Cartpanda is a Brazilian eCommerce checkout and storefront platform with infrastructure in US data centers, designed for direct to consumer brands, dropshipping and high conversion checkouts.
Cartpanda is an eCommerce checkout and storefront platform headquartered in Brazil with infrastructure hosted in US AWS data centers. It targets direct to consumer brands, dropshippers and high volume merchants who need optimised checkout flows, upsells, order bumps and built in integrations with payment processors, shipping carriers and advertising platforms. Cartpanda is delivered as a SaaS service, and Cartpanda acts as a processor (or joint controller, depending on the configuration) for the merchant.
Cartpanda sets first party cookies for session continuity, the shopping cart, the customer identifier, the checkout step and fraud signals. It also runs analytics and conversion tracking scripts, frequently combined with third party pixels (Facebook, Google Ads, TikTok, Pinterest) configured by the merchant. Payment and abandoned cart logic also relies on cookies.
Cookies necessary to complete the order are exempt from consent under Article 5(3) of the ePrivacy Directive. Analytics, conversion pixels, advertising trackers and remarketing cookies all require informed, prior, granular and revocable consent. Because Cartpanda processes payment and contact data on behalf of the merchant, a data processing agreement is mandatory under Article 28 of the GDPR.
Implement a CMP that conditionally loads Cartpanda's optional analytics and any advertising pixel only after the visitor accepts. Surface a clear refuse button, store consent proof with a timestamp and version, and let visitors withdraw consent at any time. Apply Google Consent Mode v2 and Facebook Conversions API parameters consistent with the user's choice.
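One way to express the gating logic described above, as an added JavaScript example (not Cartpanda's code or any CMP's API): the record format, `NOTICE_VERSION` and the tag inventory are assumptions, with hosts taken from this page's domain list. It denies by default, treats a malformed, outdated or expired record as no consent, and maps the choice to Google Consent Mode v2 signals.

```javascript
// Added example: consent gate logic for a storefront (hypothetical record format).
const NOTICE_VERSION = "2024-01"; // hypothetical version of the consent notice
const MAX_AGE_MS = 183 * 24 * 60 * 60 * 1000; // about 6 months, like cp_consent in the cookie table

// Constructed tag inventory; hosts come from the page's domain list.
const TAGS = [
  { id: "checkout", host: "checkout.cartpanda.com", category: "essential" },
  { id: "analytics", host: "www.googletagmanager.com", category: "analytics" },
  { id: "fb_pixel", host: "connect.facebook.net", category: "marketing" },
];

// Build the proof-of-consent record: per-category choice, timestamp, notice version.
// Calling it with {} records a refusal or a withdrawal.
function recordConsent(choices, now = Date.now()) {
  return JSON.stringify({
    v: NOTICE_VERSION,
    ts: now,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  });
}

// Parse a stored record; anything malformed, outdated or expired means "no consent".
function readConsent(raw, now = Date.now()) {
  const denied = { analytics: false, marketing: false, valid: false };
  let rec;
  try { rec = JSON.parse(raw); } catch { return denied; }
  if (!rec || typeof rec !== "object") return denied;
  if (rec.v !== NOTICE_VERSION) return denied; // notice changed: ask again
  if (typeof rec.ts !== "number" || rec.ts > now || now - rec.ts > MAX_AGE_MS) return denied;
  // Only a strict boolean true counts as opt-in ("true" or 1 do not).
  return { analytics: rec.analytics === true, marketing: rec.marketing === true, valid: true };
}

// Tags allowed to load: essential always, everything else only after opt-in.
function allowedTags(consent) {
  return TAGS.filter(t => t.category === "essential" || consent[t.category] === true)
    .map(t => t.id);
}

// Google Consent Mode v2 signals consistent with the visitor's choice.
function consentModeState(consent) {
  const g = ok => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}
```

In a browser, the result of `allowedTags` decides which script elements get injected, and the object from `consentModeState` is what would be passed to the Consent Mode update call.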
Cartpanda transfers EU personal data to AWS US regions and to its operations in Brazil. EU-US transfers can rely on the EU-US Data Privacy Framework when the importer is certified, and on Standard Contractual Clauses otherwise. EU-Brazil transfers rely on SCCs, since Brazil is not covered by an adequacy decision. A transfer impact assessment is required for both routes.
Sign the DPA with Cartpanda, list it in your record of processing activities, document each cookie, deploy a CMP that blocks non essential tags by default, configure server side tracking where possible, restrict admin access, set retention for orders and abandoned carts, and publish a clear cookie and privacy policy mentioning Brazil and the US as data destinations.
Websites using Cartpanda must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Cartpanda stores due to the systematic transfer of payment and behavioural data outside the EEA, the integration of multiple marketing pixels, and the high volume of consumer transactions handled.
Sample consent text
We use essential cookies to operate the checkout. With your consent we also set analytics, conversion and marketing cookies, including pixels from Facebook, Google and other partners. You can accept, reject or fine tune your choices in the cookie settings.
Third-party domains contacted
cartpanda.com, checkout.cartpanda.com, cdn.cartpanda.com, connect.facebook.net, www.googletagmanager.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cp_session | first_party | Session | Server side session identifier that keeps the shopper connected throughout the checkout flow. |
| cp_cart_id | first_party | 14 days | Unique identifier of the shopping cart used to persist items, upsells and order bumps. |
| cp_customer | first_party | 30 days | Reference of the logged in customer for account access and order history retrieval. |
| cp_visitor | first_party | 1 year | Anonymous visitor identifier used by Cartpanda analytics for funnel and conversion measurement. |
| cp_consent | first_party | 6 months | Stores the visitor's cookie consent choice and version of the consent notice. |
| cp_fb_pixel | third_party | 3 months | Facebook Pixel cookie used for ad measurement and remarketing when the merchant enables the Meta integration. |
Cartpanda uses cookies for user preferences — inform visitors with a consent banner.
Cartpanda sets first party cookies for session continuity, the cart identifier, the customer reference, the checkout step and fraud signals. When the merchant enables analytics or marketing pixels (Facebook, Google Ads, TikTok, Pinterest), additional cookies are deposited by those vendors.
Cookies that are necessary to complete the order do not require consent. Cookies for analytics, conversion tracking, advertising and remarketing require prior, informed and granular consent under Article 5(3) of the ePrivacy Directive and the GDPR.
Order processing is based on the performance of a contract. Fraud prevention can rely on legitimate interest. Analytics, marketing pixels and profiling rely on consent. Special categories of data, if any, require explicit consent or another Article 9 GDPR exception.
Yes. Cartpanda hosts data in US AWS regions and operates from Brazil. EU-US transfers can rely on the EU-US Data Privacy Framework when Cartpanda or its sub processors are certified, otherwise on Standard Contractual Clauses. EU-Brazil transfers require SCCs, plus a transfer impact assessment in both cases.
A DPIA is strongly recommended because Cartpanda combines payment processing, behavioural data and marketing pixels, with systematic transfers outside the EEA. It becomes mandatory for large catalogues, high traffic volumes, or stores selling regulated products.
Sign the Cartpanda DPA, list all sub processors, deploy a CMP that blocks non essential tags by default, prefer server side tracking, set retention periods, restrict admin access, document each cookie, mention Brazil and the US in your privacy policy, and run regular checkout audits.
European alternatives include PrestaShop self hosted (France), Shopware (Germany), Sylius (open source, France), CCV Shop (Netherlands), as well as Shopify Plus with EU data residency. Headless commerce setups with EU hosted backends (commercetools, Saleor) also limit cross border transfers.
List the new cookies, their purpose, retention, recipient and any data transfer. Update the CMP categories, refresh the consent banner so shoppers are asked again, version the policy with the publication date, and notify the data protection officer if applicable.