Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Chargebee is a subscription management and recurring billing platform widely used by SaaS, e-commerce subscription and digital media businesses across Europe. It handles plans, trials, dunning, invoicing, taxes (EU VAT, OSS) and revenue recognition, and connects to payment service providers such as Stripe, Adyen, GoCardless or Braintree. Integrations include hosted checkout pages, a JavaScript SDK and back-end APIs. Chargebee acts as a processor for subscription data and offers an EU data centre in Frankfurt for European customers.
Chargebee is operated by Chargebee Inc. (California), with substantial operations through Chargebee Technologies Pvt Ltd in India. It is a popular middle layer between e-commerce sites or SaaS applications and the underlying payment service provider, handling plans and pricing tables, free trials, coupons, dunning, taxes (including EU VAT MOSS/OSS), revenue recognition and customer self-service portals. Integration options include hosted checkout pages on chargebee.com, drop-in JavaScript components and a server-side REST API. Chargebee currently offers regional data centres in the EU (Frankfurt, AWS eu-central-1), the US and Australia.
Chargebee processes customer name, billing and shipping address, email, phone, tax identifiers (VAT number, ABN), subscription plan, invoice history and references to payment method tokens issued by the PSP. The hosted checkout pages set technical cookies (CSRF, session, JSESSIONID) and may include analytics cookies depending on the configuration. Server-side, Chargebee stores activity logs, audit trails, webhook deliveries and dunning event history. The Card Vault (cb_secured) optionally tokenises cards inside Chargebee with PCI DSS Level 1 certification.
Chargebee acts as a processor under Article 28 GDPR for the subscription data. The legal basis for the underlying processing is the contract with the subscriber (Art. 6(1)(b)), legal obligations for invoicing and accounting (Art. 6(1)(c)) and legitimate interest for dunning and fraud prevention (Art. 6(1)(f)). The technical cookies set by the hosted checkout are largely strictly necessary for the requested service, but any analytics or marketing cookies the merchant enables on the Chargebee pages require consent under Article 5(3) ePrivacy. Cross-border transfers to Chargebee Inc. (US) and Chargebee Technologies (India) trigger Chapter V GDPR.
For the core subscription processing on hosted checkout, no consent is needed: the cookies are strictly necessary to complete the requested service. For any Chargebee analytics integration (Mixpanel, Google Analytics, custom tracking) and for marketing widgets on the merchant site that lead to Chargebee, consent is required. The user must also be informed that Chargebee receives the data and that some flows reach the US and India.
With the EU data centre, persistent customer data stays in Frankfurt. Chargebee Inc. in the United States accesses data for engineering, support and security; Chargebee Technologies in India handles a significant share of the technical operations. Chargebee Inc. is self-certified under the EU-US Data Privacy Framework. India does not have an EU adequacy decision; transfers rely on the new SCCs in the Chargebee DPA and supplementary measures (encryption at rest, access controls, audit logs). The DPA is publicly available and pre-approved by EU customers.
Choose the EU data centre during onboarding, sign the Chargebee DPA, list Chargebee Inc. and Chargebee Technologies as recipients in your privacy policy together with the transfer mechanism, restrict admin access using SSO and role-based controls, and configure the dunning and email notifications to use anonymised templates. Make sure the cookie banner exposes any analytics integration enabled on the Chargebee hosted pages.
Websites using Chargebee must obtain user consent under GDPR regulations.
DPIA considerations
Chargebee processes customer identity, billing and payment metadata at scale. A DPIA is recommended when the merchant relies on automated dunning, customer scoring or cross border subscription flows, and should cover the choice of data centre, the EU US and EU India transfers and the integrations with payment providers.
Sample consent text
We use Chargebee to manage your subscription and process recurring billing. This stores your billing data with Chargebee in our chosen region (EU data centre when available) and shares it with Chargebee Inc. in the United States and Chargebee Technologies in India.
Third-party domains contacted
- chargebee.com
- <site>.chargebee.com
- js.chargebee.com
- js.eu.chargebee.com
- api.chargebee.com
- api.eu.chargebee.com
- config.chargebee.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cb_session_id | third party | Session | Session identifier set by Chargebee hosted checkout to keep the user logged in to the secure billing flow. |
| cb_visit_id | third party | 1 year | Visit identifier used by Chargebee for funnel analytics inside the hosted checkout and customer portal. |
| cb_user_id | third party | 1 year | Anonymous user identifier set by Chargebee to correlate sessions across the checkout and the customer portal. |
| JSESSIONID | third party | Session | Java application server session cookie set by the Chargebee back end for the hosted checkout. |
| XSRF-TOKEN | third party | Session | CSRF protection token used by Chargebee during the checkout flow. |
| ajs_anonymous_id | third party | 1 year | Segment.io anonymous identifier sometimes set on Chargebee admin and checkout pages when product analytics are enabled. |
Chargebee uses cookies for user preferences — inform visitors with a consent banner.
Chargebee hosted checkout pages set technical cookies (CSRF token, JSESSIONID, cb_visit_id, cb_user_id) that are strictly necessary to maintain the checkout session. Some integrations may add analytics cookies (Mixpanel, Google Analytics), which then require consent.
For the strictly necessary checkout cookies, no: the contract performance basis covers them. For any optional analytics integration enabled on Chargebee hosted pages, yes. Make sure the marketing widget on your own site that leads to Chargebee is also covered by consent.
Contract with the subscriber (Art. 6(1)(b) GDPR) for managing the subscription, legal obligation (Art. 6(1)(c)) for invoicing and accounting retention, legitimate interest (Art. 6(1)(f)) for dunning, fraud and customer retention analytics, and consent (Art. 6(1)(a)) for non-essential cookies and marketing.
Yes. Even with the EU data centre, Chargebee Inc. (United States) and Chargebee Technologies (India) access data for support, engineering and security. Chargebee Inc. is DPF-certified; India transfers rely on the SCCs in the Chargebee DPA with supplementary measures.
A standalone DPIA is rarely required, but Chargebee should appear in the DPIA of the SaaS or e-commerce product it supports, especially when high subscription volumes, automated dunning and cross-border flows are involved.
Pick the EU data centre during onboarding, sign the Chargebee DPA, enable SSO and RBAC for the admin console, configure invoice retention to match local accounting rules, mention Chargebee in the privacy policy with the recipient list and transfer mechanism, and disable analytics integrations on hosted pages unless they are consented.
Recurly, Stripe Billing, Paddle (acts as merchant of record from the EU), Zoho Subscriptions, Maxio (formerly Chargify), Recurpay or self-hosted alternatives (Lago, Killbill, Apphud). EU-based options include billwerk (Germany) and, on the lighter side, Solid Invoice or Spendesk.
Add an entry under Functional or Strictly Necessary listing the checkout session cookies (CSRF, JSESSIONID, cb_visit_id), the provider (Chargebee Inc., USA and Chargebee Technologies, India), the purpose (subscription checkout) and the transfer mechanism (Data Privacy Framework and SCCs). Mention any analytics cookie enabled on hosted pages separately.