Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
commercetools is a German headless and composable commerce platform built on Google Cloud Platform, with EU regions and a strong fit for European retailers, B2B players and marketplaces.
commercetools is a German headless and composable commerce platform operated by commercetools GmbH in Munich. It exposes a REST and GraphQL API for product, cart, order and customer management, and runs on Google Cloud Platform with regions in Frankfurt and Belgium. It is widely used by European retailers, B2B brands and marketplaces.
As a headless backend, commercetools does not set browser cookies by itself. The storefront built on top (Next.js, Nuxt, Hybris frontend) sets session and cart cookies. Marketing, recommendation and personalisation features add consent based cookies, depending on the integration.
Order, customer and cart data are processed under Article 6(1)(b) GDPR. Personalisation, behavioural recommendations and marketing analytics require consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
You do not need consent for the headless commerce APIs that support order processing, but every script attached to the storefront for analytics, advertising or personalisation must be loaded only after a valid consent recorded through a CMP.
commercetools provides EU regions on GCP. The vendor signs a GDPR aligned data processing agreement with SCCs for any global support function. Watch sub processors and Google Cloud disclosures, and run a transfer impact assessment if global support is engaged for production.
Pin projects to an EU region, restrict API tokens with scoped roles, separate order data from marketing analytics, integrate a CMP on the storefront, document GCP sub processors and run a DPIA for personalisation modules.
Websites using commercetools must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally limited for commercetools itself because hosting stays in the EU. It can be triggered by personalisation, recommendation or marketing modules and by integrations with third party CRMs, especially when they involve US processors.
Sample consent text
Our commerce backend is powered by commercetools, operated by commercetools GmbH (Germany), and hosted on Google Cloud Platform in the European Union. Marketing and personalisation features are activated only with your prior consent.
Third-party domains contacted
api.europe-west1.gcp.commercetools.comauth.europe-west1.gcp.commercetools.commc.europe-west1.gcp.commercetools.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ctsess | first_party | Session | Maintains the API session between the storefront and the commercetools backend (strictly necessary). |
| ct-anonymous-cart | first_party | 30 days | Stores the anonymous cart identifier for guest checkout (strictly necessary). |
commercetools uses cookies for user preferences — inform visitors with a consent banner.
commercetools is headless and does not set browser cookies itself. The storefront on top sets session and cart cookies which are strictly necessary, while integrations such as analytics or recommendations may add consent based cookies.
Not for order processing, which relies on Article 6(1)(b) GDPR. Yes for marketing, recommendation and analytics features that store or read information on the device.
Contract performance for order data. Consent for marketing cookies, behavioural recommendations and analytics.
In EU configuration no. The platform runs on GCP Frankfurt or Belgium. Global support engagements should be analysed for any US access.
Generally limited for the core platform. Run a DPIA for personalisation, recommendation, marketing automation and any integration with US sub processors.
Pin projects to an EU region, scope API tokens, integrate a CMP on the storefront, gate analytics and personalisation behind consent, and document sub processors.
Spryker, SAP Commerce Cloud, Salesforce Commerce Cloud, Adobe Commerce (Magento), Shopify Plus and BigCommerce. EU based options reduce transfer complexity.
Inventory cookies from the storefront and every integration, separate strictly necessary from consent based, version the policy in your CMS and update it on every release.