CubeCart is an open source PHP e-commerce platform maintained by Devellion Limited (United Kingdom). Merchants self-host the software on their own server or chosen provider, so data location is entirely under merchant control. CubeCart sets strictly necessary cookies for cart, session and customer authentication. Optional integrations such as Google Analytics, PayPal, Stripe or live chat add their own cookies and trigger GDPR and ePrivacy obligations on top of the merchant baseline.
CubeCart is an open source PHP e-commerce platform first released in 2003 and maintained by Devellion Limited, a private company based in the United Kingdom. The software ships with a storefront, an administration panel, a product catalogue, order management, tax and shipping engines, customer accounts and a plugin system. Merchants self-host CubeCart on shared hosting, a VPS or a cloud provider of their choice, which means the location of the underlying personal data is determined by the merchant. Devellion only operates a licence and update verification server that the installation contacts periodically.
CubeCart sets a small number of strictly necessary first-party cookies: a PHP session identifier (PHPSESSID or CubeCart-Session), a cart identifier holding the contents of the shopping basket, a customer authentication token for logged-in users, an admin session cookie for the back office and a currency or language preference cookie. The database stores order data, customer profile, billing and delivery addresses, order history and any account preferences. Optional plugins for newsletters, analytics, live chat or social login can introduce additional cookies and processing.
The merchant is the controller for all personal data processed in the shop. CubeCart is on-premises software, so Devellion Limited acts as a processor only for the update channel and any paid support service that involves access to the merchant data. Strictly necessary cookies for the cart, session, checkout and authentication are exempt from prior consent under Art. 5(3) ePrivacy because they are essential to provide the service that the user explicitly requested. Any analytics, advertising or non-essential personalisation cookie added by the merchant falls inside the consent scope.
No consent is required for the strictly necessary CubeCart cookies, but the privacy notice must still describe them. As soon as the merchant installs Google Analytics, Meta Pixel, Hotjar, a chat widget or a marketing automation script, a Consent Management Platform must block these scripts until the visitor opts in. Consent must be granular (analytics, advertising, functional), informed and as easy to withdraw as to give. Keep a proof of consent record (timestamp, banner version, user choices) to demonstrate compliance with Art. 7 GDPR.
The CubeCart software does not in itself transfer customer data abroad. Transfers depend on the merchant infrastructure and integrations: a hosting provider outside the European Economic Area, payment gateways such as PayPal or Stripe with US operations, Google Analytics, Mailchimp or US-based shipping APIs. For each external recipient, identify the legal mechanism (EU-US Data Privacy Framework, Standard Contractual Clauses, adequacy decision for the United Kingdom), document a Transfer Impact Assessment and add the recipient to the privacy notice and the Art. 30 record.
Pick an EU or UK hosting provider with a data processing agreement, enable HTTPS, configure Secure and SameSite cookie flags, restrict admin access by IP, and back up the database within the EU. Install a CMP plugin that blocks non-essential third-party scripts before consent. Add a clear privacy notice, a cookie page that distinguishes strictly necessary cookies from optional integrations, and a customer rights workflow (access, rectification, erasure, portability) using the built-in CubeCart account management. Audit installed plugins and remove any that you do not actively use.
Websites using CubeCart must obtain user consent under GDPR regulations.
DPIA considerations
A full Data Protection Impact Assessment is generally not required for a baseline CubeCart installation because the merchant self-hosts the software and processes only the personal data needed to complete a purchase (contract performance under Art. 6(1)(b) GDPR). A documented record of processing activities under Art. 30 GDPR is sufficient. A DPIA becomes appropriate when the merchant enables behavioural advertising, customer profiling, large-scale newsletter automation, sensitive product categories (health, religion, sexual orientation), payment fraud scoring or any large-scale combination of trackers that would meet Art. 35 GDPR thresholds.
Sample consent text
This shop runs on CubeCart and uses strictly necessary cookies to keep your cart, your session and your login active during checkout, which do not require consent. With your consent, we also enable analytics, marketing and chat integrations such as Google Analytics or a live chat widget that may set additional cookies and share data with partners. You can accept all, reject all non-essential or set your preferences at any time from the cookie link in the footer.
Third-party domains contacted
cubecart.com, www.cubecart.com, forums.cubecart.com, github.com/cubecart

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | Session | Session | Standard PHP session identifier used by CubeCart to maintain state across page requests during a visitor session. |
| CubeCart-Session | Session | Session | CubeCart session token that links the visitor browser to the server side session data including basket and login state. |
| cart | Session | Session | Stores a reference to the current shopping basket so the visitor can add products and proceed to checkout without losing items. |
| customer | Persistent | 30 days | Authenticated customer identifier used when a returning shopper has logged in and chosen the remember me option. |
| admin | Session | Session | Admin back office session cookie used to keep store administrators logged in to the CubeCart control panel. |
| currency | Persistent | 1 year | Stores the visitor preferred display currency so prices show consistently across pages and sessions. |
CubeCart uses cookies for user preferences — inform visitors with a consent banner.
By default CubeCart only sets first-party cookies that are strictly necessary to operate the shop: PHPSESSID (or CubeCart-Session) for the PHP session, a cart identifier referencing the current basket, a customer authentication cookie for logged-in users, an admin session cookie for the back office and a small preference cookie for currency or language. No analytics, advertising or social cookies ship with the core product. The merchant database stores order details, customer profile, billing and delivery addresses and order history.
Consent is not required for the strictly necessary cookies that operate the cart, checkout, login and admin panel, because they are exempt under Art. 5(3) ePrivacy. Consent is required as soon as the merchant enables optional integrations: Google Analytics, Meta Pixel, Hotjar, live chat, marketing automation or social login. In that case, install a Consent Management Platform that blocks the relevant scripts until the visitor opts in, and offer reject all, accept all and granular per-category choices.
The merchant relies on contract performance under Art. 6(1)(b) GDPR for cart, checkout and order management, including delivery addresses and invoicing. Legitimate interest under Art. 6(1)(f) GDPR can support fraud prevention and basic web security cookies. Consent under Art. 6(1)(a) GDPR is the basis for optional analytics, advertising, newsletter sign-ups and any non-essential personalisation. Legal obligations (Art. 6(1)(c) GDPR) apply to invoice retention and tax reporting, typically for ten years depending on the EU country.
The core CubeCart application does not transfer customer data abroad: storage location depends on the merchant hosting choice. Transfers happen through merchant integrations: PayPal, Stripe and Authorize.Net for payments, Google Analytics or Mailchimp for marketing, Royal Mail or shipping APIs for logistics. Each recipient must be covered by an appropriate transfer tool: the EU-US Data Privacy Framework for certified US partners, EU Standard Contractual Clauses for others, and the adequacy decision when data flows to the United Kingdom.
A formal DPIA is generally not required for a standard CubeCart shop because the processing is necessary for contract performance and limited to typical e-commerce data. A DPIA becomes appropriate when the merchant runs large-scale behavioural advertising, sells sensitive products (health, religion, sexual orientation), profiles customers across channels, uses automated fraud scoring with significant effects, or processes data of a large number of children. Document the screening decision in your data protection file regardless.
Pick an EU-based hosting provider with a signed Data Processing Agreement, force HTTPS on all pages, configure Secure and SameSite=Lax on session cookies, restrict admin access with IP filtering and strong authentication, and back up the database inside the EU. Install a CMP plugin that gates every optional integration, publish a clear privacy notice and a cookie policy, and configure customer rights workflows using built-in account management. Audit installed plugins quarterly and remove anything that you do not actively use.
Other self-hosted, EU-friendly e-commerce platforms include WooCommerce on European hosting, PrestaShop (France), Sylius (PHP, France), Spree (Ruby), Drupal Commerce, OpenCart and Magento Open Source. For managed solutions, consider Shopware (Germany), Shopify with EU hosting selected or Lightspeed eCom (Netherlands). None of these remove the consent requirement for analytics and marketing add-ons, but the choice impacts hosting location, the available Data Processing Agreement and the maturity of native consent integrations.
List the strictly necessary CubeCart cookies (PHPSESSID, cart, customer auth, admin session, currency or language) with purpose and duration, then add a section for every optional integration: analytics, marketing pixels, chat, social login, payment gateways. Include transfer information (EU-US Data Privacy Framework, Standard Contractual Clauses, UK adequacy) for any non-EU recipient and the link to the partner privacy policy. Review the policy whenever a plugin is added or removed, at least every six months, and archive previous versions for accountability.
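One way to verify the cookie hardening and plugin audit described above, as an added example (not CubeCart or vendor code): it checks `Set-Cookie` response headers against the cookie table on this page. The grouping of session-state cookies, the acceptance of `SameSite=Strict` alongside `Lax`, and the sample headers are assumptions constructed for illustration.

```python
# Cookie names from the page's "Cookies placed" table (strictly necessary set).
NECESSARY = {"PHPSESSID", "CubeCart-Session", "cart", "customer", "admin", "currency"}
# Assumption: every necessary cookie except the currency preference carries
# session or login state and therefore needs Secure and SameSite.
SESSION_STATE = NECESSARY - {"currency"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit(headers):
    """Return (cookie name, finding) pairs for a list of Set-Cookie values."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in NECESSARY:
            # Not in the documented inventory: comes from an optional
            # integration and must be blocked until the visitor opts in.
            findings.append((name, "not in inventory: gate behind consent"))
            continue
        if name in SESSION_STATE:
            if "secure" not in attrs:
                findings.append((name, "missing Secure"))
            if attrs.get("samesite", "").lower() not in ("lax", "strict"):
                findings.append((name, "SameSite is not Lax or Strict"))
    return findings

# Constructed sample headers, as a pre-consent response might send them.
SAMPLE = [
    "PHPSESSID=k3v9; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=b71f; Path=/; HttpOnly",
    "customer=tok123; Max-Age=2592000; Path=/; Secure; SameSite=None",
    "currency=EUR; Max-Age=31536000; Path=/",
    "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",
]

if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE):
        print(f"{cookie}: {finding}")
```

Feed it the `Set-Cookie` values captured from a first visit before any banner interaction; an empty result means only inventoried cookies were set and the session cookies carry both flags.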