DevzCart is a cloud-hosted multi-tenant e-commerce platform that lets merchants spin up storefronts with catalog, cart, checkout and order management. It is detected by Wappalyzer as a packaged commerce stack and runs from Indian or Southeast Asian infrastructure. The storefront sets first party cookies for cart, session and authentication and supports optional analytics and marketing pixels that require consent under GDPR and ePrivacy.
DevzCart is a cloud-hosted multi-tenant e-commerce platform that lets merchants stand up an online storefront with catalog management, cart, checkout and order workflows. It is detected by fingerprinting tools such as Wappalyzer as a packaged commerce stack. The vendor operates the application and the database in the cloud, while merchants configure their storefront, products and payment gateways through an admin console. The platform is delivered as SaaS, which means storefront and admin traffic terminates on DevzCart infrastructure rather than on merchant controlled servers.
DevzCart writes first party functional cookies that the buyer cannot opt out of without breaking the experience: a session cookie (PHPSESSID or equivalent) that keeps the cart and login active, a customer authentication cookie for registered shoppers, a cart token, and a CSRF protection token. The platform also exposes hooks for merchants to inject third party scripts such as Google Analytics, Meta Pixel or affiliate tracking tags, each of which sets its own cookies. Buyer data captured on the platform includes account details, shipping addresses, order history and any communication exchanged with customer support.
Where European buyers visit a DevzCart storefront, the merchant remains the controller and DevzCart acts as a processor under Article 28 GDPR. The strictly necessary commerce cookies do not require consent because they are essential to deliver the contract the buyer has explicitly requested. Any analytics or marketing tags injected by the merchant must follow ePrivacy Article 5(3) and require prior, freely given, informed consent before they are loaded. A processor agreement that mirrors Article 28 obligations must be signed with DevzCart, listing every sub processor.
DevzCart operates outside the EU/EEA without the benefit of an adequacy decision. India in particular is not covered by an adequacy decision and Indian public authorities retain interception powers under the Telegraph Act and the Information Technology Act. EU controllers must therefore sign the 2021 EU Standard Contractual Clauses with DevzCart, conduct a Transfer Impact Assessment that documents access rights of Indian authorities, and apply supplementary measures: encryption in transit and at rest, pseudonymisation of buyer identifiers, retention minimisation and a clear deletion timeline. The Indian Digital Personal Data Protection Act 2023 also applies on the local side.
A DPIA is recommended whenever a European merchant relies on DevzCart, because the transfer to a non adequacy third country and the systematic processing of buyer profiles trigger the criteria set out in the Article 29 Working Party guidelines on DPIAs. The DPIA must address the third country risk, the retention of order history, the use of behavioural tracking and the existence of fallback EU based alternatives. The CMP placed in front of the storefront must block non essential vendor tags by default until consent is granted.
Sign a written DPA with DevzCart that includes the 2021 SCCs Module 2, request the sub processor list and the audit reports, and enforce TLS 1.2 or higher across the storefront. Integrate a CMP (Cookiebot, Didomi, Axeptio) and block analytics or marketing tags until consent. Set realistic retention windows for order data, typically 10 years for invoicing in the EU and shorter for marketing data. EU based alternatives include PrestaShop (France), Shopware (Germany), Sylius (Poland) and Centra (Sweden) for merchants who must keep all buyer data inside the EU/EEA.
Websites using DevzCart must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for European merchants because DevzCart is operated outside the EU/EEA without an adequacy decision. The assessment must map the buyer data flow to Indian infrastructure, evaluate access by Indian public authorities under the Telegraph Act and the Digital Personal Data Protection Act 2023, and confirm that DevzCart will sign the 2021 SCCs as a processor. Where payment is processed on-platform, PCI DSS scope and storage of cardholder data must also be assessed.
Sample consent text
This storefront is powered by DevzCart. Cookies that keep your cart, your session and your account active are strictly necessary and do not require consent. We also use optional analytics and marketing cookies to improve the store and to show you relevant offers. You can accept, refuse or change these choices at any time from our cookie preference center.
Third-party domains contacted
devzcart.com, cdn.devzcart.com, api.devzcart.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | strictly-necessary | Session | PHP session identifier that keeps the shopping cart and the login state across page loads. Required to deliver the commerce service requested by the buyer. |
| devzcart_cart | functional | 30 days | Stores the cart token so that an anonymous visitor can return to a non submitted cart. Strictly necessary for cart continuity. |
| devzcart_auth | functional | 12 months | Authentication cookie for registered buyers. Strictly necessary while the user is logged in. |
| XSRF-TOKEN | strictly-necessary | Session | CSRF token that validates form submissions and protects the storefront from cross site request forgery. |
DevzCart uses cookies for user preferences — inform visitors with a consent banner.
DevzCart sets strictly necessary first party cookies: a PHP session cookie (PHPSESSID) to keep the cart and login active, a cart token (devzcart_cart) for cart continuity, an authentication cookie (devzcart_auth) for registered buyers, and an XSRF-TOKEN for CSRF protection. Any analytics, marketing or affiliate cookies added by the merchant through script injection are not part of the platform default and require consent.
You do not need consent for the cookies that operate the cart, the session and the authentication, because they are strictly necessary to deliver the commerce service the buyer requested. You do need prior consent for any analytics, marketing or personalisation cookies you add on top, and the consent banner must let buyers refuse as easily as they accept.
Performance of a contract (Art. 6(1)(b) GDPR) is the right basis for cart, account, order and shipping data. Legal obligation (Art. 6(1)(c)) covers invoicing and tax retention. Consent (Art. 6(1)(a) GDPR and ePrivacy Article 5(3)) is required for analytics, marketing and personalisation cookies. The merchant is the controller; DevzCart is the processor.
Yes. DevzCart hosts buyer data outside the EU/EEA, most likely in India or another Southeast Asian location without an adequacy decision. EU controllers must sign the 2021 EU SCCs with DevzCart, complete a Transfer Impact Assessment that addresses Indian state access powers, and implement supplementary measures (encryption, pseudonymisation, strict retention). Document the transfer clearly in the cookie policy and in the privacy notice.
A DPIA is strongly recommended for European merchants. The combination of a third country transfer without adequacy, the systematic processing of buyer profiles and order histories, and the absence of detailed independent audit reports meets multiple DPIA criteria. The assessment should compare DevzCart against EU based alternatives and document why the third country processing is necessary and proportionate.
Sign a written DPA including the 2021 SCCs Module 2 with DevzCart. Integrate a CMP that blocks all non essential tags until consent. Restrict the admin to two factor authentication. Disclose every cookie in the cookie policy, separating strictly necessary from optional. Document the retention windows (10 years for invoices in the EU, shorter for marketing). Run a periodic cookie scan to confirm that the live storefront matches the documented inventory.
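The periodic cookie scan described above can be automated by comparing captured Set-Cookie headers with the cookie table on this page. The following Python is an added example, not DevzCart code: the sample headers are constructed, "12 months" is taken as 365 days, and the Secure check is an addition tied to the TLS requirement rather than part of the documented inventory.

```python
from http.cookies import SimpleCookie

DAY = 86400
# Documented inventory from the cookie table on this page: name -> maximum
# lifetime in seconds, None for a session cookie (no Max-Age/Expires expected).
INVENTORY = {
    "PHPSESSID": None,
    "devzcart_cart": 30 * DAY,
    "devzcart_auth": 365 * DAY,  # "12 months" taken as 365 days (assumption)
    "XSRF-TOKEN": None,
}

def audit(set_cookie_headers, consent_given=False):
    """Return sorted (cookie, finding) pairs for one captured response."""
    findings = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        if not jar:  # SimpleCookie yields nothing for a malformed header
            findings.append((raw.split("=", 1)[0], "unparseable Set-Cookie header"))
            continue
        for name, morsel in jar.items():
            if name not in INVENTORY:
                when = "after" if consent_given else "before"
                findings.append((name, f"not in inventory, set {when} consent"))
                continue
            limit, age = INVENTORY[name], morsel["max-age"]
            if limit is None and (age or morsel["expires"]):
                findings.append((name, "documented as session but is persistent"))
            elif limit is not None and age.isdigit() and int(age) > limit:
                findings.append((name, "lifetime exceeds documented duration"))
            if not morsel["secure"]:
                # Added check (not in the page's table): without Secure the
                # cookie can travel over plain HTTP despite the TLS requirement.
                findings.append((name, "missing Secure attribute"))
    return sorted(findings)

# Constructed sample: headers as a scan of a storefront might capture them.
SAMPLE = [
    "PHPSESSID=k3q9; Path=/; Secure; HttpOnly",
    "devzcart_cart=tok123; Max-Age=7776000; Path=/; Secure",   # 90 days
    "devzcart_auth=a1b2; Max-Age=31536000; Path=/; HttpOnly",  # no Secure
    "XSRF-TOKEN=xyz; Max-Age=7200; Path=/; Secure",            # persistent
    "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",             # undocumented
]

if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE):
        print(f"{cookie}: {finding}")
```

Run it once against a response captured before any consent choice and once after, with `consent_given=True`, so an undocumented cookie is reported in both states.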
Yes. PrestaShop (France), Shopware (Germany), Sylius (Poland) and Centra (Sweden) are e-commerce platforms hosted within the EU/EEA. They eliminate the third country transfer question and often integrate more easily with European payment service providers (Adyen, Mollie, Stripe Europe). They are typically the safer baseline when the merchant cannot fully document the necessity of an Indian transfer.
List DevzCart as the platform processor, disclose that buyer data is hosted outside the EU (in India or another Southeast Asian location), and reference the 2021 EU SCCs signed with the vendor. List every functional cookie with name, retention and purpose, and explain that optional analytics or marketing cookies set on top are subject to the preference center. Update the policy after every storefront customisation that introduces new tags.