ecforce is a Japanese all-in-one e-commerce platform operated by SUPER STUDIO Inc., with a strong focus on subscription commerce (D2C, beauty, food, supplements). It bundles storefront, checkout, subscription management, CRM, fulfilment, and marketing automation. Hosted on Japanese cloud infrastructure, ecforce is widely used by Japanese D2C brands. Use by EU-targeting merchants is rare but raises GDPR questions about transfers to Japan and the cookies set by the platform.
ecforce is an all-in-one e-commerce platform operated by SUPER STUDIO Inc., a Tokyo-based company founded in 2014. It serves the Japanese direct-to-consumer market, with a particular strength in subscription commerce: beauty, food and beverage, supplements, pet products. ecforce combines a storefront builder, a checkout, a subscription engine, a CRM, fulfilment integrations, and a marketing automation layer in a single SaaS offering.
Merchants run their store on ecforce.jp domains or on a custom domain. The platform handles recurring billing logic, customer segmentation, drip campaigns, and detailed cohort analytics aimed at maximising lifetime value.
ecforce sets first-party cookies for cart state, login session, CSRF protection, and a customer identifier. Optional analytics cookies are set to feed the in-platform reporting and cohort analytics. Merchants can also enable Google Tag Manager, Meta Pixel, LINE tag, Yahoo! JAPAN Tag, and Karte connectors inside ecforce, each of which adds its own cookies and pixel calls.
Personal data handled by ecforce typically includes name, e-mail, postal address, phone, payment instrument reference, order and consumption history, subscription cadence, marketing preferences, and browsing data. Sensitive categories are not collected by default but can appear in custom fields if the merchant adds them.
For EU customers, strictly necessary cookies (cart, session, CSRF) are exempt from consent. Analytics and marketing cookies, including any pixels connected through ecforce, require informed prior consent. The legal basis for the checkout itself is performance of the contract; consent is the basis for analytics, marketing automation and remarketing.
Japan benefits from a European Commission adequacy decision adopted in 2019, supplemented by binding Supplementary Rules issued by Japan's Personal Information Protection Commission. These rules raise APPI protection to a level deemed essentially equivalent to the GDPR for personal information transferred from the EU. As a result, transfers to ecforce do not require Standard Contractual Clauses, provided the data falls within the scope of the decision.
Controllers should still document the transfer in their record of processing, inform data subjects in the privacy notice, and verify that ecforce treats EU data in accordance with the Supplementary Rules.
A DPIA is advisable when ecforce is used at scale for EU customers because of the combination of recurring billing, behavioural profiling for lifetime value optimisation, marketing automation, and a transfer to Japan. The DPIA should cover the data flow, the legal basis stack, the consent design, and the safeguards built into the adequacy decision.
Sign a data processing addendum with SUPER STUDIO, document the transfer to Japan as covered by the adequacy decision, gate analytics and marketing cookies behind your consent banner, disable advertising connectors for visitors who refuse marketing, set a retention policy for subscription and consumption history, and provide a clear privacy notice that names ecforce as the processor and explains the Japan transfer.
Websites using ecforce must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advisable when ecforce is used to target EU customers, even though Japan benefits from an EU adequacy decision. The risk profile combines large-scale subscription billing, repeat purchase profiling, and integration with marketing pixels. The DPIA should cover retention of order and consumption history, the use of marketing automation, and the scope of the Japan adequacy decision (which applies only to commercial data and excludes certain categories).
Sample consent text
We use ecforce, operated by SUPER STUDIO Inc., to power our online store, subscriptions, and customer database. Functional cookies needed for shopping are strictly necessary; analytics and marketing cookies (including any pixels connected to ecforce) require your consent. Data is processed in Japan under the EU adequacy decision.
Third-party domains contacted
ecforce.jp
api.ecforce.jp
cdn.ecforce.jp
tag.ecforce.jp

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ecforce_session | http | session | Maintains the shopper session on the storefront and the checkout. |
| XSRF-TOKEN | http | session | CSRF protection token for forms and order submission. |
| _ecforce_cart | http | 30 days | Persists the cart contents between sessions. |
| _ecforce_cid | http | 13 months | First-party customer identifier used to link browsing, orders and subscriptions. |
| _ecforce_analytics | http | 13 months | First-party analytics for cohort and lifetime value reports, set only after consent. |
| _ecforce_attribution | http | 30 days | Marketing attribution cookie used by the campaign reports, set only after consent. |
ecforce uses cookies for user preferences — inform visitors with a consent banner.
ecforce sets first-party cookies for the shopper session, CSRF protection, cart persistence, and a customer identifier (strictly necessary or contractual). It also offers optional analytics and attribution cookies for cohort reports and campaign measurement; those require consent. Merchants can plug in Meta Pixel, Google Tag Manager, LINE Tag or Karte, each adding its own cookies.
The session, CSRF, cart, and customer identifier cookies are exempt from consent. The optional analytics, attribution, and any third-party marketing pixels added on top of ecforce do require informed prior consent before being set on EU users' devices.
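A pre-consent check built from the cookie table on this page, as an added example (not ecforce's or this page's own code): it parses `Set-Cookie` headers captured before the visitor has opted in and flags consent-gated cookies, cookies missing from the table, and exempt cookies that outlive their listed duration. The sample headers are constructed, and treating 13 months as at most 403 days is an assumption.

```javascript
// Policy transcribed from the "Cookies placed" table; maxDays null = session cookie.
// Assumption: "13 months" is treated as at most 403 days (13 x 31).
const POLICY = new Map([
  ['_ecforce_session', { consent: false, maxDays: null }],
  ['XSRF-TOKEN', { consent: false, maxDays: null }],
  ['_ecforce_cart', { consent: false, maxDays: 30 }],
  ['_ecforce_cid', { consent: false, maxDays: 403 }],
  ['_ecforce_analytics', { consent: true, maxDays: 403 }],
  ['_ecforce_attribution', { consent: true, maxDays: 30 }],
]);
// Cookie name and lifetime in days (null = session cookie) from one Set-Cookie header.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const [key, ...rest] = attr.split('=');
    const val = rest.join('=');
    if (/^max-age$/i.test(key) && /^-?\d+$/.test(val)) maxAge = Number(val) / 86400;
    if (/^expires$/i.test(key) && !Number.isNaN(Date.parse(val))) {
      expires = (Date.parse(val) - now) / 86400000;
    }
  }
  return { name: pair.split('=')[0], lifetimeDays: maxAge ?? expires }; // Max-Age wins
}

// Audit headers captured BEFORE the visitor has made a consent choice.
function auditPreConsent(headers, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetimeDays } = parseSetCookie(header, now);
    const rule = POLICY.get(name);
    if (!rule) findings.push({ name, issue: 'unlisted' });
    else if (rule.consent) findings.push({ name, issue: 'set-before-consent' });
    else if (lifetimeDays !== null && lifetimeDays > (rule.maxDays ?? 0)) {
      findings.push({ name, issue: 'lifetime-exceeds-table' });
    }
  }
  return findings;
}

// Constructed sample headers, as if recorded before any opt-in.
const SAMPLE_HEADERS = [
  '_ecforce_session=abc123; Path=/; HttpOnly; Secure', // session cookie: ok
  '_ecforce_cart=c1; Path=/; Max-Age=2592000',         // 30 days: ok
  '_ecforce_cid=u42; Path=/; Max-Age=63072000',        // 730 days: longer than listed
  '_ecforce_analytics=a1; Path=/; Max-Age=34214400',   // consent-gated cookie
  '_fbp=fb.1.0.1; Path=/; Max-Age=7776000',            // Meta Pixel cookie, not in the table
];
console.log(auditPreConsent(SAMPLE_HEADERS));
```

An empty result on a fresh, pre-consent page load is the passing state; run the same capture after opting in to confirm the consent-gated cookies then appear with the listed durations.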
Article 6(1)(b) GDPR (performance of a contract) covers the storefront, checkout, subscription billing, and order fulfilment. Article 6(1)(a) (consent) covers analytics, attribution, marketing automation, and any third-party pixels enabled through ecforce.
Yes. ecforce is hosted in Japan. Japan benefits from a 2019 European Commission adequacy decision, supplemented by binding Supplementary Rules issued by the Japanese Personal Information Protection Commission. Transfers to ecforce are therefore lawful without Standard Contractual Clauses, provided the data falls within the scope of the decision.
A DPIA is advisable when ecforce is used to target EU residents at scale. The combination of subscription billing, behavioural profiling for lifetime value, marketing automation, and a transfer to Japan exceeds the threshold for a focused risk assessment, even though Japan is an adequate country.
Sign a data processing addendum with SUPER STUDIO, configure your consent banner so that analytics, attribution and any marketing pixels are blocked until opt-in, set clear retention periods for order, subscription and consumption history, document the Japan transfer in your record of processing, and reference ecforce in your privacy policy with its role as processor and the EU adequacy basis.
EU-targeting merchants typically choose Shopify (with EU data residency options), Shopware, Adobe Commerce, BigCommerce, Salesforce Commerce Cloud, Centra (Sweden), or Spryker (Germany). For subscription commerce specifically, Recharge on top of Shopify, Ordergroove, or PrestaShop with subscription modules are common, with EU or US hosting depending on the vendor.
List each ecforce cookie with name, type, duration, and purpose. Mark session, CSRF, cart, and customer ID as strictly necessary or contractual, and analytics, attribution, and third-party pixels as subject to consent. Mention ecforce by SUPER STUDIO as processor in Japan, reference the EU adequacy decision, and update the page when ecforce changes its cookie list or its connector catalogue.