Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Empretienda is an Argentine e commerce SaaS platform that hosts online stores for Latin American merchants. The platform sets cart, authentication and analytics cookies on shopper devices and may serve EU buyers, which triggers GDPR and the ePrivacy Directive. Storefronts often bundle marketing pixels (Meta, Google, TikTok) that require explicit consent before loading. Empretienda hosts data in Argentina with US edge infrastructure, so Schrems II considerations apply for any onward transfer.
Empretienda is an Argentine software as a service e commerce platform that lets Latin American merchants spin up an online store in minutes. It provides hosted product catalogues, checkout, shipping integrations and a merchant back office, and it operates on a multi tenant infrastructure based in Argentina with Cloudflare and AWS edge nodes that may sit in the United States. Although the platform is regional, individual storefronts frequently sell into the European Union, which brings the merchant and Empretienda within the territorial scope of Art. 3(2) GDPR.
Out of the box, an Empretienda storefront sets first party cookies for the shopping cart identifier, the logged in customer session and a CSRF token. These cookies are strictly necessary for the contract of sale and qualify for the Art. 5(3) ePrivacy exemption. Most stores also enable an analytics module and one or more advertising pixels (Meta, Google Ads, TikTok, Hotjar), which set persistent third party cookies and read browser identifiers. Free text fields such as order notes or product reviews can collect any personal data the shopper chooses to type, including occasionally special category data.
When EU residents browse or buy from an Empretienda store, the merchant is the data controller and Empretienda acts as processor for the storefront infrastructure. Marketing pixels are typically joint controller scenarios under Fashion ID (C 40/17). Art. 5(3) ePrivacy requires prior, freely given, specific, informed and unambiguous consent before any non essential identifier is stored on the device. National regulators (CNIL, AEPD, garante) routinely fine storefronts that fire pixels at page load without a consent gate.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Cart and authentication cookies rely on Art. 6(1)(b) GDPR (contract performance) and the ePrivacy strict necessity exemption. Analytics, retargeting, conversion APIs and personalisation features must rely on Art. 6(1)(a) consent, captured through a Consent Management Platform that blocks tags until the visitor opts in. Empretienda merchants should configure their theme so that Meta Pixel, Google tag, TikTok pixel and any chat or review widgets are gated behind the consent banner and that a reject all option is as visible as accept all.
Argentina has held a partial EU adequacy decision since Commission Decision 2003/490/EC, but the decision is under review and does not cover every onward flow. Empretienda routes traffic through Cloudflare and may use AWS regions in the United States for edge caching and DDoS protection. Transfers to the US require Standard Contractual Clauses plus supplementary measures and a Transfer Impact Assessment under Schrems II (C 311/18). Marketing pixels add their own transfers to Meta and Google in the United States, each governed by the EU US Data Privacy Framework or SCCs.
Audit the storefront with the browser developer tools and a scanner such as CookieServe, list every cookie and pixel, then map each to a purpose category. Sign a Data Processing Addendum with Empretienda and with every third party tag vendor. Deploy a CMP that respects IAB TCF or its CNIL aligned equivalent and that blocks scripts prior to consent. Publish a layered privacy notice in the languages of the markets you serve, document Schrems II transfer impact assessments and review the cookie inventory at least every six months or after any theme update.
Websites using Empretienda must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when an Empretienda storefront targets EU residents and bundles third party tracking pixels such as Meta Pixel, Google Ads or TikTok. The assessment should map every cookie set by the theme and by injected apps, document the legal basis for each, evaluate the Argentine adequacy decision against the partial scope of personal data flows, and assess Schrems II risk where Cloudflare or AWS edge nodes terminate TLS in the United States. Special attention is required if the merchant collects health, political or other Art. 9 special category data through product reviews or contact forms.
Sample consent text
This store uses cookies and similar technologies to keep your cart, log you in and, with your consent, to measure audience and show personalised ads from Meta, Google and other partners. Some data may be processed in Argentina and the United States under Standard Contractual Clauses. You can accept all, reject all or set your preferences at any time from the cookie banner.
Third-party domains contacted
empretienda.com.armitiendanube.empretienda.com.arcdn.empretienda.comapi.empretienda.com.arCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cart | Persistent | 14 days | Stores the shopping cart identifier so the buyer can navigate the storefront and return later without losing selected products. Strictly necessary under Art. 5(3) ePrivacy. |
| PHPSESSID | Session | Session | Maintains the authenticated customer session and CSRF state during checkout. Strictly necessary, exempt from consent. |
| _ga | Persistent | 2 years | Set by the Google Analytics tag when the merchant enables analytics. Distinguishes unique visitors. Requires prior consent under Art. 5(3) ePrivacy. |
| _fbp | Persistent | 90 days | Set by Meta Pixel when installed by the merchant. Used for advertising attribution and audience building. Requires explicit opt in consent. |
Empretienda uses cookies for user preferences — inform visitors with a consent banner.
Out of the box, an Empretienda storefront drops first party cookies for the cart identifier, the customer session and a CSRF token, plus a small handful of theme preferences. As soon as the merchant enables the analytics module or installs a marketing app, additional cookies and identifiers from Google Analytics, Meta Pixel, TikTok, Hotjar, chat widgets or review apps are stored on the device. The platform also processes name, address, phone, email, order history, IP, user agent and any free text the buyer types into product reviews or order notes.
Yes. The cart, login and CSRF cookies are strictly necessary and fall under the Art. 5(3) ePrivacy exemption. Anything else, including audience measurement, retargeting, Conversion API, personalisation, chat tracking or A/B testing, requires prior, freely given, specific, informed and unambiguous consent under Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy. The CNIL and AEPD expect a reject all button that is as visible and as easy to click as accept all, and no non essential script may fire before the visitor opts in.
Cart, checkout, account creation and order processing rely on Art. 6(1)(b) GDPR (performance of the contract). Fraud prevention, security logs and core analytics with no profile sharing may rely on Art. 6(1)(f) GDPR (legitimate interest), but the ePrivacy strict necessity test still applies to any device storage. Advertising pixels, behavioural retargeting, conversion APIs and personalisation always require Art. 6(1)(a) GDPR consent because they involve non essential tracking and onward transfers to ad networks.
Yes. The platform is hosted in Argentina, which holds a partial EU adequacy decision (2003/490/EC) currently under review. Traffic is routed via Cloudflare and AWS edge nodes, some located in the United States, so transfers to a non adequate third country occur in practice. Empretienda merchants must sign Standard Contractual Clauses, document supplementary measures (TLS, encryption keys held in country) and complete a Transfer Impact Assessment in line with Schrems II (CJEU C 311/18) before processing EU resident data.
A DPIA is required when processing is likely to result in a high risk to the rights and freedoms of individuals (Art. 35 GDPR). Combining e commerce profiling, behavioural retargeting through Meta and Google, and transfers to a third country meets at least two of the EDPB criteria and usually triggers the obligation. The DPIA should describe each tag, its legal basis, retention, risk of re identification and the supplementary measures used to mitigate Schrems II risk.
Choose a CMP that supports the IAB TCF or a CNIL aligned framework and that exposes a JavaScript API for blocking tags. Inject the CMP loader before any tracking script in the theme header, wrap Meta Pixel, Google tag, TikTok pixel and review or chat widgets in the consent gate, and pass the consent state to server side endpoints (Conversion API, server tagging). Provide accept all, reject all and granular preference controls, log consent server side with a timestamp and offer an always available link to change preferences.
EU based merchants who serve mostly European buyers can use Shopify (EU region), Prestashop self hosted in the EU, Sylius, CommerceTools or WooCommerce on European infrastructure such as OVH, Scaleway or Hetzner. These options keep storefront data inside the EEA by default and reduce Schrems II exposure. Combine the platform with privacy first analytics such as Matomo on premise or Plausible EU to further limit cross border flows, and run advertising through the platform server side endpoints to keep IP minimisation under control.
Review the cookie inventory and privacy notice at least every six months, and any time you install or remove an app, change the active theme, enable a new payment provider or run a marketing campaign with a new pixel. Re scan the storefront with browser DevTools or a cookie audit tool, update the cookie table in the privacy notice with names, providers, durations and purposes, and re prompt visitors for consent whenever you add a new vendor or change the purpose of an existing one.