FastSpring is a US based merchant of record (MoR) payment platform widely used by software and SaaS companies to outsource billing, EU VAT collection, fraud prevention and global tax compliance. The hosted checkout, served from fastspring.com and onfastspring.com, sets only strictly necessary first party cookies and routes transactions through Bright Market LLC, the legal seller of record. As the merchant of record FastSpring handles VAT, invoicing and chargebacks on behalf of the publisher.
FastSpring is a US based payment platform incorporated as Bright Market LLC in Santa Barbara, California. It operates as a merchant of record (MoR) for software, SaaS and digital products: when a customer pays through FastSpring, Bright Market LLC is the legal seller of record on the invoice, collects EU VAT and other sales taxes, handles refunds, chargebacks and dispute management and remits the net revenue to the publisher.
Publishers integrate FastSpring with the Popup Storefront (an overlay on their site), the Web Storefront (a hosted product page) or the Embedded Storefront (a checkout in an iframe). The Storefront.js library and the Order API allow advanced flows such as price localisation, subscription management and B2B quoting.
On the hosted FastSpring checkout, only strictly necessary first party cookies are set on fastspring.com and onfastspring.com: a session cookie that maintains the cart, a CSRF protection token and a fraud risk score cookie. FastSpring also collects billing data (name, email, address, country, payment method) needed to complete the purchase. When the publisher uses the Library API to display localised prices on its own page, geo IP lookups happen server side without setting cookies on the publisher domain.
Because FastSpring acts as the merchant of record, it is a controller for the invoicing and tax remittance data and a processor for the publisher's customer data. Strictly necessary cookies set on the hosted checkout are exempt from prior consent under Art. 5(3) ePrivacy and the EDPB ePrivacy guidance. The customer's explicit choice to start a purchase is the legal basis for the processing of the payment data.
FastSpring processes EU customer data on AWS US East regions. The FastSpring DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and the UK International Data Transfer Addendum, and FastSpring is self certified under the EU US Data Privacy Framework. EU customers can request additional information on access controls and on the categories of sub processors used.
Sign the FastSpring DPA from your account. List FastSpring (Bright Market LLC) in your privacy notice as merchant of record and processor, mention the US transfer with SCCs and DPF, and add it to your Article 30 register. No cookie banner update is needed for the hosted checkout itself, but any third party analytics that you wire to FastSpring events (Google Analytics, GA4 ecommerce, Meta CAPI) must remain in the consent gated tag manager.
Websites using FastSpring must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for standard SaaS subscription billing through FastSpring. It can become relevant for products that combine billing with extensive customer profiling, regulated industry data or special category data tied to subscription tiers.
Sample consent text
Payments and invoicing on this site are handled by FastSpring (Bright Market LLC, United States), our merchant of record. FastSpring processes your payment data and EU VAT under contract and legal obligations on its US infrastructure. International transfers to the United States are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
fastspring.com
onfastspring.com
sbl.onfastspring.com
d1f8f9xcsvx3ha.cloudfront.net

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| fs_session | first_party | Session | Strictly necessary session cookie on the FastSpring hosted checkout used to maintain the customer cart and the in progress order. |
| fs_csrf | first_party | Session | CSRF protection token used to validate the payment form submission on the FastSpring hosted checkout. |
| fs_risk | first_party | 30 minutes | Strictly necessary fraud risk cookie used by FastSpring for transaction risk scoring during the checkout. |
| fs_locale | first_party | 1 year | Functional cookie used by the FastSpring hosted checkout to remember the customer's language and currency preference between sessions. |
FastSpring uses cookies for user preferences — inform visitors with a consent banner.
On the hosted FastSpring checkout only strictly necessary first party cookies are set on fastspring.com and onfastspring.com: a session cookie (fs_session) keeping the cart, a CSRF protection token (fs_csrf) and a risk score cookie (fs_risk). When the customer pays with a card, the underlying card processor may add its own short lived risk cookies.
No, the cookies on the hosted FastSpring checkout are strictly necessary under Art. 5(3) ePrivacy and are exempt from prior consent. The customer has actively initiated the purchase, which is the legal basis for processing the payment data under Art. 6(1)(b) GDPR. Optional analytics on the publisher domain (GA4 ecommerce, Meta CAPI) must stay behind a consent gated tag manager.
Contract performance (Art. 6(1)(b) GDPR) for processing the data necessary to complete the transaction. Legal obligation (Art. 6(1)(c)) for EU VAT, AML and tax record keeping, since FastSpring is the merchant of record. Strictly necessary cookies are exempt under Art. 5(3) ePrivacy.
Yes. Bright Market LLC is established in the United States and processes EU customer data on AWS US East. The FastSpring DPA includes the EU Standard Contractual Clauses and the UK IDTA, and FastSpring is self certified under the EU US Data Privacy Framework. A Transfer Impact Assessment should review US surveillance laws.
Standard SaaS billing through FastSpring does not normally require a DPIA. A DPIA may be appropriate when FastSpring is combined with extensive customer profiling, regulated industries or special category data tied to subscription tiers.
Sign the FastSpring DPA, mention FastSpring (Bright Market LLC) as merchant of record and processor in your privacy notice, document the US transfer with SCCs and DPF, and add the service to your Article 30 register. Use the hosted checkout to keep the payment data scope minimal and avoid loading any optional analytics outside the consent gated tag manager.
Other merchant of record platforms include Paddle (UK with EU AWS), Lemon Squeezy (US with DPF) and 2Checkout / Verifone (US and EU). Non MoR EU options include Stripe Billing (Ireland), Mollie subscriptions (Netherlands), Adyen subscriptions (Netherlands) and Chargebee Billing (US with EU residency on enterprise).
For most setups no banner update is needed because the hosted checkout sets only strictly necessary cookies under Art. 5(3) ePrivacy. Update the privacy notice to mention FastSpring as merchant of record, the US transfer with SCCs and DPF and the role of FastSpring as a separate controller for VAT and tax remittance.