Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
GoKwik is an Indian conversion intelligence platform built for direct to consumer e commerce stores on Shopify, Magento and custom stacks. The SDK loaded from sdk.gokwik.co writes first party cookies on the merchant's domain, scores cash on delivery risk, runs address intelligence and renders a one click hosted checkout overlay. Data is processed on AWS Mumbai. For EU stores, the transfer to India relies on Standard Contractual Clauses and requires consent for the non strictly necessary tracking cookies.
GoKwik is an Indian conversion intelligence platform, incorporated as GoKwik Solutions Pvt. Ltd. in Gurugram, Haryana, that targets direct to consumer (D2C) e commerce merchants. It bundles a one click hosted checkout (KwikCheckout), an address intelligence layer (KwikPass) and a cash on delivery (COD) risk engine on top of a merchant''s Shopify, Magento or custom storefront. The SDK loaded from sdk.gokwik.co replaces the native checkout, identifies returning customers across stores in the GoKwik network and prevents fraudulent COD orders using device, network and behaviour signals.
On a typical Shopify or Magento store, GoKwik writes first party cookies on the merchant domain (gk_visitor, gk_session, gk_kwikpass) and a localStorage object with the GoKwik visitor ID, a returning customer hash, the chosen shipping pincode and the COD risk band. The SDK transmits shipping address fragments, phone number hashes, IP, user agent, device fingerprint and prior order patterns to api.gokwik.co for scoring. KwikPass also enables cross store checkout, so the same shopper hash can be recognised across multiple GoKwik powered storefronts.
Under the GDPR, GoKwik is a processor for the merchant (controller) when running the checkout flow, and a controller for its cross store network. The COD risk engine and KwikPass are forms of automated decision making under Art. 22 GDPR because they can decline cash on delivery or trigger upfront payment requirements. Under Art. 5(3) ePrivacy, gk_visitor and gk_kwikpass are not strictly necessary for the requested page view, so they require consent before they are set.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
EU merchants should gate the GoKwik SDK behind a CMP. A pragmatic option is to load only a stub before consent (the Add to cart button stays native), then load the full SDK after the analytics or marketing category is accepted. Inside the checkout itself, strictly necessary data processing required to complete the order may rely on contract performance, but the cross store recognition and COD risk profiling need consent or a strong legitimate interest balancing test.
GoKwik processes data on AWS Mumbai. India is not covered by an EU adequacy decision. The GoKwik DPA includes the EU Standard Contractual Clauses (modules 2 and 3) and aligns with India''s Digital Personal Data Protection Act, 2023. EU merchants should run a Transfer Impact Assessment that looks at Indian access laws (CERT IN, the IT Act, the DPDP Act exemptions), encryption in transit and at rest and the residual risk for EU customers.
Sign the GoKwik DPA, gate the SDK behind a CMP, separate strictly necessary checkout data from cross store profiling in your privacy notice, give EU customers a meaningful right to object to automated COD scoring, document the international transfer to India with SCCs and a TIA, list gokwik.co and sdk.gokwik.co in your Content Security Policy and complete a DPIA that covers fraud scoring and cross store recognition.
Websites using GoKwik must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever an EU merchant deploys GoKwik because the SDK combines device fingerprinting, COD fraud scoring (a form of profiling under Art. 4(4) GDPR) and a transfer to India, a third country without an adequacy decision. The DPIA should cover fraud scoring, attribution profiling and the international transfer.
Sample consent text
This store uses GoKwik (GoKwik Solutions Pvt. Ltd., India) to power its checkout, address intelligence and cash on delivery risk scoring. GoKwik sets functional and analytics cookies, sends data to AWS Mumbai and uses Standard Contractual Clauses for the transfer outside the EEA. Some features only run after you give consent for analytics.
Third-party domains contacted
gokwik.cosdk.gokwik.coapi.gokwik.copay.gokwik.coCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gk_visitor | first_party | 1 year | GoKwik long lived visitor identifier used to recognise returning shoppers on the merchant store and to attribute conversions. |
| gk_session | first_party | Session | GoKwik session state cookie used to keep the checkout step, cart contents and chosen shipping information. |
| gk_kwikpass | first_party | 6 months | KwikPass cross store recognition hash used to identify the shopper across multiple GoKwik powered merchant stores for one click checkout. |
| gk_cod_risk | first_party | 30 days | COD risk band cookie used to remember the customer's cash on delivery risk classification for faster checkout decisioning on subsequent visits. |
GoKwik uses cookies for user preferences — inform visitors with a consent banner.
GoKwik writes first party cookies on the merchant domain: gk_visitor (a long lived visitor identifier), gk_session (session state), gk_kwikpass (KwikPass cross store recognition hash) and a small localStorage object with the COD risk band, the shipping pincode and the returning customer hash. Cloudflare bot management cookies may also be set on gokwik.co subdomains.
Yes. The gk_visitor and gk_kwikpass cookies and the device fingerprint used for COD scoring are not strictly necessary for the page the EU visitor first sees. Art. 5(3) ePrivacy requires consent before they are set. The full SDK should only load after the analytics or marketing category has been accepted in your CMP.
Contract performance (Art. 6(1)(b) GDPR) for the data needed to complete the checkout the customer has initiated. Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the tracking cookies and the fraud scoring. Legitimate interest can support some fraud prevention work but rarely covers cross store profiling and automated COD refusals.
Yes. GoKwik is established in India and processes data on AWS Mumbai. India has no EU adequacy decision. The GoKwik DPA includes the EU Standard Contractual Clauses (modules 2 and 3) and references the Indian Digital Personal Data Protection Act 2023. EU merchants should complete a Transfer Impact Assessment.
Yes, in most EU deployments. GoKwik combines device fingerprinting, behavioural scoring (COD risk and cross store recognition), automated decisions on payment options and an international transfer to India. The combination meets at least two of the Art. 35 GDPR criteria.
Sign the GoKwik DPA, gate the SDK behind a CMP, give customers a meaningful way to object to automated COD scoring, document the India transfer with SCCs and TIA, separate strictly necessary checkout data from cross store profiling in the privacy notice, and complete a DPIA covering fraud scoring and cross store recognition.
EU friendly checkout and fraud platforms include Mollie Checkout (Netherlands), Adyen Risk Hub (Netherlands), Stripe Radar + Stripe Link (Ireland and US with DPF), Klarna Authentication (Sweden), Riskified (Israel with EU servers), Bolt Checkout (US) and Shop Pay (Shopify). For COD specific markets the EU has fewer direct equivalents.
List gk_visitor, gk_session and gk_kwikpass in your cookie policy as analytics or marketing cookies, with their durations. In your privacy notice, describe GoKwik as your checkout and fraud prevention provider, the data sent to AWS Mumbai, the use of automated COD decisions, the international transfer to India with SCCs and the customer's rights including the right to object to profiling.