Gumroad is a US based merchant of record platform that lets creators sell ebooks, digital downloads, software, memberships and online courses. Creators either link to a Gumroad hosted product page or embed an overlay loaded from gumroad.com on their own site. As the merchant of record, Gumroad collects EU VAT, handles refunds and routes payments through Stripe and PayPal. The embed sets non strictly necessary cookies, so EU sites must gate it behind consent and document the US transfer.
Gumroad is a US based platform incorporated as Gumroad Inc. in San Francisco, California, founded in 2011 by Sahil Lavingia. It targets independent creators who want to sell digital goods (ebooks, courses, software, music, art assets), physical goods and recurring memberships. Gumroad operates as the merchant of record (MoR): when a buyer checks out, Gumroad Inc. is the legal seller of record on the invoice, collects EU VAT and other sales taxes, handles refunds and remits the net revenue to the creator.
Creators can either send buyers to a hosted Gumroad page (creator.gumroad.com or gumroad.com/l/PRODUCT) or use the Gumroad overlay, a JavaScript snippet that opens the checkout in an iframe on the creator's own site.
When the Gumroad overlay is embedded on a third party site, gumroad.js loads from gumroad.com. The overlay opens an iframe to gumroad.com that sets first party Gumroad cookies (_gumroad_session, _gumroad_guid for cart attribution, a CSRF token) and Cloudflare bot management cookies. The Stripe checkout step adds __stripe_mid and __stripe_sid; if the buyer uses PayPal, paypal_* cookies are loaded. Gumroad's own site also runs Google Analytics 4, Microsoft Clarity and Segment for product analytics.
Embedding the Gumroad overlay loads cookies before any action by the visitor, which triggers Art. 5(3) ePrivacy and requires prior consent in the EU. On the Gumroad hosted checkout itself, strictly necessary cookies needed to complete the purchase rely on contract performance and are exempt from prior consent. As merchant of record, Gumroad is a separate controller for VAT, invoicing and refunds.
For EU traffic, replace the overlay with a button that opens the hosted Gumroad page in a new tab until the visitor has accepted the functional or marketing category in your CMP. Once consent is given, load gumroad.js and let the overlay open. The buyer's interaction with the Gumroad checkout itself is on Gumroad's domain, with its own privacy notice and cookie controls.
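One way to implement the gate described above, as an added example that is not Gumroad's or any CMP's own code. The script URL, the `data-gumroad-product` marker attribute and the consent category names are assumptions; call `applyConsent` on page load and from your CMP's consent-change callback.

```javascript
// Added example, not Gumroad's or any CMP's own code.
// Assumed: script URL, data-gumroad-product attribute, consent category names.
const GUMROAD_SCRIPT = "https://gumroad.com/js/gumroad.js"; // assumed URL
const UNLOCKING_CATEGORIES = ["functional", "marketing"];
const LINK_SELECTOR = "a[data-gumroad-product]"; // hypothetical marker attribute

function overlayAllowed(consent) {
  // Only an explicit `true` counts; missing or undefined categories mean no consent.
  return UNLOCKING_CATEGORIES.some((c) => Boolean(consent) && consent[c] === true);
}

function scriptPresent(doc) {
  return doc.querySelector(`script[src="${GUMROAD_SCRIPT}"]`) !== null;
}

// Pre-consent state: plain links to the hosted page, opened in a new tab.
function useStaticLinks(doc) {
  for (const a of doc.querySelectorAll(LINK_SELECTOR)) {
    a.setAttribute("target", "_blank");
    a.setAttribute("rel", "noopener noreferrer");
  }
}

// Post-consent state: inject gumroad.js exactly once.
function loadOverlay(doc) {
  for (const a of doc.querySelectorAll(LINK_SELECTOR)) a.removeAttribute("target");
  const s = doc.createElement("script");
  s.src = GUMROAD_SCRIPT;
  s.async = true;
  doc.head.appendChild(s);
}

// Call on page load and from the CMP's consent-change callback.
function applyConsent(doc, consent) {
  if (overlayAllowed(consent)) {
    if (scriptPresent(doc)) return "overlay-already-loaded";
    loadOverlay(doc);
    return "overlay-loaded";
  }
  // A script that has already run cannot be unloaded; withdrawal needs a reload.
  if (scriptPresent(doc)) return "reload-required";
  useStaticLinks(doc);
  return "static-link";
}

if (typeof document !== "undefined") {
  applyConsent(document, null); // default before the CMP reports a choice
}
```

When `applyConsent` returns `"reload-required"`, consent was withdrawn after gumroad.js had already been injected, so reload the page to return to the static-link state.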
All Gumroad processing happens on AWS US East. The Gumroad DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and references the EU US Data Privacy Framework. Stripe and PayPal apply their own transfer mechanisms (Ireland based EU entities with SCCs to the US, DPF certifications).
Sign the Gumroad DPA from your account. Gate the overlay behind a CMP toggle and use a static link to the hosted page until consent is given. List Gumroad, Stripe and PayPal in your privacy notice and Article 30 record. Mention the merchant of record relationship and the US transfer with SCCs and DPF. Update your customer service expectations: buyers contact Gumroad for refunds and VAT receipts.
Websites using Gumroad must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for a typical creator using Gumroad. It can become relevant for creators running large catalogs with extensive analytics, audience profiling, course completion tracking and AI driven recommendation on the same customer base.
Sample consent text
Sales on this site are powered by Gumroad (Gumroad Inc., United States), our merchant of record for digital goods. The Gumroad overlay sets functional and analytics cookies, opens an iframe to gumroad.com, processes payments through Stripe and PayPal and remits EU VAT on our behalf. International transfers to the US are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
gumroad.com, public-files.gumroad.com, static.gumroad.com, js.stripe.com, www.paypal.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _gumroad_session | third_party | 2 weeks | Gumroad session cookie set on gumroad.com to keep an authenticated session and an in progress checkout. |
| _gumroad_guid | third_party | 1 year | Gumroad attribution and recognition identifier used to attribute purchases to the originating link or affiliate. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie set on gumroad.com to distinguish humans from automated traffic. |
| __stripe_mid | third_party | 1 year | Stripe machine identifier loaded during the Gumroad Stripe checkout step for fraud prevention. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier loaded during the Gumroad Stripe checkout step for fraud detection. |
Gumroad uses cookies for user preferences — inform visitors with a consent banner.
When the Gumroad overlay loads, it sets first party Gumroad cookies on gumroad.com (_gumroad_session, _gumroad_guid for cart attribution, a CSRF token) and Cloudflare bot management cookies (__cf_bm, _cfuvid). The Stripe checkout step adds __stripe_mid, __stripe_sid and m. If the buyer chooses PayPal, paypal_* cookies are loaded.
Yes. The overlay loads gumroad.js before the visitor does anything, which puts non strictly necessary cookies on the device. Art. 5(3) ePrivacy requires prior consent in the EU. Until consent is given, replace the overlay with a static button linking to the hosted Gumroad page in a new tab.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for loading the overlay and its cookies on your own site. Contract performance (Art. 6(1)(b)) for processing the purchase on the hosted Gumroad page. Legal obligation (Art. 6(1)(c)) for EU VAT collection and reporting, since Gumroad is the merchant of record.
Yes. Gumroad Inc. is established in the United States and processes EU customer data on AWS US East. The Gumroad DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and references the EU US Data Privacy Framework. Stripe and PayPal apply their own transfer mechanisms.
A DPIA is not normally required for a single creator selling a few products through Gumroad. It can be appropriate when Gumroad is combined with extensive customer profiling, audience emails, course completion tracking and AI recommendations on the same customer base.
Sign the Gumroad DPA, gate the overlay behind a CMP toggle, use a static link to the hosted page until consent is given, mention Gumroad, Stripe and PayPal in your privacy notice, document the US transfer with SCCs and DPF, add Gumroad to your Article 30 record and direct refund and VAT receipt requests to Gumroad as merchant of record.
EU friendly creator commerce platforms include Lemon Squeezy (US with DPF, see our dedicated page), Paddle (UK MoR), Podia, Kajabi (US), Teachable (US), SendOwl (UK), Tipeee (France), Lemonway and Stripe Checkout / Payment Links for self managed setups. EU sellers without MoR can also use Mollie (Netherlands) or Adyen (Netherlands).
List the Gumroad and Stripe cookies in your cookie policy under their categories. In your privacy notice describe Gumroad as your merchant of record for digital goods, the overlay, the iframe to gumroad.com, the US transfer with SCCs and DPF and the role of Stripe and PayPal as separate processors.