Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Gumstack is a US based Shopify app that embeds a live video shopping widget on store pages. Founded in 2020 in Beaverton, Oregon, it lets merchants run one to one video calls and group live streams to drive conversions. The widget sets first-party cookies for session, consent and analytics, and routes interactions to Gumstack servers in the United States. As a result, integrating Gumstack on an EU storefront triggers a third country transfer that must rely on DPF or SCCs and requires informed consent for non essential cookies.
Gumstack is a Shopify app that brings live video shopping to merchant storefronts. The company was founded in 2020 in Beaverton, Oregon, and offers both one to one calling and one to many live streaming for product launches and influencer events. Merchants install the app from the Shopify App Store, configure availability windows and embed a button or modal on product pages. When a visitor clicks, the Gumstack widget initialises a WebRTC session that connects the shopper to the merchant team, then logs the interaction for analytics and follow up.
The Gumstack widget sets first-party functional cookies for the visitor session, an identifier used to reconnect to an ongoing video call, a consent record cookie and optional analytics cookies that measure session length and conversion. During a live call, the service processes the WebRTC audio video stream, optional chat messages, the visitor IP address, User-Agent, the referring URL and a viewer identifier that links the conversation back to the merchant CRM. The merchant account hosted by Gumstack stores agent profiles, scheduling data and aggregate dashboards.
The Shopify merchant is the controller of the data collected via Gumstack on its storefront. Shopify acts as a processor for the platform side and Gumstack as a processor (or sub-processor depending on the contractual chain) for the live shopping feature. Cookies strictly necessary to deliver the video session explicitly requested by the visitor fall under the Article 5(3) ePrivacy exemption. Analytics, conversion tracking and replay cookies require prior, informed consent, captured through a compliant banner on the storefront before the Gumstack script is loaded.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Gumstack hosts its production environment in the United States and routes WebRTC sessions through US TURN servers when relays are needed. Each live call therefore involves a transfer of personal data to a third country. EU merchants should rely on the EU US Data Privacy Framework adequacy decision when Gumstack Inc. is certified, with the new Standard Contractual Clauses as a contractual fallback and supplementary measures (TLS encryption, tenant segregation, controlled retention of recordings) explicitly documented in the DPA.
Live video shopping is more intrusive than a classic cookie banner because it involves real time audio and video. A DPIA is recommended whenever the merchant enables recording, transcription or AI assisted analysis of calls, when the audience includes minors or when the catalogue covers sensitive sectors. The consent banner on the storefront should distinguish strictly necessary cookies (session) from optional cookies (analytics, attribution, replay) and link to a clear privacy notice that mentions the US transfer.
Sign the Gumstack DPA, verify the DPF certification on dataprivacyframework.gov, configure the consent banner to gate non essential Gumstack cookies, restrict recording retention to a justified minimum and provide clear in app information before the call starts. EU based alternatives include Bambuser (Sweden), Livescale (Canada with EU regions) and Phygital Plus (France), which offer comparable live shopping features with localised hosting and contractual coverage adapted to the European market.
Websites using Gumstack must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for merchants integrating Gumstack because the service combines video streaming, behavioural analytics and conversion tracking on EU customers. The assessment must cover the categories of data exchanged (IP, identifiers, audio video stream, chat, purchase intent), retention of session recordings, US hosting risks under Schrems II, the role of Shopify and Gumstack as processors, supplementary measures and the rights of data subjects, in particular the right to object and the right to deletion of recordings.
Sample consent text
This store uses Gumstack, a live video shopping app operated from the United States, to offer real time video sessions with our team. Strictly necessary cookies allow the video session to function. With your consent, additional Gumstack cookies measure session analytics and attribution. By accepting, you authorise the transfer of your IP, User-Agent and interaction data to Gumstack Inc., under the EU US Data Privacy Framework or Standard Contractual Clauses.
Third-party domains contacted
gumstack.comapp.gumstack.comapi.gumstack.comcdn.gumstack.comlive.gumstack.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gumstack_session | first_party | Session | Identifies the live video shopping session and links the visitor to the active WebRTC connection. Strictly necessary functional cookie. |
| gumstack_viewer_id | first_party | 12 months | Persistent viewer identifier used to resume an interrupted call and to display the visitor history to the agent. |
| gumstack_consent | first_party | 12 months | Stores the cookie consent choice made by the visitor for the Gumstack widget, including analytics opt in or opt out. |
| gumstack_analytics | first_party | 13 months | Aggregated session analytics (duration, drop off, conversion). Loaded only after the visitor accepts analytics cookies. |
| gumstack_attribution | first_party | 90 days | Conversion attribution token that links a purchase back to a Gumstack live session. Marketing category, requires consent. |
Gumstack uses cookies for user preferences — inform visitors with a consent banner.
Gumstack sets first-party functional cookies for the video session, a persistent viewer identifier, the consent record and optional analytics and attribution cookies. The strictly necessary cookies are loaded as soon as a visitor opens the widget. Analytics and attribution cookies should only load after the visitor has accepted them in the consent banner.
Yes for any non essential cookie or processing (analytics, attribution, replay, AI analysis). The strictly necessary session cookie used to deliver the video call requested by the visitor falls under the Article 5(3) ePrivacy exemption, but the visitor must be informed before the call starts that the session is operated from the United States.
The merchant Gumstack relationship relies on contract performance under Article 6(1)(b) GDPR, formalised by the app subscription and the DPA. On the storefront, strictly necessary cookies rely on the same logic, while analytics, attribution and replay cookies require consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. Recording calls additionally requires explicit information and a documented purpose.
Yes. Gumstack Inc. is based in Beaverton, Oregon, and runs its infrastructure on US cloud regions. WebRTC sessions, identifiers, recorded calls and analytics data therefore reach the United States. The transfer relies on the EU US Data Privacy Framework when Gumstack is certified, or on the new Standard Contractual Clauses combined with supplementary technical measures.
Yes when the merchant activates call recording, transcription, AI analysis or marketing attribution, when the audience includes minors or when the catalogue covers sensitive sectors. The DPIA should cover data categories (audio, video, chat, identifiers), retention, US transfer risks, the role of Shopify and Gumstack and the residual risk after technical and contractual measures.
Sign the Gumstack DPA, configure the Shopify consent banner or a third-party CMP to gate non essential Gumstack cookies, customise the pre call notice with the US hosting disclosure, restrict recording retention to a justified minimum, train agents on data subject rights and add Gumstack to your record of processing activities and sub-processor list.
European alternatives include Bambuser (Sweden), Phygital Plus (France) and Caast.tv (France), all of which offer live and one to one video shopping with EU hosting options. Livescale (Canada with EU regions) and Vimeo Studio are also worth considering. The choice depends on Shopify compatibility, recording features, replay quality and the contractual framework offered by the vendor.
Add a dedicated section listing each Gumstack cookie (name, purpose, retention, category), mention Gumstack Inc. as processor, the United States hosting and the transfer mechanism (DPF or SCCs). Disclose any call recording, the retention period and the legal basis used. Update the notice when you change the analytics or attribution settings, when you enable AI analysis or when the DPF status of Gumstack changes.