Hit-Mall is a hosted e-commerce platform widely used by online retailers in Russia and the Commonwealth of Independent States. It provides catalogue management, baskets, checkout, payment integrations and a marketing toolset. Hit-Mall stores cookies for session, basket, language and authentication, and processes data on infrastructure located outside the European Economic Area, which raises specific obligations under GDPR and the ePrivacy Directive when European visitors are concerned.
Hit-Mall is a hosted e-commerce platform widely used by online retailers in Russia and the Commonwealth of Independent States. It provides catalogue management, customer accounts, baskets, checkout, payment integrations, marketing automation and a content management layer. Merchants subscribe to the platform, configure their store and run their business on Hit-Mall infrastructure rather than self hosting the application. Visitors interact with a JavaScript storefront that writes a small set of first party cookies, while the back office runs in the Hit-Mall data centres.
The Hit-Mall storefront typically writes a session cookie (PHPSESSID or a renamed equivalent), a basket cookie that stores the anonymous cart reference, an authentication cookie for logged in customers and a language cookie. Optional modules add marketing, abandoned cart, retargeting and analytics cookies. The platform processes the customer name, billing address, shipping address, phone number, email and order history. Payment is usually delegated to a separate processor that returns a token, but the merchant remains responsible for the data flow.
The session, basket and authentication cookies fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive, since they are required to deliver the shopping service explicitly requested by the customer. They can be loaded without consent. Marketing, analytics and retargeting modules trigger consent obligations and must be blocked by a Consent Management Platform until accepted. The privacy notice must list each module and the categories of data processed.
Hit-Mall infrastructure is mainly located in Russia, which has no European adequacy decision and which has been the target of EU sanctions and counter sanctions affecting personal data. Transfers from the European Economic Area must rely on Standard Contractual Clauses and on supplementary measures (strong encryption with keys held in the EU, pseudonymisation, restriction of administrative access, transparent reporting of any government access request). A Schrems II style Transfer Impact Assessment is mandatory and should conclude on the residual risk after the supplementary measures.
Sign Standard Contractual Clauses with Hit-Mall, document the supplementary measures and run a Transfer Impact Assessment. Block optional marketing and analytics modules behind a Consent Management Platform such as FlowConsent. Set the Secure and HttpOnly attributes and SameSite=Lax on the cookies. Document the retention period of orders, customer accounts and abandoned baskets. Reference Hit-Mall in your privacy notice and reflect on whether a self-hosted European platform such as Saleor, Sylius or Spryker would be a more proportionate choice.
Websites using Hit-Mall must obtain user consent under GDPR regulations.
DPIA considerations
A merchant targeting European customers with a Hit-Mall store should consider a DPIA because data is transferred to a country without adequacy and the platform combines order, account, payment and marketing data. The DPIA should describe the transfer mechanism, the supplementary measures (encryption, pseudonymisation, EU mirror copy if available), the access rights of Russian support staff, the legal basis of each processing activity and the retention period.
Sample consent text
This shop runs on the Hit-Mall platform. Strictly necessary cookies are written to keep your basket and session active. Order data, account information and payment metadata are processed by the platform on infrastructure located in the Russian Federation under Standard Contractual Clauses. Optional marketing or analytics cookies are activated only with your consent.
Third-party domains contacted
hit-mall.ru
static.hit-mall.ru
cdn.hit-mall.ru
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first_party | Session | Stores the session identifier used to keep the cart, login state and language preference active across page loads. |
| hm_basket | first_party | 30 days | Stores the anonymous reference to the active shopping basket so that cart contents persist across visits. |
| hm_auth | first_party | Session | Stores the encrypted authentication ticket of customers who have logged into their account on the storefront. |
| hm_lang | first_party | 1 year | Stores the language and locale chosen by the visitor so that returning visits load the right localised version. |
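
An added example, not Hit-Mall or FlowConsent code: a Python check that compares Set-Cookie headers with the table above and with the Secure, HttpOnly and SameSite=Lax settings this page recommends. The sample headers and the `_trk` cookie name are constructed, and accepting SameSite=Strict alongside Lax is an assumption.

```python
DAY = 86400
# Declared lifetimes from the cookie table; None means a session cookie.
DECLARED = {"PHPSESSID": None, "hm_basket": 30 * DAY, "hm_auth": None, "hm_lang": 365 * DAY}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(headers, consent_given=False):
    """Return a sorted list of (cookie name, finding) tuples."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in DECLARED:
            # Anything outside the table is treated as an optional module cookie.
            if not consent_given:
                findings.append((name, "undeclared cookie set before consent"))
            continue
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append((name, f"missing {flag}"))
        # Assumption: Strict is accepted as at least as restrictive as Lax.
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append((name, "SameSite is not Lax or Strict"))
        declared = DECLARED[name]
        max_age = attrs.get("max-age", "")
        if declared is None and ("max-age" in attrs or "expires" in attrs):
            findings.append((name, "persistent but declared as session"))
        elif declared is not None and max_age.isdigit() and int(max_age) > declared:
            findings.append((name, "lifetime exceeds declared duration"))
    return sorted(findings)

# Constructed sample response headers (not captured from a real store).
SAMPLE = [
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "hm_basket=b-42; Path=/; Max-Age=7776000; Secure; HttpOnly; SameSite=Lax",
    "hm_auth=ticket; Path=/; HttpOnly",
    "hm_lang=en; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax",
    "_trk=xyz; Path=/; Max-Age=63072000",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Lifetimes are compared through Max-Age only; an Expires date on a persistent cookie is not converted.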
Hit-Mall uses cookies for user preferences — inform visitors with a consent banner.
By default the storefront writes a session cookie (typically PHPSESSID), a basket cookie that holds the anonymous cart reference, an authentication cookie for logged in customers and a language cookie. Optional modules add marketing, retargeting and analytics cookies that require consent.
No. Session, basket, language and authentication cookies fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive, since they are required to deliver the shopping service explicitly requested. Optional marketing, retargeting and analytics modules require an explicit opt in.
Order processing, account management and authentication rely on contract performance under Article 6(1)(b) GDPR. Marketing and retargeting require consent under Article 6(1)(a). Anti fraud and security logs may rely on legitimate interest under Article 6(1)(f). Document each basis in your record of processing.
Yes. Hit-Mall infrastructure is mainly located in Russia, which has no European adequacy decision. Transfers must rely on Standard Contractual Clauses with supplementary measures (encryption with EU based keys, pseudonymisation, restriction of administrative access). A Schrems II style Transfer Impact Assessment is mandatory.
In most cases yes. The combination of large scale order data, financial information, marketing modules and a transfer to a country without adequacy meets several criteria of Article 35 GDPR and the EDPB Guidelines on DPIA. Document the supplementary measures and the residual risk before launching the store.
Sign Standard Contractual Clauses with Hit-Mall, run a Transfer Impact Assessment, deploy strong encryption with EU based keys, restrict administrative access, block optional marketing and analytics modules behind a Consent Management Platform such as FlowConsent, document the data flows and reflect on whether a self hosted European platform would be more proportionate.
European alternatives include Shopify (Canada with EU options), PrestaShop (France), Sylius (France), Saleor (Poland), Spryker (Germany), Adobe Commerce (Magento), Shopware (Germany) and Bagisto. Each platform has a different hosting model and integrations, but all provide a stronger EU privacy posture than a Russian hosted store.
List the strictly necessary cookies (session, basket, authentication, language) with their purpose and lifetime, document the data transfer to Russia, reference the Standard Contractual Clauses and supplementary measures, list every optional module that writes additional cookies, and provide a clear consent management link with a working revocation flow.