Kartris is an open source ASP.NET e-commerce platform developed by CACTUSOFT (Switzerland) and self hosted by the merchant on a Microsoft IIS web server. It powers the storefront, catalogue, basket and customer account. Out of the box Kartris sets only strictly necessary session, basket and authentication cookies, so the consent obligation under Article 5(3) of the ePrivacy Directive applies only to the optional analytics or marketing modules the merchant chooses to add. Personal data stays on the merchant's own infrastructure.
Kartris is an open source ASP.NET e-commerce platform maintained by CACTUSOFT, a software house based in Switzerland. It is released under the GPL and distributed as source code that the merchant compiles and deploys on a Microsoft IIS web server with a Microsoft SQL Server database. Kartris ships with a storefront, catalogue and category browsing, basket, member registration, secure checkout, order management and a back office admin. It is widely used by small and medium retailers in the United Kingdom and continental Europe that prefer a self hosted .NET stack.
Because Kartris is self hosted, the merchant is the data controller for everything that happens on the server. CACTUSOFT is not a processor of the merchant's customer data unless the merchant subscribes to a paid support or hosting service from them.
Out of the box Kartris sets only strictly necessary first party cookies: an ASP.NET session cookie (ASP.NET_SessionId), the ASP.NET Forms Authentication ticket for the customer account (.ASPXAUTH by default), an anti forgery token, a culture or language cookie, and a basket identifier when guests add items without logging in. These cookies do not track behaviour, are scoped to the merchant's own domain and exist only to operate the shopping experience the visitor has requested.
On the database side Kartris stores order data, customer accounts, addresses, optional newsletter opt ins and payment references. Card data is normally not stored in Kartris itself; the platform integrates with PCI compliant gateways (SagePay, Stripe, Worldpay, Authorize.Net) which receive the card details directly from the customer's browser through a hosted payment page or tokenised hosted fields, so the merchant's server never handles the card number.
Strictly necessary cookies are exempt from the prior consent requirement of Article 5(3) of the ePrivacy Directive, as recognised by the CNIL, the BfDI, the AEPD and the Article 29 Working Party Opinion 4/2012. The Kartris session, basket and authentication cookies fall squarely in that exemption. Order processing, account management and fraud prevention rely on Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest in detecting fraud). Marketing emails and behavioural analytics added on top of the platform are out of scope and need their own consent.
Most merchants extend Kartris with third party tags: Google Analytics, Meta Pixel, Hotjar, Microsoft Clarity, abandoned cart email tools, recommendation engines or chat widgets. Each of these is non essential and triggers the Article 5(3) ePrivacy consent requirement plus Article 6 GDPR scrutiny. The merchant must integrate a consent management platform, block all optional tags until the visitor opts in, and ensure refusal is as easy as acceptance (EDPB Guidelines 05/2020 on consent and 03/2022 on deceptive design patterns). The core Kartris layer continues to operate without any such tag.
Because Kartris is self hosted, the data location is exactly the location of the IIS server the merchant chooses, plus the location of the chosen payment gateway and any optional integration. EEA merchants that host on European infrastructure (OVH, Hetzner, Scaleway, Azure West Europe, IONOS) keep production data inside the EEA. If the merchant uses a US payment gateway or a US analytics provider, those specific flows raise Schrems II questions for the third party in question, not for Kartris itself. CACTUSOFT being based in Switzerland is not problematic because Switzerland benefits from a European Commission adequacy decision.
Document the platform in the record of processing activities. Encrypt the SQL Server database at rest and the customer connections in transit (TLS 1.2 or 1.3). Restrict admin access by IP and require MFA. Configure a retention policy on orders, addresses and account data aligned with national tax and consumer law. Patch Kartris and IIS regularly, follow the project security advisories, and back up the database with copies you have actually restored. Integrate a consent management platform if the merchant adds any analytics, advertising, recommendation or chat module. Update the privacy notice with the data controller, the legal bases, the retention periods, the rights mechanism and the list of any third party integrations.
DPIA considerations
A formal DPIA under Article 35 GDPR is not normally required for a standard Kartris installation, because the core platform processes only the customer data needed to fulfil an order on the merchant's own server. A DPIA becomes appropriate when the merchant layers profiling, large scale loyalty programs, behavioural analytics, marketing automation or third country payment processors on top of Kartris, or when the catalogue includes goods from which special category data (health, political opinion, ethnic origin) could be inferred. The DPIA should describe the categories of customer data, the retention in the SQL Server database, the access controls on the IIS host, the encryption at rest and in transit, the backup and breach detection processes, and any third party modules that are activated.
Sample consent text
This shop runs on Kartris, an open source e-commerce platform that we host on our own server. To operate the basket, the customer account and the secure checkout, Kartris uses strictly necessary cookies that do not require your consent. We use no analytics or marketing cookies by default. If you accept optional cookies, we may also activate analytics or marketing modules; you can refuse those at any time without affecting your ability to browse, register or place an order.
Third-party domains contacted
- kartris.com
- forum.kartris.com
- github.com/Kartris
- cactusoft.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ASP.NET_SessionId | Session | Session | Strictly necessary first party session cookie set by the ASP.NET session state module to maintain server side session state for the Kartris storefront, including the contents of an unauthenticated basket. |
| .ASPXAUTH | Session (persistent only for a "remember me" login) | Until logout or ticket expiry | Strictly necessary first party authentication ticket issued by ASP.NET Forms Authentication after the customer signs into the Kartris account. Used to keep the customer signed in across pages. |
| KartrisBasketID | Persistent | 30 days | Strictly necessary first party identifier that allows Kartris to associate basket contents and order in progress to the same visitor across pages and short return visits before checkout. |
| KartrisCulture | Persistent | 1 year | Strictly necessary preference cookie that remembers the language and currency selected by the visitor so the Kartris storefront displays the right localisation on the next visit. |
| __RequestVerificationToken | Session | Session | Strictly necessary anti CSRF token issued by ASP.NET to protect Kartris forms (checkout, account, admin) against cross site request forgery attacks. |
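The claim in the table above, that a fresh visit sets only the five strictly necessary cookies, is something a merchant can verify from the response headers rather than take on trust. The following is an added example (not Kartris or CACTUSOFT code): it parses Set-Cookie header values, checks each cookie name against the allow list from the table, flags anything else as requiring prior consent, and reports missing Secure, HttpOnly and SameSite attributes on the necessary cookies. The header lines are constructed for the example, not captured from a real shop, and the cookie names are taken from the table; check them against your own installation.

```python
"""Audit the cookies a Kartris storefront sets before any consent is given.

Added example, not Kartris or CACTUSOFT code. Runs offline on the constructed
Set-Cookie lines in SAMPLE_HEADERS; in practice feed it the Set-Cookie headers
from a first, cookie-less GET of the storefront.
"""

# Allow list from the cookie table: these may be set without consent.
STRICTLY_NECESSARY = {
    "ASP.NET_SessionId": "session state",
    ".ASPXAUTH": "forms authentication ticket",
    "KartrisBasketID": "guest basket",
    "KartrisCulture": "language / currency preference",
    "__RequestVerificationToken": "anti CSRF token",
}

# Cookies that carry a bearer credential and must never be readable by script.
CREDENTIAL_COOKIES = {"ASP.NET_SessionId", ".ASPXAUTH"}

# Constructed sample of a first page load (not real captured traffic).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "KartrisBasketID=b-42; Max-Age=2592000; Path=/; Secure; SameSite=Lax",
    "KartrisCulture=en-GB; Max-Age=31536000; Path=/; SameSite=Lax",  # no Secure
    "__RequestVerificationToken=tok; Path=/; Secure; HttpOnly; SameSite=Strict",
    "_ga=GA1.2.1234; Max-Age=63072000; Path=/",  # analytics cookie set before opt in
]


def parse_set_cookie(line):
    """Parse one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their values; a bare flag such
    as Secure or HttpOnly maps to the empty string.
    """
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(set_cookie_lines):
    """Classify each cookie and collect hardening findings.

    Returns a dict with three lists: 'necessary' (names allowed before
    consent), 'needs_consent' (names that must stay blocked until opt in)
    and 'weak' (attribute findings on the necessary cookies).
    """
    report = {"necessary": [], "needs_consent": [], "weak": []}
    for line in set_cookie_lines:
        name, _value, attrs = parse_set_cookie(line)
        if name not in STRICTLY_NECESSARY:
            # Anything outside the allow list is an optional module's cookie
            # and falls under Article 5(3) ePrivacy consent.
            report["needs_consent"].append(name)
            continue
        report["necessary"].append(name)
        if "secure" not in attrs:
            report["weak"].append(f"{name}: missing Secure")
        if name in CREDENTIAL_COOKIES and "httponly" not in attrs:
            report["weak"].append(f"{name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            report["weak"].append(f"{name}: SameSite not Lax/Strict")
    return report


if __name__ == "__main__":
    for section, items in audit(SAMPLE_HEADERS).items():
        print(f"{section}: {items}")
```

On the sample input the audit reports `_ga` as a cookie that needs consent and `KartrisCulture` as missing the Secure attribute; the remaining four cookies pass. One caveat on the SameSite check: if the payment gateway returns the customer to the shop by a cross-site POST (as some 3-D Secure flows do), a session or authentication cookie marked SameSite=Lax or Strict is not sent on that request, so test a full checkout after tightening the attribute.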
In a standard installation Kartris sets only strictly necessary first party cookies: an ASP.NET session cookie (ASP.NET_SessionId), an authentication cookie when the customer signs in (typically .ASPXAUTH), an anti CSRF token, a culture or language cookie and a basket identifier for guests. The SQL Server database stores order data, customer accounts, shipping and billing addresses, optional newsletter opt ins and payment references. Payment card numbers are normally not stored in Kartris itself: the platform delegates card capture to PCI compliant gateways such as SagePay, Stripe, Worldpay or Authorize.Net using tokenised hosted fields. No behavioural analytics or marketing data is collected unless the merchant adds a third party module.
Does a Kartris shop need a cookie consent banner? No, not for the core platform. The cookies that Kartris sets by default are strictly necessary to provide the service the visitor has requested (browsing the shop, adding products to a basket, signing in, checking out), so they fall within the consent exemption of Article 5(3) of the ePrivacy Directive. The CNIL, the BfDI and the AEPD all recognise this exemption for session, basket and authentication cookies. Consent is required only for optional modules that the merchant chooses to install on top of Kartris, for example a web analytics tag, an advertising pixel, a chat widget or a recommendation engine. Those must remain blocked until the user opts in.
The Kartris core processing splits across two legal bases. Order processing, account management and the related cookies rely on contract performance under Article 6(1)(b) GDPR, because the visitor cannot complete a purchase without basket persistence, authentication and storage of shipping data. Fraud detection, abuse prevention, server logs and security event collection rely on legitimate interest under Article 6(1)(f) GDPR. Marketing emails sent through Kartris's built-in newsletter feature require Article 6(1)(a) GDPR consent and compliance with Article 13 of the ePrivacy Directive (regulation 22 PECR in the UK) or the equivalent national rule. Optional analytics and advertising layered on top of Kartris also require consent.
Does Kartris transfer personal data outside the EEA? Not by itself. Kartris is open source software that the merchant compiles and runs on its own Microsoft IIS server. Personal data flows go to whichever hosting provider, payment gateway and email service the merchant has chosen. CACTUSOFT, the publisher based in Switzerland, does not receive customer data unless the merchant subscribes to a paid support or hosting contract. Switzerland benefits from a European Commission adequacy decision, so a transfer to a Swiss support team would in any case not be a third country transfer requiring SCCs. If the merchant connects Kartris to US analytics, US email tools or US payment providers, those specific flows raise Schrems II questions for those providers, not for Kartris itself.
For a standard Kartris store with strictly necessary cookies, EU hosting and conventional payment gateways, a formal DPIA under Article 35 GDPR is generally not required. The processing is contractual, limited in scope and supported by a clear legal basis. A DPIA becomes appropriate when the merchant adds profiling features, large scale loyalty schemes, behavioural analytics, marketing automation, third country payment providers, or when the catalogue includes items with potentially sensitive inferences (health, political, ethnic background). The DPIA should describe data categories, retention, database security, access controls and the third party modules that have been added on top of the platform.
Document Kartris in the record of processing activities. Encrypt the SQL Server database at rest and the customer traffic in transit with TLS 1.2 or 1.3. Restrict admin access by IP allow list and require multi factor authentication on the back office. Define a retention policy on orders, addresses and accounts aligned with national tax and consumer law. Patch Kartris and IIS regularly and subscribe to the project security advisories. Back up the database and test restores. If you add any optional analytics, advertising or chat module, integrate a CMP that blocks those tags until consent is recorded and update the privacy and cookie notices accordingly.
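The hardening steps listed here and in the earlier checklist (TLS only, cookies never sent in clear, admin access restricted by IP) mostly land in the Kartris web.config. The following is an added example, not Kartris or CACTUSOFT code: it embeds a weak and a hardened web.config fragment, both constructed for the example, and a small checker that reports which of those settings are missing. It assumes (not stated on the page) that Kartris runs on ASP.NET 4.7.2 or later, where httpCookies, forms and sessionState accept the sameSite and cookieSameSite attributes, that the IIS "IP and Domain Restrictions" feature is installed with the ipSecurity section unlocked in applicationHost.config so that a web.config scoped to the admin folder may use it, that the back office lives under a folder named Admin, and that 203.0.113.10 stands in for the office address.

```python
"""Check a Kartris web.config for transport and cookie hardening.

Added example, not Kartris or CACTUSOFT code. The two fragments below are
constructed; the folder name "Admin", the login URL and the allow-listed IP
address are assumptions for the example.
"""
import xml.etree.ElementTree as ET

# Weak: cookies may travel over plain HTTP, no SameSite, back office open to all.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>
"""

# Hardened: Secure + HttpOnly on all cookies, SameSite=Lax on the session and
# forms auth cookies, and an IP allow list on the admin folder (requires the
# ipSecurity section to be unlocked in applicationHost.config).
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Lax" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30"
             requireSSL="true" cookieSameSite="Lax" />
    </authentication>
    <sessionState cookieSameSite="Lax" />
  </system.web>
  <location path="Admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def _attr(root, path, name):
    """Return attribute `name` of the first element at `path`, or None."""
    el = root.find(path)
    return None if el is None else el.get(name)


def check_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _attr(root, "system.web/httpCookies", "requireSSL") != "true":
        findings.append("httpCookies: requireSSL is not true (cookies may be sent over plain HTTP)")
    if _attr(root, "system.web/httpCookies", "httpOnlyCookies") != "true":
        findings.append("httpCookies: httpOnlyCookies is not true")
    if _attr(root, "system.web/authentication/forms", "requireSSL") != "true":
        findings.append("forms: requireSSL is not true (.ASPXAUTH may be sent over plain HTTP)")
    if _attr(root, "system.web/authentication/forms", "cookieSameSite") not in ("Lax", "Strict"):
        findings.append("forms: cookieSameSite is not Lax or Strict")
    if _attr(root, "system.web/sessionState", "cookieSameSite") not in ("Lax", "Strict"):
        findings.append("sessionState: cookieSameSite is not Lax or Strict")
    ip = root.find("location[@path='Admin']/system.webServer/security/ipSecurity")
    if ip is None or ip.get("allowUnlisted") != "false":
        findings.append("Admin: no IP allow list (ipSecurity allowUnlisted='false' missing)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_web_config(cfg) or "OK")
```

Run it against the real web.config before and after the change. Two caveats: with requireSSL="true" on forms authentication, any attempt to issue the ticket over plain HTTP throws, so redirect all HTTP traffic to HTTPS first; and SameSite=Lax on the session and authentication cookies drops them on a cross-site POST, so test the full payment return path of your gateway after enabling it.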
For merchants who prefer not to maintain a Microsoft IIS stack, EU friendly e-commerce alternatives include WooCommerce on managed European hosting, PrestaShop (French open source platform), Magento / Adobe Commerce (with the EU data residency option), Shopware (German), Sylius (French), OpenCart, Drupal Commerce and Saleor. SaaS platforms like Shopify, BigCommerce and Wix run mostly on US infrastructure and require a Schrems II analysis. The right choice depends on the in house technical stack, the catalogue size, the integration ecosystem and the merchant's ability to host or to outsource hosting.
In the privacy notice, identify your company as the data controller, state that the shop runs on Kartris (open source software by CACTUSOFT) self hosted on your infrastructure, list the categories of customer data (identity, contact, shipping, order, payment reference), give the legal bases (contract, legitimate interest, consent for marketing), the retention period, the rights mechanism and the contact for data protection. In the cookie notice, list each Kartris cookie by name (ASP.NET_SessionId, .ASPXAUTH, basket id, anti CSRF, culture) marked as strictly necessary, and list separately any optional cookies set by third party modules with their purpose, duration and consent state.