Lemon Squeezy is a US based merchant of record (MoR) payment platform built for SaaS, software, ebooks and digital products. Acquired by Stripe in 2024, it lets sellers outsource billing, EU VAT, refunds, fraud prevention and chargebacks. The hosted checkout overlay is loaded from lemonsqueezy.com via lemon.js, sets non strictly necessary first party cookies and routes payments through Stripe. EU sellers should gate the overlay behind consent and document the US transfer with SCCs and the Data Privacy Framework.
Lemon Squeezy is a US based merchant of record (MoR) payment platform incorporated as Lemon Squeezy LLC in Pennsylvania, and acquired by Stripe Inc. in 2024. It targets SaaS, software vendors, indie hackers, ebook authors and any creator selling digital products that require global tax handling. As MoR, Lemon Squeezy is the legal seller on the invoice, collects EU VAT and other sales taxes, handles refunds, chargebacks and fraud prevention, and remits the net revenue to the seller.
Sellers integrate Lemon Squeezy with the hosted checkout link, the Lemon.js overlay (a checkout iframe over their own site) or the API. License keys, file downloads, subscriptions and affiliate management are built in.
On the seller's site, lemon.js is fetched from assets.lemonsqueezy.com. Once the overlay opens, an iframe to app.lemonsqueezy.com sets first party Lemon Squeezy cookies (ls_session, ls_csrf, ls_risk and an attribution cookie) and Cloudflare bot management cookies. Stripe is used as the underlying payment processor and adds __stripe_mid, __stripe_sid and m on the checkout iframe. Lemon Squeezy's own dashboard and marketing site use Google Analytics 4, Crisp Chat and HubSpot.
Loading the Lemon.js overlay sets non strictly necessary cookies before the visitor takes any action, which triggers Art. 5(3) ePrivacy and requires prior consent in the EU. On the hosted checkout itself, strictly necessary cookies needed to complete the purchase rely on contract performance and are exempt from prior consent. As MoR, Lemon Squeezy is a separate controller for the invoicing and tax data and a processor for the seller's customer base.
For EU visitors, the cleanest pattern is to redirect to the hosted checkout link until consent is given in your CMP, then load lemon.js after the visitor has accepted the functional or marketing category. Sellers that want the overlay to open instantly can rely on a CMP with auto blocking and document the consent flow.
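The gating pattern described above, as an added example (not Lemon Squeezy's or any CMP's own code): checkout links stay ordinary links to the hosted checkout, and lemon.js is injected only once the CMP reports the functional or marketing category. The script path, the category names and the `onConsent` callback shape are assumptions; wire `onConsent` to whatever consent-change hook your CMP provides.

```javascript
// Added example: consent gate for the Lemon.js overlay.
// Assumed: script path, category names, and the CMP callback shape.
const ALLOWED_HOSTS = ["assets.lemonsqueezy.com"]; // host the page names for lemon.js
const LEMON_SRC = "https://assets.lemonsqueezy.com/lemon.js"; // assumed path

function createLemonGate(doc, opts = {}) {
  const src = opts.src || LEMON_SRC;
  const categories = opts.categories || ["functional", "marketing"];
  const url = new URL(src);
  // Refuse a misconfigured source so the gate can only ever inject lemon.js.
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.includes(url.hostname)) {
    throw new Error("lemon.js source not on allowlist: " + src);
  }
  let injected = false;

  return {
    // Call from the CMP's consent-change callback with the accepted categories.
    // Returns "loaded", "already-loaded", "blocked" or "reload-needed".
    onConsent(accepted) {
      const granted = categories.some((c) => accepted.includes(c));
      if (!granted) {
        // A script that already ran cannot be unloaded; the page must reload
        // so checkout links fall back to plain navigation.
        return injected ? "reload-needed" : "blocked";
      }
      if (injected) return "already-loaded";
      const el = doc.createElement("script");
      el.src = src;
      el.defer = true;
      doc.head.appendChild(el);
      injected = true;
      return "loaded";
    },
  };
}
```

In a browser, pass `document` as `doc`; no request to the Lemon Squeezy or Stripe hosts leaves the page until `onConsent` returns "loaded".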
Lemon Squeezy processes EU customer data on AWS US East. The DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and the UK IDTA, and the company is self certified under the EU US Data Privacy Framework. Following the Stripe acquisition, Stripe's sub processor list and adequacy documentation apply.
Sign the Lemon Squeezy DPA from the seller dashboard. Gate the Lemon.js overlay behind a CMP. List Lemon Squeezy (Lemon Squeezy LLC) and Stripe in your privacy notice and Article 30 record, document the US transfer with SCCs and DPF, and update your terms so refunds and VAT receipts go through Lemon Squeezy as merchant of record.
Websites using Lemon Squeezy must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for a standard SaaS subscription sold through Lemon Squeezy. It can become relevant when the seller combines Lemon Squeezy with extensive customer profiling, behavioural pricing, regulated industry data or special category data tied to subscription tiers.
Sample consent text
Sales on this site are powered by Lemon Squeezy (Lemon Squeezy LLC, a Stripe company, United States), our merchant of record. The Lemon.js overlay sets functional and analytics cookies, opens an iframe to lemonsqueezy.com and routes payments through Stripe. International transfers to the US are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
- lemonsqueezy.com
- app.lemonsqueezy.com
- assets.lemonsqueezy.com
- js.stripe.com
- q.stripe.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ls_session | third_party | 2 weeks | Lemon Squeezy functional session cookie set on app.lemonsqueezy.com to keep an in progress checkout and the buyer's session. |
| ls_csrf | third_party | Session | CSRF protection token for the Lemon Squeezy checkout form. |
| ls_risk | third_party | 30 minutes | Fraud risk score cookie used by Lemon Squeezy and Stripe to assess the transaction during the checkout. |
| ls_attribution | third_party | 6 months | Attribution cookie used to track which seller link or affiliate brought the buyer to the Lemon Squeezy checkout. |
| __stripe_mid | third_party | 1 year | Stripe machine identifier loaded during the Lemon Squeezy Stripe checkout step for fraud prevention. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier loaded during the Lemon Squeezy Stripe checkout step for fraud detection. |
Lemon Squeezy uses cookies for user preferences — inform visitors with a consent banner.
When the Lemon.js overlay opens, it sets first party Lemon Squeezy cookies on app.lemonsqueezy.com (ls_session, ls_csrf, ls_risk and an attribution cookie) and Cloudflare bot management cookies. The Stripe checkout step adds __stripe_mid, __stripe_sid and m.
Yes. The overlay loads non strictly necessary cookies before any visitor action, so Art. 5(3) ePrivacy requires prior consent in the EU. Use a CMP to gate lemon.js and rely on a static link to the hosted checkout until consent is given.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the overlay cookies. Contract performance (Art. 6(1)(b)) for the purchase on the hosted checkout. Legal obligation (Art. 6(1)(c)) for EU VAT collection and tax record keeping, since Lemon Squeezy is the merchant of record.
Yes. Lemon Squeezy is established in the United States and processes EU customer data on AWS US East. Transfers are covered by the EU Standard Contractual Clauses and the EU US Data Privacy Framework. Stripe applies its own SCCs and DPF for the payment step.
Standard SaaS billing through Lemon Squeezy does not normally require a DPIA. It can become appropriate when Lemon Squeezy is combined with extensive customer profiling, regulated industries or special category data tied to subscription tiers.
Sign the DPA, gate the overlay behind a CMP, list Lemon Squeezy and Stripe in your privacy notice and Article 30 record, document the US transfer with SCCs and DPF and update your terms so refunds and VAT receipts go through Lemon Squeezy.
Other merchant of record platforms include Paddle (UK), FastSpring (US with DPF), 2Checkout / Verifone (US and EU) and Gumroad (US with DPF). Non MoR EU friendly options include Stripe Billing (Ireland), Mollie subscriptions (Netherlands), Adyen subscriptions (Netherlands) and Chargebee Billing.
List the Lemon Squeezy and Stripe cookies in your cookie policy. In your privacy notice describe Lemon Squeezy as your merchant of record, the overlay, the iframe to lemonsqueezy.com, the US transfer with SCCs and DPF and the role of Stripe as the underlying payment processor.