Lightspeed eCom is a cloud ecommerce platform operated by Lightspeed Commerce. European stores are hosted on AWS Ireland. The shopfront sets strictly necessary session and cart cookies, while marketing tags installed from the Lightspeed App Store require consent under ePrivacy.
Lightspeed eCom is a cloud ecommerce platform operated by Lightspeed Commerce Inc., headquartered in Montreal, Canada. The platform combines a hosted storefront, a catalog manager, the back office for order processing and an App Store of integrations (analytics, advertising, payment, shipping). European merchants are typically provisioned on AWS Ireland for content storage and the application stack. Stores are reachable on a customer subdomain (mystore.webshopapp.com) or a custom domain.
By default, the Lightspeed storefront sets a PHP session cookie, a cart identifier, a CSRF token and a CDN load-balancing cookie. These are strictly necessary for the cart and checkout to work. The merchant back office uses its own authentication cookies on admin.merchantos.com. Marketing cookies such as Google Ads, Meta Pixel, Klaviyo or TikTok Pixel appear only when the merchant installs the corresponding app from the Lightspeed App Store and configures it on the theme.
Strictly necessary cart and session cookies fall under the Article 5(3) ePrivacy carve-out and do not require prior consent. Any optional analytics or advertising cookie added through the App Store requires opt-in consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR. The merchant is the controller for all customer data processed in the shop. Lightspeed Commerce is the processor under Article 28 GDPR, with a DPA available in the merchant agreement.
European stores are hosted on AWS Ireland, which keeps order data in the EEA. Lightspeed Commerce Inc. itself operates from Canada, which benefits from an adequacy decision. Support, billing and marketing tooling use additional US providers (Segment, HubSpot, Intercom, Stripe) covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. The optional Lightspeed marketing apps may transfer behavioral data to US platforms when installed.
Install a consent management platform that integrates with the Lightspeed theme to gate Google Ads, Meta Pixel, Klaviyo and other marketing scripts. Sign the Lightspeed DPA. Document the processor in your record of processing activities with the AWS Ireland region, the order retention period and the list of installed apps. Configure shopper data retention and deletion flows. For shops in Germany, France, Spain and the rest of the EU, the consent banner must operate before any cookie that is not strictly necessary is set.
Websites using Lightspeed eCom must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Lightspeed eCom stores that activate behavioral marketing tags (Google Ads, Meta Pixel, TikTok Pixel, Klaviyo) because they enable profiling of shoppers. Document the legal basis for each tag, the EU US data transfer triggered by Meta and Google, the retention period for cart and order data, and the integration with a consent management platform.
Sample consent text
This shop is powered by Lightspeed eCom. Lightspeed sets a session and cart cookie that is strictly necessary for the checkout to work. Additional marketing cookies (Google Ads, Meta Pixel, Klaviyo) are activated only after you accept them in the consent banner.
Third-party domains contacted
lightspeedhq.com
webshopapp.com
shoplightspeed.com
admin.merchantos.com
d2cnel0prk94o2.cloudfront.net
static.webshopapp.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first-party | Session | PHP session cookie used by the Lightspeed storefront to maintain the shopper context across pages. Strictly necessary. |
| cartid | first-party | Up to 30 days | Cart identifier used to persist the basket between visits. Strictly necessary for ecommerce functionality. |
| lightspeed_session | first-party | Session | Lightspeed session identifier used by the storefront framework. Strictly necessary. |
| AWSALB | first-party (AWS Application Load Balancer) | 7 days | AWS load balancer cookie that routes requests to the same backend instance during a session. Strictly necessary for performance. |
| XSRF-TOKEN | first-party | Session | Cross site request forgery token used to protect state changing operations like checkout. Strictly necessary. |
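
A pre-consent cookie check built from the table above, added here as an example and not Lightspeed's or this page's own code: it parses captured `Set-Cookie` headers and reports any cookie that is missing from the strictly necessary list or outlives its documented duration. The sample headers, including the `_fbp` marketing cookie and all values, are constructed.

```javascript
const DAY = 86400;
// Names and maximum lifetimes in seconds, from the "Cookies placed" table (0 = session).
const STRICTLY_NECESSARY = new Map([
  ['PHPSESSID', 0], ['cartid', 30 * DAY], ['lightspeed_session', 0],
  ['AWSALB', 7 * DAY], ['XSRF-TOKEN', 0],
]);

// Parse one Set-Cookie value into { name, lifetime }; lifetime is null for a session cookie.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    if (i === -1) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, i).trim().toLowerCase();
    const val = attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) {
      expires = Math.round((Date.parse(val) - now) / 1000);
    }
  }
  return { name, lifetime: maxAge !== null ? maxAge : expires }; // Max-Age wins over Expires
}

// Report cookies set before consent that the table does not cover.
function auditPreConsent(headers, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetime } = parseSetCookie(header, now);
    const limit = STRICTLY_NECESSARY.get(name);
    if (limit === undefined) {
      findings.push({ name, issue: 'not in strictly necessary list' });
    } else if (limit === 0 && lifetime !== null && lifetime > 0) {
      findings.push({ name, issue: 'persistent but documented as session' });
    } else if (limit > 0 && lifetime !== null && lifetime > limit) {
      findings.push({ name, issue: 'lifetime exceeds documented duration' });
    }
  }
  return findings;
}

// Constructed sample: headers as captured on a first page load, before any banner click.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; Secure; HttpOnly',
  'cartid=42; Max-Age=2592000; Path=/',
  'AWSALB=xyz; Max-Age=604800; Path=/',
  '_fbp=fb.1.1.1; Max-Age=7776000; Path=/',
  'XSRF-TOKEN=t0k3n; Max-Age=31536000; Path=/',
];
console.log(auditPreConsent(SAMPLE_HEADERS));
```

An empty result on a fresh visit means the banner is gating installed marketing apps as intended; any finding is also an entry missing from the cookie disclosure.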
Lightspeed eCom uses cookies for user preferences — inform visitors with a consent banner.
Yes. The Lightspeed storefront sets a PHP session cookie, a cart identifier, a CSRF token and a load balancing cookie. These are strictly necessary for the cart and checkout. Marketing cookies (Google Ads, Meta Pixel, Klaviyo) only appear if the merchant installs the corresponding app from the Lightspeed App Store.
No consent is required for the strictly necessary cart and session cookies. Optional analytics and advertising cookies installed via the App Store require prior opt in consent under Article 5(3) ePrivacy.
Article 6(1)(b) GDPR (performance of a contract) for order processing, Article 6(1)(f) (legitimate interest) for the strictly necessary storefront cookies, Article 6(1)(a) (consent) for any optional marketing tag. The merchant is the controller, Lightspeed Commerce is the processor with a DPA.
European stores are hosted on AWS Ireland, keeping order data in the EEA. Lightspeed Commerce operates from Canada with an EU adequacy decision. Marketing apps that connect Google Ads, Meta or TikTok will transfer behavioral data to the US, covered by SCCs and the EU US Data Privacy Framework.
A DPIA is recommended when marketing apps that profile shoppers are installed (Meta Pixel, Google Ads, TikTok Pixel, Klaviyo). It is also useful when the shop processes large volumes of orders or stores additional personal data through custom fields.
Install a consent management platform that integrates with the Lightspeed theme, gate marketing tags behind consent, sign the Lightspeed DPA, document the AWS Ireland region in your RoPA, configure order retention and customer deletion flows, and ensure all installed marketing apps respect consent signals.
Other ecommerce platforms include Shopify, BigCommerce, WooCommerce, PrestaShop (France), Shopware (Germany), Sylius (open source), Saleor (open source), Magento, Wix, Squarespace and Centra (Sweden).
List the strictly necessary storefront cookies (session, cart, CSRF, load balancing) with their purpose and duration in the cookie disclosure. Add an entry for each marketing app installed (Google Ads, Meta Pixel, Klaviyo, TikTok Pixel) with retention and EU US transfer information. Update whenever a new app is installed.