Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Merchello is an open source e commerce extension for the Umbraco content management system, released under the MIT licence. It adds product catalogues, baskets, checkout flows, order management and payment gateway integrations to an existing Umbraco site. Merchello runs entirely inside the merchant Umbraco installation: it does not phone home, does not send telemetry to a vendor cloud and does not set third party cookies. The privacy footprint is limited to the strictly necessary cart and session cookies that the merchant Umbraco site issues.
Merchello is an open source e commerce package for the Umbraco content management system, released under the MIT licence and maintained by the community on GitHub. It turns a standard Umbraco site into an online shop by adding product types, catalogues, customer accounts, shopping baskets, multi step checkout, order processing, taxes, discounts and pluggable payment gateways. The package is installed as a NuGet dependency in the merchant Umbraco solution and runs entirely on the merchant ASP.NET application server. There is no Merchello cloud, no central licensing call, no analytics beacon.
Merchello processes the customer data needed to fulfil an order: full name, billing and shipping address, email, phone, order history and, where applicable, a tokenised payment reference returned by the chosen gateway. It does not store full card numbers when a PCI compliant gateway is used. In the browser, Merchello relies on a small set of strictly necessary cookies issued by the merchant Umbraco application: an ASP.NET session identifier, a basket key, an antiforgery token and an authentication cookie if the visitor signs in. No third party tracking cookie is set by Merchello itself.
The merchant is the GDPR data controller, Merchello is software running on the controller infrastructure rather than a processor in the meaning of Art. 28 GDPR. Cart and checkout cookies fall within the strictly necessary exemption of Art. 5(3) of the ePrivacy Directive because they are required to deliver the service explicitly requested by the customer. CNIL guidelines on cookies (recommendation of 2020), § 25(2) TDDDG in Germany and the AEPD Guía de Cookies in Spain all confirm that no consent banner is needed for these technical cookies.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The legal basis for processing customer data through Merchello is performance of a contract under Art. 6(1)(b) GDPR, complemented by compliance with a legal obligation under Art. 6(1)(c) for tax, invoicing and consumer protection records. Marketing emails, abandoned basket recovery, cross device tracking and analytics that the merchant might bolt on through additional Umbraco packages do require separate consent under Art. 6(1)(a) GDPR. The privacy notice must clearly separate purchase processing from marketing.
Because Merchello is self hosted, transfers depend on where the merchant runs the Umbraco application and database. Hosting in Azure West Europe, AWS Frankfurt or a European managed Umbraco host such as Umbraco Cloud (Microsoft Azure EU regions) keeps the data inside the EEA. If the merchant chooses a US region, Schrems II safeguards apply: Standard Contractual Clauses with the hosting provider and reliance on the EU US Data Privacy Framework where the provider is certified. Payment, email and shipping integrations must be reviewed individually for their own transfer regime.
Document Merchello in the Art. 30 record of processing activities as part of the e commerce activity. List the strictly necessary cookies in the privacy notice without asking for consent. Configure data retention so that orders are kept for the statutory accounting period (commonly ten years in the EU) and customer accounts inactive for two years are anonymised. Sign data processing agreements with the hosting provider, the payment gateway, the email transactional provider and the shipping carrier. Apply standard ASP.NET security hardening, log access to the back office and implement a clear data subject rights workflow.
Websites using Merchello must obtain user consent under GDPR regulations.
DPIA considerations
A full Data Protection Impact Assessment under Art. 35 GDPR is generally not required for Merchello itself because the processing is limited to running an online shop on infrastructure controlled by the merchant. The Art. 30 record of processing activities should describe the categories of customer data (identity, address, order history, payment tokens), the retention periods aligned with accounting law, the technical and organisational security measures applied to the Umbraco database, and the data processing agreements signed with hosting providers and payment gateways used alongside Merchello.
Sample consent text
Our online shop runs on Merchello, an open source e commerce extension for Umbraco hosted on our own servers. To process your order we use strictly necessary cookies that store your basket, your authentication session and your checkout progress. These cookies do not require consent under the ePrivacy Directive. We never send your shopping data to Merchello or to any third party advertiser without a separate consent.
Third-party domains contacted
merchello.comour.umbraco.comgithub.comwww.nuget.orgCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ASP.NET_SessionId | Session | Session | Standard ASP.NET session identifier used by the Umbraco application to associate the visitor with their server side basket and checkout state. |
| merchello.basket | Persistent | 30 days | First party cookie that stores the visitor basket key so an unauthenticated customer can return to the site and find the items they had selected. |
| __RequestVerificationToken | Session | Session | Antiforgery token issued by ASP.NET to protect Merchello forms (add to basket, checkout, account) against cross site request forgery attacks. |
| UMB_UCONTEXT | Session | Session | Authentication cookie set when a registered customer or back office user signs in, used by Umbraco identity to keep the session. |
| merchello.customer | Persistent | 1 year | First party cookie that stores the anonymous customer key used by Merchello to attach an order, address book entry or wishlist to a returning visitor. |
Merchello uses cookies for user preferences — inform visitors with a consent banner.
Merchello processes the customer data needed to fulfil an order: name, billing and shipping address, email, phone, order history and a tokenised payment reference when a PCI compliant gateway is used. In the browser it relies on the standard ASP.NET session identifier, a basket key, an antiforgery token and an authentication cookie if the visitor logs in. These cookies are first party, set by the merchant Umbraco application. Merchello does not phone home, does not send telemetry to a vendor cloud and does not set third party tracking cookies.
No. The cart, session, antiforgery and login cookies set by a Merchello powered Umbraco site fall under the strictly necessary exemption of Art. 5(3) of the ePrivacy Directive because they are required to deliver the online shop service explicitly requested by the visitor. The CNIL cookie recommendation of 2020, § 25(2) TDDDG in Germany and the AEPD Guía de Cookies confirm this position. Consent is only required for additional marketing, analytics or personalisation cookies the merchant might add alongside Merchello.
Performance of the sales contract under Art. 6(1)(b) GDPR is the primary basis for order processing. Art. 6(1)(c) (legal obligation) covers retention of invoices and accounting records. Art. 6(1)(f) (legitimate interest) supports fraud prevention and basic security logging. Art. 6(1)(a) (consent) is needed for marketing emails, loyalty profiling and personalised advertising. The merchant should document each purpose, basis and retention period in the Art. 30 record of processing activities and reflect them in the privacy notice.
Merchello itself does not transfer data to third countries since it runs on the merchant servers. Transfers depend on the merchant choices: hosting provider, payment gateway (Stripe, Braintree, PayPal often involve US transfers), email provider (Mailgun, SendGrid), shipping carrier APIs, and any analytics or marketing tool added separately. Each of these must be reviewed under Chapter V GDPR with Standard Contractual Clauses or reliance on the EU US Data Privacy Framework, and a Transfer Impact Assessment where applicable.
A formal DPIA under Art. 35 GDPR is generally not required for a Merchello shop that processes standard customer data on a moderate scale. It becomes recommended if the merchant deals with large volumes, special category data (for example a pharmacy or health store), automated decision making (credit scoring, fraud rules that block users) or large scale cross border transfers. The Art. 30 record of processing activities is mandatory and should map each Merchello dependency, processor and retention period.
Host the Umbraco application and database in an EU region you control. Apply ASP.NET hardening, enforce HTTPS, hash passwords with Identity, lock down the back office to a VPN or IP allowlist and patch Umbraco and Merchello dependencies regularly. Configure cart and account retention policies and run a nightly cleanup job. Sign data processing agreements with the hosting provider, payment gateway, transactional email vendor and shipping carrier. Publish a privacy notice and a clear data subject rights workflow.
Open source e commerce alternatives that integrate well with .NET and headless CMS include nopCommerce, Sitecore OrderCloud, SmartStore, Optimizely Commerce and Sana Commerce for the Microsoft stack, and PrestaShop, WooCommerce, Sylius or Saleor for PHP and Python or JavaScript stacks. Cloud SaaS options include Shopify, BigCommerce and Centra. Each carries different hosting, data residency and transfer profiles, so the choice should weigh data control, EU hosting availability, third party dependencies and the operational team capacity.
The cookie policy should list the strictly necessary cookies that Umbraco issues for the Merchello shop: ASP.NET session, basket key, antiforgery, authentication. State the name, purpose, type (session or persistent), duration and the fact that consent is not required because these cookies are necessary for the online shop service. Add a separate section for any analytics, marketing or personalisation cookies bolted on the shop and gate them behind a granular consent banner. Update the policy whenever you change payment, shipping or marketing providers.