Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Mginex is a cloud-hosted online store builder used to launch e-commerce sites with a built-in cart, checkout and admin back office. Its servers are located in the CIS region, most likely the Russian Federation. The platform sets functional cookies for session and shopping cart, plus optional analytics. EU merchants must obtain consent for non-essential cookies and address the international transfer to a non-adequate country.
Mginex is a cloud-hosted online store builder used to launch and operate e-commerce websites without managing infrastructure. The merchant signs up on Mginex, picks a template, configures products, taxes and shipping rules, then connects a custom domain. The storefront, the cart, the checkout and the admin back office are all delivered by Mginex servers, which means the platform is in the data path for every page view and every order.
Public-facing pages run on the merchant domain via Mginex hosting, while account management, order history and admin tasks happen on Mginex application servers. According to Wappalyzer and the platform documentation, the infrastructure is operated from the CIS region, most likely from inside the Russian Federation. This shapes both the legal qualification of the processing and the international transfer assessment that a European operator has to carry out.
Mginex sets a small set of strictly necessary cookies: a session identifier, the cart payload, a CSRF token and an authentication cookie for logged-in customers. These cookies are required to deliver the service the visitor requested and fall under the ePrivacy strict necessity exemption. Beyond cookies, Mginex stores customer accounts, addresses, order history, product views and basic behavioural data used to optimise the storefront.
In addition, the platform offers an optional analytics layer that loads a script from Mginex infrastructure and sets an analytics cookie capturing pages viewed, time on page, conversion funnels and aggregated user journeys. This analytics layer is not strictly necessary and therefore requires prior consent on EU-facing sites. The same logic applies to any marketing pixel that the merchant chooses to wire to Mginex audiences.
Mginex acts as a processor for the merchant on order data and customer accounts, and as an independent or joint controller for platform-level analytics and product telemetry. A signed data processing agreement is mandatory, and the merchant must add Mginex to the record of processing activities and to the privacy notice with a clear description of the purposes. Customers must be able to exercise their access, erasure, rectification and portability rights against the merchant, which means the merchant must verify that Mginex offers operational tooling for those requests.
Under Article 5(3) ePrivacy, analytics cookies must be blocked until the visitor opts in via a compliant consent banner. The strictly necessary cart, session, CSRF and authentication cookies can be loaded by default. Pre-ticked boxes and dark patterns are prohibited, and reject must be at least as easy as accept.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Because Mginex servers are located in the CIS region, most likely in the Russian Federation, transfers from the EEA require Article 46 safeguards. The Standard Contractual Clauses adopted in 2021 are the most common mechanism, accompanied by a Transfer Impact Assessment that evaluates lawful access risk under local legislation and the effectiveness of supplementary measures such as encryption in transit, encryption at rest and pseudonymisation of customer identifiers.
Russian Federal Law 152-FZ also imposes local storage of personal data of Russian residents, which can affect how Mginex segments its databases and processes erasure requests from EU customers. Following Schrems II, European data protection authorities expect the controller to demonstrate that residual risk is low after technical and organisational measures, or to choose an alternative if it is not.
Given that analytics processing and transfers to a non-adequate country are involved, a DPIA is recommended. It should map the data categories (account data, order data, behavioural data), the actors (merchant, Mginex, payment processors, shipping providers), the retention periods and the transfer chain. The consent banner should describe the analytics scripts, the cookies they set and the destination country, and must offer a granular choice between strictly necessary and analytics categories.
Concretely: keep cart and authentication cookies active by default, gate Mginex analytics and any marketing pixel behind the consent banner, sign and archive the data processing agreement, complete the Transfer Impact Assessment and reference it in your records of processing activities. List Mginex and its destination country explicitly in the cookie table and the privacy notice. If residual risk stays high, evaluate EU-hosted store builders such as Shopify with EU data residency, Shopware Cloud (Germany), PrestaShop on EU hosting, or BigCommerce with EU regions.
Websites using Mginex must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended. Mginex hosts the entire storefront and admin, so it processes customer accounts, addresses, orders, behavioural analytics and payment metadata. The DPIA should map data categories, retention, recipients in the CIS region, lawful access risk under Russian law, supplementary measures and the proportionality of the transfer compared with an EU-hosted store builder.
Sample consent text
We run this store on Mginex, which hosts our site on servers located in the CIS region, primarily the Russian Federation. Strictly necessary cart and login cookies are always active. Analytics cookies that help us understand site usage are only set if you click Accept. You can Reject them or change your choice at any time from the cookie preferences page.
Third-party domains contacted
mginex.comcdn.mginex.comadmin.mginex.comanalytics.mginex.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mginex_sid | Strictly necessary | Session | Server-side session identifier used to maintain browsing context across page loads. |
| mginex_cart | Strictly necessary | 30 days | Stores the cart contents so the visitor can return and complete the order without losing items. |
| mginex_auth | Strictly necessary | 30 days | Authentication cookie for logged-in customer accounts. |
| mginex_csrf | Strictly necessary | Session | Anti-CSRF token protecting form submissions in the storefront and the admin. |
| mginex_pref | Functional | 6 months | Stores language, currency and display preferences chosen by the visitor. |
| mginex_an | Analytics | 12 months | Aggregated analytics identifier used to measure traffic, conversion and merchandising performance. |
Mginex uses cookies for user preferences — inform visitors with a consent banner.
Mginex sets strictly necessary cookies for session, cart, authentication and CSRF protection, a functional cookie for language and display preferences, and an analytics cookie when the optional measurement layer is enabled. Only strictly necessary cookies can be loaded before consent; functional preferences and analytics require an opt-in on EU-facing sites.
Yes, for the optional analytics layer and any non-essential functional cookie. Strictly necessary cart, session, CSRF and authentication cookies fall under the ePrivacy exemption and can be set by default. The consent banner must mention the analytics scripts, the cookies they place and the destination country.
Order data and customer accounts rely on performance of the contract (Article 6(1)(b) GDPR). Strictly necessary cookies rely on the same basis combined with the ePrivacy exemption. Functional preferences and analytics rely on consent (Article 6(1)(a) GDPR), and accounting retention rests on a legal obligation (Article 6(1)(c)).
Mginex hosts data in the CIS region, most likely the Russian Federation, a country without an EU adequacy decision. Transfers from the EEA require Article 46 safeguards (Standard Contractual Clauses) and a Transfer Impact Assessment evaluating lawful access risk under local law and the effectiveness of supplementary measures such as encryption and pseudonymisation.
A DPIA is recommended. Mginex hosts the entire storefront and admin, processes customer accounts and behavioural analytics, and transfers data to a non-adequate country. These factors taken together justify a formal Article 35 GDPR assessment of the processing, the transfer chain and the residual risk for data subjects.
Keep strictly necessary cookies running, gate the analytics layer and any marketing pixel behind a compliant CMP, sign the data processing agreement and SCCs, complete the Transfer Impact Assessment, list Mginex in the cookie table and the privacy notice with the destination country, and align retention with operational needs rather than indefinite storage.
Yes. Consider Shopify with EU data residency, Shopware Cloud (Germany), PrestaShop hosted in the EU, BigCommerce with EU regions, WooCommerce on a managed EU host, or Sylius. These options keep storefront, customer data and analytics inside the EEA and avoid the Russia-region transfer risk that dominates the Mginex assessment.
Add a dedicated row in the cookie table for each Mginex cookie (mginex_sid, mginex_cart, mginex_auth, mginex_csrf, mginex_pref, mginex_an), with type, duration and purpose. In the international transfers section, identify the CIS region or the Russian Federation as the destination country, cite the SCCs and reference your Transfer Impact Assessment.