FlowConsent

FlowConsent is a GDPR-compliant cookie consent management platform.

© 2026 FlowConsent by BeBranded. All rights reserved.

Paddle

Related services

24nettbutikk

24nettbutikk is a foundational web service that powers critical website functions and digital experiences. It provides reliable infrastructure, seamless integration capabilities, and consistent performance across all devices and browsers. 24nettbutikk supports modern development practices and scales with growing business needs. With a focus on stability and compatibility, 24nettbutikk ensures your website delivers a smooth, uninterrupted experience to every visitor and search engine crawler.

Preferences

2ClickShop

2ClickShop is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. 2ClickShop integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, 2ClickShop helps organizations maintain robust websites that meet user expectations and technical requirements.

Preferences

4-Tell

4-Tell is a marketing platform that equips businesses with tools to amplify their digital presence and drive customer acquisition. It supports audience segmentation, campaign automation, and cross-channel engagement. 4-Tell provides real-time analytics and reporting dashboards for performance measurement and strategy optimization. By combining data intelligence with marketing execution, 4-Tell helps deliver the right message to the right audience at the right time.

Preferences

42stores

42stores is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. 42stores integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, 42stores helps organizations maintain robust websites that meet user expectations and technical requirements.

Preferences

4Partners

4Partners is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. 4Partners integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, 4Partners helps organizations maintain robust websites that meet user expectations and technical requirements.

Preferences

4Partners CMS

4Partners CMS is a powerful content management system (CMS) designed to help businesses and developers build, manage, and publish digital content with ease. It offers a flexible architecture that supports custom content types, templates, and workflows, making it ideal for websites of any scale. With 4Partners CMS, teams can streamline content creation, improve collaboration, and deliver engaging web experiences. Its extensible plugin ecosystem and API-first approach ensure seamless integration with.

Preferences

What does Paddle do?

Paddle is a UK-based merchant of record (MoR) payment platform widely used by SaaS companies in Europe to outsource billing, EU VAT collection, fraud prevention and reporting. Primary processing happens on AWS EU regions; the UK benefits from an EU adequacy decision. Paddle hosted checkout sets only strictly necessary first-party cookies, and as merchant of record Paddle handles VAT and invoicing on behalf of the seller.

What is Paddle?

Paddle is a UK-based payment platform founded in 2012 in London, operating as a merchant of record (MoR) for software and digital products. Sellers integrate Paddle Checkout or the Paddle Billing API; Paddle then handles card processing, fraud prevention, EU VAT calculation and remittance, invoicing, dunning and chargebacks on behalf of the seller. It is widely used by European SaaS companies to outsource compliance-heavy billing operations.

Cookies and data collected

Paddle processes payment data submitted by the customer (card number, billing address, IP, country for VAT determination), order metadata sent by the seller, risk signals required for fraud prevention and SCA, and the customer email used for receipts and invoices. On the Paddle hosted checkout overlay, only strictly necessary first-party cookies are set: a session cookie, a CSRF token and a small risk score cookie used for fraud prevention. No advertising or behavioural cookies are deployed.

GDPR and ePrivacy implications

For the cookies set on the Paddle checkout, the strict necessity exemption of Art. 5(3) ePrivacy applies. Payment data is processed under contract performance (Art. 6(1)(b) GDPR) and AML, EU VAT and tax record keeping under legal obligation (Art. 6(1)(c)). Because Paddle is the merchant of record, it acts as the controller for parts of the transaction (notably tax compliance and chargebacks) and as a processor for other parts. Update your privacy notice accordingly.

Data transfers and hosting

Paddle.com Market Limited is incorporated in the United Kingdom, which benefits from a European Commission adequacy decision. Primary processing happens on AWS EU regions in Frankfurt and Dublin, with replication to the UK and limited US sub-processors used for fraud prevention and observability. Standard Contractual Clauses are included in the Paddle DPA for any non-adequate transfer.

Practical compliance steps

Sign the Paddle DPA from your dashboard. Mention Paddle as a merchant of record and processor in your privacy notice with the UK adequacy and the EU AWS hosting. Use the hosted Paddle Checkout to limit your PCI DSS scope. Configure SCA and risk rules to comply with PSD2. Define a retention period for transaction metadata aligned with your AML, EU VAT and tax obligations. Document the merchant of record split of responsibilities (taxes, chargebacks, refunds).

GDPR consent category

Preferences

Websites using Paddle must obtain user consent under GDPR regulations.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) for processing payment data necessary to complete a transaction the customer has initiated. Legal obligation (Art. 6(1)(c)) for AML, EU VAT and tax record keeping (Paddle acts as merchant of record). Cookies on the Paddle hosted checkout are strictly necessary and exempt from consent under Art. 5(3) ePrivacy.
Risk level: low
Applicable regulations: GDPR, UK GDPR, ePrivacy Directive 2002/58/EC, PSD2, EU VAT Directive (Council Directive 2006/112/EC), AMLD5, PCI DSS

DPIA considerations

A DPIA is generally not required for standard SaaS subscription billing through Paddle. It may become relevant when combined with extensive customer profiling, cross-border product flows or special category data tied to subscription tiers.

Sample consent text

Payments and invoicing on this site are handled by Paddle (Paddle.com Market Limited, United Kingdom), our merchant of record. Paddle processes your payment data and EU VAT under the contract and legal obligations on EU AWS infrastructure. See our privacy policy for details.

Technical details

Tracking method: merchant of record SaaS payment platform; hosted Paddle Checkout overlay or Paddle Billing API with first-party session and risk cookies on the Paddle hosted pages
Server location: European Union (Paddle.com Market Limited, London, United Kingdom; primary EU processing on AWS regions in Frankfurt and Dublin)
Cookieless tracking available: Yes
Data transferred outside the EU: Paddle.com Market Limited is a UK company. The UK benefits from a European Commission adequacy decision under the GDPR. EU customer data is processed primarily on AWS EU regions (Frankfurt, Dublin) with replication to the UK and limited US sub-processors for fraud prevention. Standard Contractual Clauses are included in the Paddle DPA for any transfer outside the EEA or the UK.

Third-party domains contacted

  • paddle.com
  • checkout.paddle.com
  • cdn.paddle.com
  • buy.paddle.com

Cookies placed

Name | Type | Duration | Purpose
paddle_session | first_party | Session | Strictly necessary session cookie used to maintain the customer session on the Paddle hosted checkout while a payment is in progress.
paddle_csrf | first_party | Session | CSRF protection token used to validate the payment form submission on the Paddle hosted checkout.
paddle_risk | first_party | 30 minutes | Strictly necessary risk score cookie used by Paddle for fraud prevention during the transaction.

Paddle uses cookies for user preferences — inform visitors with a consent banner.

Frequently asked questions

What cookies does Paddle set?

On the Paddle hosted checkout overlay, only strictly necessary first-party cookies are set: a session cookie (paddle_session), a CSRF protection token (paddle_csrf) and a small risk score cookie (paddle_risk) used for fraud prevention during the transaction. Paddle does not set advertising or behavioural cookies.

Do I need consent to use Paddle on my website?

No banner is required to display the Paddle hosted checkout because the cookies in question are strictly necessary under Art. 5(3) ePrivacy. Consent only becomes relevant if you embed optional Paddle marketing components on your own pages, which Paddle does not require by default.

What is the legal basis for processing payment data through Paddle?

Contract performance (Art. 6(1)(b) GDPR) for processing payment data necessary to complete the transaction. Legal obligation (Art. 6(1)(c)) for AML, EU VAT and tax record keeping (Paddle is the merchant of record for those obligations). Strictly necessary cookies on the Paddle checkout rely on Art. 5(3) ePrivacy.

Does Paddle transfer data to third countries?

Paddle.com Market Limited is incorporated in the United Kingdom, which benefits from a European Commission adequacy decision. Primary processing happens on AWS EU regions in Frankfurt and Dublin, with replication to the UK and limited US sub-processors used for fraud prevention and observability. Standard Contractual Clauses are included in the Paddle DPA for any non-adequate transfer.

Do I need a DPIA for Paddle?

Standard SaaS subscription billing through Paddle does not normally require a DPIA. A DPIA may become relevant when combined with extensive customer profiling, cross-border product flows or special category data tied to subscription tiers.

How do I implement Paddle compliantly?

Sign the Paddle DPA from your dashboard. Mention Paddle as a merchant of record and processor in your privacy notice with the UK adequacy and the EU AWS hosting. Use the hosted Paddle Checkout to limit your PCI DSS scope. Configure SCA and risk rules to comply with PSD2. Define a retention period for transaction metadata aligned with your AML, EU VAT and tax obligations.

Are there alternatives to Paddle for SaaS billing in the EU?

Other merchant of record platforms include Lemon Squeezy (US), FastSpring (US) and the EU-based ConsentMagic / 2Checkout. For non-MoR EU options, Stripe Billing, Mollie subscriptions and Adyen subscriptions can handle recurring payments while leaving EU VAT compliance with the seller.

How should I update my cookie policy for Paddle?

For most setups no update to the banner is needed because the Paddle hosted checkout sets only strictly necessary cookies under Art. 5(3) ePrivacy. Update your privacy notice to mention Paddle as a merchant of record and processor, the UK adequacy, the EU AWS hosting and the legal basis for each step (payments, VAT, fraud prevention).