Payhip is a UK based merchant of record platform run by Payhip Ltd in London. Creators use it to sell ebooks, digital downloads, courses, memberships and software, either on a hosted Payhip page or via an embed button or storefront on their own site. As merchant of record, Payhip collects EU VAT and other sales taxes and routes payments through Stripe and PayPal. The UK adequacy decision makes the main data flow EU friendly, but consent is still required for the embed and onward transfers must be documented.
Payhip is a UK based platform operated by Payhip Ltd in London that lets creators and small businesses sell digital products (ebooks, music, design assets, software), courses, memberships and physical goods. Sellers either send buyers to a hosted Payhip page (payhip.com/SELLER/PRODUCT) or embed a Buy button or full storefront on their own site through payhip.com/embed.js.
As merchant of record (MoR) for digital products, Payhip is the legal seller on the invoice, collects EU VAT and remits the net revenue. Payments are routed through Stripe and PayPal in the background. Payhip competes with Gumroad, Lemon Squeezy, Sellfy and SendOwl.
When the Payhip embed is on the seller's site, embed.js loads from payhip.com. The embed opens an iframe to payhip.com that sets first party Payhip cookies (payhip_session, payhip_csrf, payhip_locale, an attribution cookie) and Cloudflare bot management cookies. Stripe and PayPal flows add __stripe_mid, __stripe_sid and paypal_* cookies. Payhip's own dashboard uses Google Analytics 4 and Sentry.
Embedding the Payhip widget loads cookies before the visitor acts, which triggers Art. 5(3) ePrivacy and requires prior consent in the EU. Once the customer initiates the purchase on the hosted checkout, the strictly necessary cookies are exempt and the payment processing relies on contract performance. As merchant of record, Payhip is a separate controller for VAT and tax data.
For EU traffic, replace the embed with a static link to the hosted Payhip product page until the visitor has accepted the functional or marketing category in your CMP. The hosted checkout itself can run without a banner because the cookies are strictly necessary, but the privacy notice should describe Payhip, Stripe and PayPal.
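One way to implement the gate described above, as an added example that is not Payhip's or any CMP's own code. It assumes the page markup already contains a plain link to the hosted product page (payhip.com/SELLER/PRODUCT) and that your CMP can report the accepted category names; `createEmbedGate` and `onConsentChange` are hypothetical names.

```javascript
// Script path as named on this page; everything else here is illustrative.
const PAYHIP_EMBED_SRC = "https://payhip.com/embed.js";

// doc: the browser `document` (or a stand-in with createElement and head.appendChild).
// requiredCategories: CMP categories that unlock the embed, per the text above.
function createEmbedGate(doc, requiredCategories = ["functional", "marketing"]) {
  let loaded = false;

  // Call once on page load with the stored consent state, and again
  // from the CMP's change callback (the callback wiring is CMP specific).
  function onConsentChange(accepted) {
    const granted = requiredCategories.some((c) => accepted.includes(c));

    if (granted && !loaded) {
      // Only now is any request made to payhip.com, so no Payhip,
      // Cloudflare, Stripe or PayPal cookie is set before consent.
      const script = doc.createElement("script");
      script.src = PAYHIP_EMBED_SRC;
      script.async = true;
      doc.head.appendChild(script);
      loaded = true;
    }

    // A script that already ran cannot be unloaded, and cookies on
    // payhip.com cannot be cleared from the seller's origin. After a
    // withdrawal the page has to be reloaded so the gate starts closed.
    return { loaded, needsReload: loaded && !granted };
  }

  return { onConsentChange };
}

// Browser usage (assumed CMP hook, adapt to your CMP):
//   const gate = createEmbedGate(document);
//   gate.onConsentChange(storedCategories);
```

Until `onConsentChange` sees an accepted category, the visitor only has the static link, which leads to the hosted checkout where the strictly necessary cookies apply.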
Payhip processes data on AWS Europe London and Ireland. The UK has an EU adequacy decision under Art. 45 GDPR, so the data flow to Payhip is treated like an intra EEA transfer. Onward transfers occur to Stripe (Ireland and US, with SCCs and DPF) and PayPal (Luxembourg and US, with SCCs and DPF).
Sign the Payhip DPA from your seller dashboard. Gate the embed behind a CMP. List Payhip, Stripe and PayPal in your privacy notice and Article 30 record. Document UK adequacy and the onward transfers. Update your terms so refunds, VAT receipts and disputes go through Payhip as merchant of record.
Websites using Payhip must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for a small creator using Payhip. It can become relevant for media operations using Payhip memberships and courses alongside extensive analytics, profiling and AI tooling on the same customer base.
Sample consent text
Sales and memberships on this site are powered by Payhip (Payhip Ltd, United Kingdom), our merchant of record for digital products and memberships. The Payhip embed sets functional and analytics cookies, opens an iframe to payhip.com, processes payments through Stripe and PayPal and remits EU VAT on our behalf. The UK benefits from an EU adequacy decision.
Third-party domains contacted
payhip.com, www.payhip.com, cdn.payhip.com, js.stripe.com, www.paypal.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| payhip_session | third_party | 2 weeks | Payhip session cookie set on payhip.com to keep an authenticated session and the in progress checkout. |
| payhip_csrf | third_party | Session | CSRF protection token for Payhip API calls during the checkout flow. |
| payhip_locale | third_party | 1 year | Functional cookie used by Payhip to remember the buyer's language and currency preference between visits. |
| payhip_attribution | third_party | 6 months | Attribution cookie used to track which seller link or affiliate brought the buyer to the Payhip checkout. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie set on payhip.com to distinguish humans from automated traffic. |
Payhip uses cookies for user preferences — inform visitors with a consent banner.
When the Payhip embed loads, it sets first party Payhip cookies on payhip.com (payhip_session, payhip_csrf, payhip_locale, an attribution cookie) and Cloudflare bot management cookies. The Stripe step adds __stripe_mid and __stripe_sid; PayPal flows add paypal_* cookies.
Yes. The embed sets non strictly necessary cookies before the visitor takes any action, so Art. 5(3) ePrivacy requires prior consent in the EU. Use a CMP to gate the embed and link to the hosted product page until consent is given.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the embed cookies. Contract performance (Art. 6(1)(b)) for the purchase on the hosted Payhip checkout. Legal obligation (Art. 6(1)(c)) for EU VAT collection since Payhip is the merchant of record for digital products.
Primarily no. Payhip Ltd processes data in the United Kingdom and on AWS Europe London and Ireland. The UK has an EU adequacy decision under Art. 45 GDPR. Onward transfers happen for payments through Stripe and PayPal, covered by their own SCCs and EU US Data Privacy Framework.
Not for a small creator. A DPIA can be appropriate for media operations using Payhip memberships and courses alongside extensive analytics, profiling and AI tools on the same customer base.
Sign the Payhip DPA, gate the embed behind a CMP, list Payhip, Stripe and PayPal in your privacy notice and Article 30 record, mention the UK adequacy decision and the onward transfers, and update your terms so refunds, VAT receipts and disputes go through Payhip.
EU friendly merchant of record alternatives include Paddle (UK), Lemon Squeezy (US with DPF), Gumroad (US with DPF), FastSpring (US), Sellfy (Latvia, EU) and SendOwl (UK). Non MoR EU options include Stripe Checkout and Mollie subscriptions.
List the Payhip, Cloudflare, Stripe and PayPal cookies in your cookie policy with their categories and durations. In your privacy notice describe Payhip as your merchant of record, the embed, the iframe to payhip.com, the UK adequacy and the onward transfer to Stripe and PayPal in the US.