plug pay is a Brazilian payment orchestration and checkout platform. Merchants embed its hosted checkout or its JavaScript SDK to accept credit cards, Pix, boleto and other local payment methods. The platform tokenizes card data and routes the transaction to the selected acquirer or sub acquirer.
During checkout plug pay sets cookies such as pp_session for the active payment session, _plug_sid for visitor identification and _plug_pay_token to bind a tokenized card to the session. The SDK collects device fingerprint signals (user agent, screen size, time zone, IP address) for fraud scoring, plus the buyer name, email, billing address and chosen payment method.
The payment itself relies on Article 6(1)(b) GDPR (processing necessary for the performance of the sales contract). Antifraud signals fall under Article 6(1)(f) GDPR (legitimate interest in preventing payment fraud), which must be documented in a balancing test. Cookies and analytics scripts loaded by the checkout that are not strictly necessary for the payment require prior consent under Article 5(3) ePrivacy Directive and, in Germany, Section 25(1) TTDSG (renamed TDDDG in 2024).
plug pay is hosted on AWS in Brazil. Each transaction involves a transfer of personal data from the EU to Brazil. There is no European Commission adequacy decision for Brazil, so transfers must rely on Standard Contractual Clauses 2021/914 and a transfer impact assessment that takes Brazilian surveillance laws and the LGPD into account.
A DPIA under Article 35 GDPR is recommended because the processing involves financial data, automated fraud scoring and an international transfer. It should describe data minimisation, retention of card tokens, the antifraud logic, the rights of the buyer when a transaction is refused and the PCI DSS scope.
Sign Standard Contractual Clauses with Plug Pagamentos, complete a transfer impact assessment, list plug pay in the privacy notice and cookie banner, block non essential cookies until consent, scope PCI DSS responsibilities and keep evidence of the antifraud legitimate interest balancing test.
Websites using plug pay must obtain consent for the non-essential cookies and scripts the checkout loads (analytics, marketing, optional fingerprinting beyond fraud prevention); the payment session cookies themselves are strictly necessary and do not need consent, but must still be disclosed.
DPIA considerations
A DPIA is recommended whenever a European controller embeds plug pay, because the integration involves systematic processing of payment data, antifraud profiling, device fingerprinting and a transfer of personal data from the EU to Brazil. The DPIA must address the transfer impact assessment, the contractual safeguards in place, the retention of card tokens and the rights of the data subject when fraud rules block a transaction.
Sample consent text
To process your payment we send checkout data to plug pay in Brazil, which sets cookies on your device for the payment session and fraud prevention. Do you accept the use of plug pay to complete this order?
Third-party domains contacted
api.plugpay.com.br
checkout.plugpay.com.br
js.plugpay.com.br
cdn.plugpay.com.br
risk.plugpay.com.br
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| pp_session | session | Session | Maintains the active payment session and ties the buyer to the merchant order while the checkout is open. |
| _plug_sid | first_party | 1 year | Persistent visitor identifier used by plug pay to recognise returning buyers and stop duplicate or replay submissions. |
| _plug_pay_token | first_party | 30 minutes | Holds the short lived token that represents a tokenized payment instrument before the transaction is authorised. |
| _plug_fp | first_party | 6 months | Stores a device fingerprint hash used in antifraud scoring to detect suspicious buyer behaviour. |
| _plug_locale | first_party | 1 year | Stores the preferred language and currency for the hosted checkout interface. |
plug pay also sets a preference cookie (_plug_locale) for the language and currency of the hosted checkout. List it in the consent banner alongside the payment and antifraud cookies.
plug pay sets first party cookies including pp_session for the live payment session, _plug_sid as a visitor identifier and _plug_pay_token to bind a tokenized card to the buyer. Additional antifraud cookies and localStorage entries are written by the JavaScript SDK during the order flow.
Strictly necessary payment cookies do not require consent under the ePrivacy Directive. Analytics or marketing scripts loaded by the same checkout and any optional fingerprinting beyond fraud prevention require prior consent from the buyer.
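The consent gating described above, as an added example in JavaScript that is not plug pay's own SDK code. The cookie names and the plugpay.com.br domains come from the table on this page; the script paths, the analytics tag URL, the shape of the consent object and the sample cookie string are assumptions made for the example. It audits the cookies present against the basis the page assigns to each, and decides which scripts a merchant page may load before and after consent.

```javascript
// Added example (not plug pay's SDK). Cookie names and domains are from this
// page's table; script paths, the consent object and sample data are assumed.

// Basis the page assigns to each cookie. "necessary" and "antifraud" cookies
// may be set before consent; "preference" cookies must wait for consent.
const COOKIE_POLICY = {
  pp_session:      "necessary",
  _plug_sid:       "necessary",
  _plug_pay_token: "necessary",
  _plug_fp:        "antifraud",
  _plug_locale:    "preference",
};

// Consent categories a banner can grant (assumed shape). Anything not listed is denied.
const DEFAULT_CONSENT = Object.freeze({ preferences: false, analytics: false });

// Parse a Cookie header or document.cookie string into a Map of name -> value.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out.set(name, part.slice(idx + 1).trim());
  }
  return out;
}

// Audit the cookies present against the policy and the consent actually held.
// Returns cookies lawfully present, cookies set without the consent they need,
// and cookies not in the inventory at all (e.g. a bundled analytics tag).
function auditCookies(cookieString, consent = DEFAULT_CONSENT) {
  const result = { allowed: [], withoutConsent: [], unknown: [] };
  for (const name of parseCookies(cookieString).keys()) {
    const basis = COOKIE_POLICY[name];
    if (basis === undefined) {
      result.unknown.push(name);
    } else if (basis === "necessary" || basis === "antifraud") {
      result.allowed.push(name);
    } else if (basis === "preference" && consent.preferences) {
      result.allowed.push(name);
    } else {
      result.withoutConsent.push(name);
    }
  }
  return result;
}

// Assumed script locations on the domains this page lists; the analytics tag
// is a placeholder for whatever optional script the checkout bundles.
const SDK_URL       = "https://js.plugpay.com.br/sdk.js";
const RISK_URL      = "https://risk.plugpay.com.br/collector.js";
const ANALYTICS_URL = "https://analytics.example.com/tag.js";

// The checkout SDK loads only on checkout pages (Art. 6(1)(b)); the antifraud
// collector rides along with it (Art. 6(1)(f)); analytics waits for consent.
function scriptsToLoad({ isCheckoutPage, consent = DEFAULT_CONSENT }) {
  if (!isCheckoutPage) return [];
  const urls = [SDK_URL, RISK_URL];
  if (consent.analytics) urls.push(ANALYTICS_URL);
  return urls;
}

// Inject the allowed scripts. `doc` is passed in so this can be exercised
// against a stub outside a browser; on the page call loadScripts(document, urls).
function loadScripts(doc, urls) {
  const created = [];
  for (const src of urls) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
    created.push(src);
  }
  return created;
}

// Constructed sample: cookies observed on a checkout page before any consent,
// including an analytics cookie (_ga) that a bundled tag set prematurely.
const SAMPLE_PRE_CONSENT_COOKIES =
  "pp_session=abc123; _plug_sid=v-9f8e; _plug_pay_token=tok_01; " +
  "_plug_fp=h4sh; _plug_locale=pt-BR; _ga=GA1.2.1";

if (typeof module !== "undefined" && require.main === module) {
  console.log(auditCookies(SAMPLE_PRE_CONSENT_COOKIES));
  console.log(scriptsToLoad({ isCheckoutPage: true }));
}
```

Run against the constructed sample, the audit reports _plug_locale as set without the preference consent it needs and _ga as an unknown cookie to investigate, while the three session cookies and the antifraud hash pass. Wire `scriptsToLoad` to the banner's consent callback so the analytics tag is only appended once consent has been granted.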
Article 6(1)(b) GDPR covers the payment as part of the sales contract. Article 6(1)(f) GDPR covers antifraud signals under a documented legitimate interest. Article 6(1)(a) GDPR covers non essential analytics and marketing cookies loaded by the checkout.
plug pay operates from Brazil, so every transaction transfers personal data from the EU to Brazil. There is no European Commission adequacy decision for Brazil, so Standard Contractual Clauses and a transfer impact assessment are required.
Yes, a DPIA is recommended. The integration combines large scale payment processing, automated fraud scoring and an international transfer, which together meet several criteria of Article 35 GDPR and the EDPB lists of high risk processing.
Sign SCCs and a data processing agreement, complete a transfer impact assessment, embed the SDK only on the pages that need it, block non essential cookies until consent, document antifraud rules and confirm the split of PCI DSS responsibilities with Plug Pagamentos.
In the EU, alternatives include Stripe, Adyen, Mollie and Worldline. Brazilian alternatives include Pagar.me, Stone and Cielo. Each option has its own hosting region, transfer mechanism and antifraud model that must be assessed before switching.
List the strictly necessary payment cookies (pp_session, _plug_sid, _plug_pay_token), the antifraud and any analytics cookies, the controller relationship with Plug Pagamentos, the EU to Brazil transfer mechanism and a link to the plug pay privacy notice.