Raku-Uru Cart is a Japanese hosted shopping cart and checkout solution operated by GMO Make Shop in Tokyo. It lets merchants embed a complete e-commerce cart, product catalogue and checkout into any website via a JavaScript snippet. Because Raku-Uru Cart stores order, customer and basket data in Japan and writes session and cart cookies on the visitor's browser, EU operators using it must rely on the EU-Japan adequacy decision for transfers, on the strictly necessary cookie exemption for the session and cart cookies, and on prior consent for analytics modules.
Raku-Uru Cart is a hosted shopping cart and checkout service developed by GMO Make Shop, a long-established Japanese e-commerce provider headquartered in Tokyo. Merchants embed a JavaScript snippet on their website to expose a complete cart, product catalogue, payment and order management flow without having to operate their own e-commerce stack. The service is mainly used by Japanese SMEs and craft brands, but it also serves European exporters selling Japanese goods (cosmetics, tea, snacks, lifestyle) to international audiences.
When the Raku-Uru Cart widget is embedded, the script sets a third-party session cookie that binds the visitor to a basket on the GMO Make Shop infrastructure, a persistent cart cookie that retains items across visits, and an authentication cookie once the customer signs in. On the server side the platform processes the order itself: name, billing and shipping address, payment metadata, email, phone and any optional fields configured by the merchant. Optional analytics modules add measurement and conversion identifiers.
Because the visitor data is transferred to Raku-Uru Cart servers in Japan, the operator must comply with the GDPR transfer rules (Articles 44 to 49). An adequacy decision of the European Commission for Japan has been in place since 2019, which means transfers to Raku-Uru Cart can take place without Standard Contractual Clauses. The strictly necessary session and cart cookies fall under the ePrivacy Article 5(3) exemption and do not require consent. Optional analytics and marketing cookies do require consent under section 25 TTDSG in Germany or its equivalents in other EU member states.
Contract performance under Article 6(1)(b) GDPR is the proper basis for storing and processing the personal data needed to deliver an order: identity, addresses, payment, tracking. Consent under Article 6(1)(a) GDPR is required for analytics, marketing personalisation and any retention beyond what is necessary for the contract. Legitimate interest under Article 6(1)(f) GDPR can support fraud prevention checks and security logging when supported by a balancing test. A data processing agreement with GMO Make Shop under Article 28 GDPR remains necessary even with the adequacy decision in place.
Japan has been recognised as offering an adequate level of data protection by Commission Implementing Decision (EU) 2019/419, after the Japanese Personal Information Protection Commission adopted Supplementary Rules to align with the GDPR. EU operators therefore do not need Standard Contractual Clauses to send order data to Raku-Uru Cart, but they must update their privacy notice to mention the transfer, the recipient (GMO Make Shop, Tokyo) and the adequacy decision as the transfer mechanism. They should also confirm whether the merchant uses payment service providers that re-transfer data outside Japan.
Add the strictly necessary Raku-Uru Cart cookies to your cookie inventory but mark them as exempt from consent. Block any analytics or marketing add-ons behind your CMP, sign the data processing agreement, mention GMO Make Shop and Japan in your privacy notice and rely on the Japan adequacy decision as the transfer mechanism. Configure clear order data retention periods and provide a documented procedure for handling data subject rights (access, deletion, portability) so requests can be relayed to GMO Make Shop when they target data stored in Japan.
Websites using Raku-uru Cart must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not generally required for using Raku-Uru Cart on a small or mid-sized European storefront, because the platform focuses on transactional e-commerce and the EU-Japan adequacy decision substantially mitigates the transfer risk. A DPIA becomes relevant for sensitive product verticals (cosmetics with health claims, alcohol with age verification, supplements) or when the operator combines Raku-Uru Cart with profiling, behavioural recommendation or large-scale loyalty programmes that systematically build customer profiles.
Sample consent text
Our store uses Raku-Uru Cart, a Japanese shopping cart service by GMO Make Shop. Strictly necessary cookies are placed to remember the items in your basket and to process your order; these do not require your consent. With your permission we also enable optional analytics and marketing cookies, and we transfer your order data to Japan, which is recognised by the European Commission as offering an adequate level of data protection.
Third-party domains contacted
raku-uru.jp, rakuurucart.com, shop.makeshop.jp, cdn.makeshop.jp
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| rs_session | third_party | Session | Session identifier set by Raku-Uru Cart to bind the visitor to a shopping basket on GMO Make Shop infrastructure during the current visit. Strictly necessary for checkout. |
| rs_cart | third_party | 30 days | Persistent cart identifier used by Raku-Uru Cart to retain the basket between visits and reattach it once the visitor returns. Strictly necessary for cart functionality. |
| rs_auth | third_party | 30 days | Authentication identifier created by Raku-Uru Cart after the visitor signs in to their account to keep them logged in across pages. |
| rs_pref | third_party | 12 months | Stores currency, language and storefront preferences chosen by the visitor to provide a consistent experience across visits. |
Raku-uru Cart uses cookies for user preferences — inform visitors with a consent banner.
When the Raku-Uru Cart widget is loaded, it sets a third-party session cookie that binds the visitor to a basket on the GMO Make Shop infrastructure, a persistent cart cookie that retains items across visits and an authentication cookie once the customer signs in. Optional analytics or marketing modules add measurement and conversion identifiers. The core cookies are first-party or third-party depending on how the widget is embedded, and they are strictly necessary for the shopping flow.
The strictly necessary cookies (session, cart, authentication) do not require consent because they fall under Article 5(3) ePrivacy Directive as strictly necessary for the service requested by the visitor. Any optional analytics, marketing or recommendation cookies loaded on top of the cart do require prior consent, and the visitor must be informed that personal data is transferred to Japan, even though that transfer relies on the EU adequacy decision.
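A way to check this classification against what the embedded cart actually sets, as an added example that is not code from Raku-Uru Cart or from this page: it audits `Set-Cookie` values against the cookie table above. The function names, the sample headers and the treatment of `rs_pref` as non-exempt are assumptions.

```javascript
// Added example: inventory copied from the "Cookies placed" table on this page.
// maxDays 0 = session cookie; "12 months" is taken as 365 days (assumption).
// Marking rs_pref as non-exempt is an assumption: the page lists only the
// session, cart and authentication cookies as strictly necessary.
const INVENTORY = new Map([
  ["rs_session", { maxDays: 0, exempt: true }],
  ["rs_cart", { maxDays: 30, exempt: true }],
  ["rs_auth", { maxDays: 30, exempt: true }],
  ["rs_pref", { maxDays: 365, exempt: false }],
]);

// Extract the cookie name and its lifetime in days from one Set-Cookie value.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq < 0 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq < 0 ? "" : attr.slice(eq + 1);
    if (key === "max-age") maxAge = Number.parseInt(val, 10);
    if (key === "expires") expires = (Date.parse(val) - now) / 1000;
  }
  const seconds = maxAge ?? expires ?? 0; // Max-Age takes precedence over Expires
  return { name: pair.split("=")[0], days: seconds / 86400 };
}

// Flag undeclared cookies, non-exempt cookies set without consent, and
// lifetimes longer than the documented duration.
function auditCookies(headers, consentGiven, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, days } = parseSetCookie(header, now);
    const entry = INVENTORY.get(name);
    if (!entry) { findings.push({ name, issue: "undeclared" }); continue; }
    if (!entry.exempt && !consentGiven) findings.push({ name, issue: "set-before-consent" });
    if (days > entry.maxDays) findings.push({ name, issue: "lifetime-exceeds-inventory" });
  }
  return findings;
}

// Constructed sample responses, not captured from the real service.
const SAMPLE_HEADERS = [
  "rs_session=abc123; Path=/; Secure; HttpOnly",
  "rs_cart=c-789; Max-Age=7776000; Path=/",
  "rs_pref=lang%3Dde; Max-Age=31536000; Path=/",
  "_trk=xyz; Max-Age=63072000; Path=/",
];
console.log(auditCookies(SAMPLE_HEADERS, false));
```

Feeding it the `Set-Cookie` headers recorded on a first page load, before any CMP interaction, shows which cookies would need to be gated or added to the inventory.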
Order processing, account creation and shipping are based on contract performance (Article 6(1)(b) GDPR). Marketing communications and behavioural personalisation require consent (Article 6(1)(a) GDPR). Fraud prevention and security can rely on legitimate interest (Article 6(1)(f) GDPR) with a documented balancing test. Statutory tax retention obligations are based on legal obligation (Article 6(1)(c) GDPR).
Yes, order and customer data is transferred to Japan, where GMO Make Shop hosts the platform. This transfer is covered by the European Commission adequacy decision for Japan (Decision (EU) 2019/419), so no Standard Contractual Clauses are needed. The privacy notice must still disclose the transfer, the recipient and the adequacy decision as the transfer mechanism, and must mention any onward transfers triggered by the payment service provider chosen by the merchant.
For typical B2C stores selling non-sensitive goods the DPIA is not required. It becomes recommended when the operator combines Raku-Uru Cart with profiling, behavioural recommendations or loyalty programmes that build long-term customer profiles, when sensitive products (health, alcohol) are sold, or when very large volumes of orders are processed. In those cases the Article 35 GDPR criteria are likely to be met.
List the strictly necessary cart cookies in your privacy notice but exempt them from CMP gating, block any optional analytics and marketing modules behind consent, sign the data processing agreement with GMO Make Shop, declare the EU-to-Japan transfer in your records of processing activities, and rely on the adequacy decision as the transfer mechanism. Configure the cart so that account creation is optional for one-off purchases to minimise data.
For EU operators wanting a similar embeddable cart without third-country transfers, the closest alternatives are Snipcart (hosted in Canada, also adequacy), Shopify Buy Button (US), Foxy.io (US), Ecwid (US) and CommerceLayer (EU-based). EU-hosted SaaS alternatives such as Shopware Cloud (Germany) and Lightspeed eCom (Netherlands) avoid the third-country transfer altogether and may simplify the privacy notice.
Add a section in the cookie policy describing the Raku-Uru Cart session, cart and authentication cookies with their name, duration and purpose, and note that they are strictly necessary. Add a separate section in the privacy notice covering the transfer to GMO Make Shop in Japan, citing the EU adequacy decision. If optional analytics or marketing modules are enabled, document them in the marketing or analytics consent category and make them re-consentable through the CMP.