Remarkable Commerce is a UK headless eCommerce platform used by mid market and enterprise retailers to power web stores, mobile apps and in store experiences from a single product, content and order back office. The platform sets first party cookies for session, basket and checkout, exposes APIs for personalisation and integrates with payment, search, marketing and analytics tools. Retailers using Remarkable Commerce on a European storefront must collect consent for non essential cookies, comply with UK GDPR and PECR, and document the international data flows triggered by their chosen integrations.
Remarkable Commerce is a headless eCommerce platform developed in the United Kingdom and used by mid market and enterprise retailers to power web stores, native mobile apps and in store experiences. It centralises product information, content, pricing, promotions, orders and customer profiles, exposes everything through APIs and connects to specialised modules for personalisation, search, marketing automation, payments and order management. Retailers typically deploy a custom storefront on top of the Remarkable Commerce APIs, with one or several brand websites sharing the same back office.
On the storefront, Remarkable Commerce sets first party cookies for the visitor session, the cart, the checkout funnel, the chosen language and currency and the CSRF token. These cookies are strictly necessary to run the store. Once a customer authenticates, the platform stores a long lived identifier to recognise the returning shopper and to populate the wishlist and order history. Optional integrations such as analytics, AB testing, personalisation, search merchandising or marketing automation each add their own cookies and pixels.
Cookies that maintain the basket, the checkout and the authenticated session are strictly necessary and are exempt from PECR Regulation 6 and Article 5(3) of the ePrivacy Directive. All non essential cookies require prior consent, including analytics, personalisation, advertising and any embedded content such as social widgets or product reviews. The retailer is the controller of customer data and uses Remarkable Commerce as a processor through an Article 28 contract that should include the standard subprocessor clauses.
Configure your consent management platform so that all non essential cookies and integrations are blocked until the visitor opts in. The banner should distinguish strictly necessary cookies that always run from analytics, personalisation and marketing categories that the visitor controls. Provide an equally prominent Reject button, document the consent choices and propagate them to integrations such as Google Analytics, Meta Pixel and any CDP. Inside the checkout, present clear processing notices for payment and fraud prevention.
Customer and order data hosted by Remarkable Commerce typically stays in the UK or the EU. International transfers can still occur through optional integrations such as a US based payment provider, a global CDN or a US analytics or marketing tool. The retailer must map these flows, list each provider in the privacy notice, rely on the UK extension to the EU US Data Privacy Framework or on the International Data Transfer Agreement and complete a Transfer Risk Assessment for high risk recipients.
Sign the Remarkable Commerce data processing addendum and review the list of subprocessors. Apply data minimisation to customer accounts, set retention rules for guest checkout data, encrypt payment tokens at rest and integrate the platform with a PCI DSS compliant payment provider. Use a single consent management platform that controls both Remarkable Commerce optional features and external marketing tags, document the architecture in your record of processing and run an annual review of the active integrations.
Websites using Remarkable Commerce must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Remarkable Commerce is configured for personalisation at scale, when it ingests offline customer data into a Customer Data Platform, when it processes payment data through a non tokenised flow, or when it powers loyalty and clienteling features that profile shoppers. For a plain catalog and checkout deployment without behavioural personalisation, a documented legitimate interest assessment is generally sufficient.
Sample consent text
This storefront is powered by Remarkable Commerce. Strictly necessary cookies keep your basket, your session and your checkout working. With your consent, we also enable analytics, personalisation and marketing cookies that help us understand how the store is used and how to improve your experience. You can refuse or withdraw consent at any time via the cookie settings link in the footer.
Third-party domains contacted
remarkablecommerce.com, cdn.remarkablecommerce.com, api.remarkablecommerce.com, auth.remarkablecommerce.com, assets.remarkablecommerce.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| rc_session | Strictly necessary | Session | Session cookie used by Remarkable Commerce to bind the visitor to a server side session, required to navigate the storefront and to complete a purchase. |
| rc_cart | Strictly necessary | 30 days | Persists the cart contents between visits so that the shopper can return and complete the order without losing the selected products. |
| rc_csrf | Strictly necessary | Session | Cross site request forgery token used to protect every state changing request made on the storefront, including login, checkout and account updates. |
| rc_locale | Functional | 1 year | Stores the language and the currency selected by the shopper to display the storefront in the chosen locale on subsequent visits. |
| rc_customer | Functional | 1 year | Long lived identifier used to recognise a returning authenticated customer and to populate the wishlist, the order history and the saved addresses. |
| rc_analytics | Analytics | 13 months | Optional analytics cookie loaded only after consent to measure storefront performance, conversion rates and merchandising effectiveness. |
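
One way to check that the consent gating described above holds on a live storefront, as an added example (not Remarkable Commerce or vendor code): it audits captured `Set-Cookie` headers against the table above. The function names, the sample headers, the `_vendor_px` cookie and the 396-day reading of "13 months" are assumptions made for this example.

```javascript
// Inventory copied from the "Cookies placed" table; maxDays null = session cookie.
const INVENTORY = new Map([
  ["rc_session",   { type: "Strictly necessary", maxDays: null }],
  ["rc_cart",      { type: "Strictly necessary", maxDays: 30 }],
  ["rc_csrf",      { type: "Strictly necessary", maxDays: null }],
  ["rc_locale",    { type: "Functional",         maxDays: 365 }],
  ["rc_customer",  { type: "Functional",         maxDays: 365 }],
  ["rc_analytics", { type: "Analytics",          maxDays: 396 }], // 13 months read as 396 days (assumption)
]);

// Parse one Set-Cookie value into { name, days }. Only Max-Age is read; Expires is ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  let days = null; // null = session cookie
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "max-age" && /^\d+$/.test(v || "")) days = Number(v) / 86400;
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), days };
}

// Audit headers against the inventory and the consent categories the visitor granted.
// `exempt` lists the types allowed without consent (assumption: only "Strictly necessary";
// add "Functional" if your policy classifies locale cookies as strictly necessary).
function auditCookies(headers, granted = [], exempt = ["Strictly necessary"]) {
  const findings = [];
  for (const header of headers) {
    const { name, days } = parseSetCookie(header);
    const entry = INVENTORY.get(name);
    if (!entry) {
      findings.push({ name, issue: "not in inventory" });
      continue;
    }
    if (!exempt.includes(entry.type) && !granted.includes(entry.type)) {
      findings.push({ name, issue: `set without ${entry.type} consent` });
    }
    const tooLong = entry.maxDays === null ? days !== null : days !== null && days > entry.maxDays;
    if (tooLong) findings.push({ name, issue: "lifetime exceeds documented duration" });
  }
  return findings;
}

// Constructed sample: response headers captured before the visitor made any choice.
const SAMPLE_PRE_CONSENT = [
  "rc_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "rc_cart=c-9; Path=/; Max-Age=2592000; Secure",
  "rc_analytics=a-1; Path=/; Max-Age=34214400",
  "_vendor_px=1; Path=/; Max-Age=7776000",
];
```
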
Remarkable Commerce uses cookies for user preferences — inform visitors with a consent banner.
Remarkable Commerce sets strictly necessary first party cookies for the visitor session, the cart, the checkout funnel, the chosen language and currency and the CSRF token. Authenticated users get a long lived identifier to persist the wishlist and the order history. Any optional module activated by the retailer (analytics, AB testing, search, marketing automation, personalisation) brings its own cookies and pixels that must be governed by the consent management platform.
Consent is required for every non essential cookie loaded on a Remarkable Commerce storefront, including analytics, marketing, personalisation and embedded third party content. Strictly necessary cookies that maintain the basket, the checkout and the authenticated session benefit from the strictly necessary exemption under PECR Regulation 6 and the ePrivacy Directive and do not require consent.
The legal basis is the performance of the contract under Article 6(1)(b) UK GDPR / EU GDPR for order processing, account management and delivery. Legal obligation applies to accounting, tax and consumer rights. Consent under Article 6(1)(a) covers marketing communications, profiling and non essential cookies. Legitimate interest may cover internal security and fraud prevention, subject to a documented assessment.
The core Remarkable Commerce database is hosted in the UK or the EU, so the platform itself does not require a transfer mechanism for those flows. However, retailers often integrate US based providers for payment, analytics, marketing or CDN, which trigger transfers. Each transfer must rely on adequacy, the UK extension to the EU US Data Privacy Framework or Standard Contractual Clauses, complemented by a Transfer Risk Assessment.
A DPIA is recommended when Remarkable Commerce powers large scale personalisation, when it ingests offline customer data into a Customer Data Platform, when payment data is processed in a non tokenised flow, or when loyalty and clienteling features profile shoppers. For a plain catalog and checkout deployment without behavioural personalisation, a documented legitimate interest assessment is generally sufficient.
Sign the Remarkable Commerce DPA, validate the list of subprocessors, integrate the storefront with a PCI DSS compliant payment provider and tokenise card data. Apply data minimisation to customer accounts, set retention rules for guest checkout data and use a consent management platform that controls both Remarkable Commerce optional modules and external marketing tags. Maintain documentation in the record of processing activities.
Alternative headless eCommerce platforms include commercetools, BigCommerce, Shopify Plus, Salesforce Commerce Cloud, Spryker, Adobe Commerce and SAP Commerce Cloud. Each comes with its own data residency, integration ecosystem and contractual model. The compliance posture depends less on the platform than on the retailer's choices for analytics, marketing and personalisation tools layered on top.
List the strictly necessary cookies set by Remarkable Commerce (session, cart, checkout, CSRF, language, currency) and explain their role. Add a separate section for analytics, personalisation and marketing cookies enabled by your integrations. Mention Remarkable Commerce and any subprocessor in your privacy notice, document the lawful bases and update the page when you enable or change a module on the platform.