Saleor is an open source headless e-commerce platform developed in Poland by Saleor Commerce. It exposes a GraphQL API used by custom storefronts and apps. Saleor itself is privacy-friendly: it stores order and customer data on the operator's infrastructure and does not include third-party trackers by default. The compliance footprint depends on the chosen hosting region (Saleor Cloud EU or US) and on the tracking pixels that operators add to their custom storefront.
Saleor is an open source headless e-commerce platform developed by Saleor Commerce sp. z o.o., based in Wroclaw, Poland. It is written in Python (Django, GraphQL) and is used by retailers and DTC brands across Europe and the Americas. Saleor exposes a GraphQL API that can be consumed by any storefront framework: Next.js, Astro, mobile apps, point-of-sale terminals or marketplaces. It is available both as Saleor Core (self-hosted, MIT licensed) and as Saleor Cloud, a managed offering with EU and US regions.
Saleor processes the data a typical e-commerce backend needs: customer accounts (email, name, address, phone), order history, baskets, payment statuses, refunds, vouchers and loyalty rewards. It logs IP addresses and user agents for fraud prevention and stores admin user accounts for staff. The platform does not ship with marketing analytics, advertising pixels or third-party trackers; any such tracking is added by the storefront developer.
Saleor falls under the standard GDPR rules for e-commerce: lawfulness of processing, data minimisation, security, retention and data subject rights. Strictly necessary cookies for cart, login and checkout are exempt from consent under Art. 5(3) of the ePrivacy Directive. Any optional cookies added by the storefront (analytics, retargeting, A/B testing) require prior consent and must be blocked until the visitor accepts.
The Saleor core platform does not require visitor consent for its own operation. Consent obligations stem from the front-end stack: analytics tags, marketing pixels, third-party search and personalisation widgets. Implementing a Consent Management Platform (CMP) that blocks these scripts by default, and only loads them after the visitor opts in, is the cleanest way to keep the storefront compliant with GDPR and ePrivacy across all EU member states.
When Saleor is self-hosted in the EU or deployed in a Saleor Cloud EU region, no transfer outside the EU is required. Saleor Cloud US regions involve a transfer to the United States, which currently relies on the EU-US Data Privacy Framework or Standard Contractual Clauses. The deployment region must be documented in the Article 30 register and disclosed in the privacy notice.
Choose an EU region for Saleor Cloud or self-host inside the EU, sign the Saleor DPA, harden Saleor admin access with MFA and IP restrictions, enable detailed audit logs, and configure retention rules for inactive customers. On the storefront side, integrate a CMP that blocks every non-essential tag, document each Saleor App that adds external processors, and review payment processors and shipping carriers in your privacy notice.
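The "block by default, load after opt-in" behaviour described above, as an added example that is not part of the original page and not Saleor's own code. Saleor Core sets no marketing tags, so everything in the registry below is the kind of optional tag a storefront developer layers on top; the tag ids, categories and script URLs are constructed placeholders, and the consent object shape (one boolean per optional category) is an assumption, not the format of any particular CMP.

```javascript
// Consent-gated loader for optional storefront tags (added example, not
// Saleor's own code). Every entry is a constructed placeholder; real vendor
// URLs would go here in a deployment.
const TAG_REGISTRY = [
  { id: "analytics-main",  category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-retargeting", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "ab-testing",      category: "analytics", src: "https://experiments.example/ab.js" },
];

// Categories a visitor can opt in to. Strictly necessary cookies (cart,
// login, checkout, CSRF) are deliberately absent: they need no consent and
// are never gated by this loader.
const OPTIONAL_CATEGORIES = ["analytics", "marketing", "personalization"];

// Default state before any banner interaction: nothing optional is allowed.
function defaultConsent() {
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
}

// Return the registered tags permitted under a consent record. A missing
// key, a non-boolean value, a non-object consent record or a category that
// is not in OPTIONAL_CATEGORIES all fall on the deny side, so a malformed
// or tampered consent object can never unlock a tag by accident.
function permittedTags(consent, registry = TAG_REGISTRY) {
  const valid = consent !== null && typeof consent === "object";
  return registry.filter(
    (tag) => OPTIONAL_CATEGORIES.includes(tag.category) && valid && consent[tag.category] === true
  );
}

// Inject the permitted tags as <script> elements, at most once per tag id.
// `doc` is passed in (rather than using the global document) so the function
// can run outside a browser; `loaded` tracks ids injected on earlier calls,
// e.g. when the visitor widens consent later. Returns the ids injected now.
function loadPermittedTags(consent, doc, loaded = new Set()) {
  const injected = [];
  for (const tag of permittedTags(consent)) {
    if (loaded.has(tag.id)) continue;
    const el = doc.createElement("script");
    el.src = tag.src;
    el.async = true;
    el.dataset.consentCategory = tag.category; // lets a later audit see why it loaded
    doc.head.appendChild(el);
    loaded.add(tag.id);
    injected.push(tag.id);
  }
  return injected;
}

// Example wiring in a browser: start from defaultConsent() and call
// loadPermittedTags again whenever the CMP reports a consent change.
if (typeof document !== "undefined") {
  const loaded = new Set();
  loadPermittedTags(defaultConsent(), document, loaded); // loads nothing
}
```

The important property is the direction of the default: an absent or malformed consent record denies, and only an explicit `true` for a category allows. Widening consent later is handled by calling `loadPermittedTags` again with the same `loaded` set, so tags are never injected twice.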
Websites using Saleor must obtain user consent under GDPR for any optional cookies their storefront adds on top of the platform.
DPIA considerations
A DPIA is not generally required for Saleor itself when used for standard order processing. A DPIA becomes appropriate when the storefront layered on Saleor implements large-scale behavioural tracking, scoring or profiling, or when sensitive product categories are sold.
Sample consent text
This online store is powered by Saleor, an open source e-commerce engine. Strictly necessary cookies are used to manage your cart, your account and your checkout. Optional cookies for analytics, advertising or personalization are only set after you give your consent.
Third-party domains contacted
saleor.io
cloud.saleor.io
api.saleor.io
eu.saleor.cloud
us.saleor.cloud
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| refreshToken | http_only_cookie | 30 days (configurable, JWT refresh token lifetime) | Strictly necessary. Stores the JWT refresh token issued by Saleor so the user stays authenticated and can request new access tokens without re-entering credentials. |
| csrfToken | first_party_cookie | Session (paired with refreshToken) | Strictly necessary. CSRF protection token required by Saleor when refreshing tokens via cookie-based flows. Prevents cross-site request forgery on the tokenRefresh mutation. |
| accessToken | memory_or_first_party_cookie | 5 to 15 minutes (JWT access token lifetime) | Strictly necessary. Short-lived JWT access token sent in the Authorization header to call the Saleor GraphQL API. Often kept in memory, optionally in a first-party cookie. |
| checkoutToken | first_party_cookie_or_localStorage | Up to 30 days or until checkout completes | Strictly necessary. Stores the identifier of the current checkout / cart so the basket persists across page reloads and, for logged-in users, across devices. |
| locale | first_party_cookie | 1 year | Functional. Remembers the language and currency selected by the visitor on the Saleor storefront. Considered strictly necessary when explicitly chosen by the user. |
| saleor_app_session | first_party_cookie | Session | Strictly necessary. Used by the Saleor Dashboard and installed Saleor Apps for authenticated admin sessions. |
Saleor uses cookies for user preferences — inform visitors with a consent banner.
Saleor Core only sets strictly necessary cookies for the admin dashboard (authentication session, CSRF token) and, when using the server-side cart, a cart identifier. The platform does not include analytics or advertising cookies; any such cookies are added by the storefront layer that consumes the GraphQL API.
No consent is required for the strictly necessary cookies used by Saleor itself: cart persistence, authentication and security tokens fall under the exemption in Art. 5(3) of the ePrivacy Directive. Consent is required for any additional analytics, marketing or personalization scripts added to the storefront.
Performance of a contract (Art. 6(1)(b) GDPR) for order processing and account management, legitimate interest (Art. 6(1)(f)) for security, fraud prevention and audit, and consent (Art. 6(1)(a)) for any marketing communication or behavioural profiling layered on top of the core platform.
Self-hosted Saleor stays in the region you deploy it to. Saleor Cloud EU regions keep data in the EU. Saleor Cloud US regions transfer data to the United States under the EU-US Data Privacy Framework or Standard Contractual Clauses. Choose your region according to the data residency requirements of your business.
A DPIA is not generally required for a standard online shop built on Saleor. It becomes necessary when the storefront introduces large-scale behavioural tracking, scoring, sensitive product categories (health, political opinions) or automated decision-making that significantly affects customers.
Deploy Saleor in the EU, configure retention rules for inactive customers, restrict admin access with MFA and IP allow-lists, sign a Data Processing Agreement with Saleor for Cloud deployments, document Saleor in your Article 30 register, and use a Consent Management Platform on the storefront for any optional tag.
Yes, there are European open source alternatives. Sylius (France) and CoreShop (Austria) are mature open source platforms with strong European communities. Shopware (Germany) and PrestaShop (France) are popular open source choices. Spryker (Germany) targets B2B enterprises. All of them allow EU-only hosting and reduce the burden of international data transfers.
List each strictly necessary cookie used by Saleor (session, CSRF, cart) along with each optional cookie added by your front end (analytics, advertising, personalization). Indicate retention, processor and purpose. Re-trigger the consent banner whenever a new third-party integration is added through a Saleor App.
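A way to keep that cookie inventory honest over time, as an added example that is not part of the original page and not Saleor's own tooling: parse the `Set-Cookie` headers a storefront actually emits, check each documented cookie against the table above, and flag anything undocumented so it is either added to the policy or gated behind consent. The documented list is taken from the cookie table on this page; the expectation that `refreshToken` and `saleor_app_session` carry `HttpOnly` follows from their table entries, while treating `csrfToken` as readable by the storefront script is an assumption. The sample header lines are constructed, not captured from a real deployment.

```javascript
// Cookie inventory audit against the Saleor cookie table on this page
// (added example, not Saleor's own tooling). Expected attributes are an
// assumption derived from the table: the two http_only_cookie entries must
// be HttpOnly; every cookie should be Secure and carry SameSite.
const DOCUMENTED = {
  refreshToken:       { basis: "strictly necessary", httpOnly: true },
  csrfToken:          { basis: "strictly necessary", httpOnly: false }, // assumed JS-readable for tokenRefresh
  accessToken:        { basis: "strictly necessary", httpOnly: false },
  checkoutToken:      { basis: "strictly necessary", httpOnly: false },
  locale:             { basis: "functional",         httpOnly: false },
  saleor_app_session: { basis: "strictly necessary", httpOnly: true },
};

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Classify one parsed cookie. Documented cookies are checked for the
// attributes a session or security token should carry; anything not in the
// inventory is reported as undocumented, which is the case that needs either
// a policy entry or a consent gate before the tag setting it may run.
function auditCookie(cookie) {
  const spec = DOCUMENTED[cookie.name];
  if (!spec) {
    return {
      name: cookie.name,
      status: "undocumented",
      findings: ["not in cookie inventory: document it or gate it behind consent"],
    };
  }
  const findings = [];
  if (!cookie.attributes.secure) findings.push("missing Secure");
  if (!("samesite" in cookie.attributes)) findings.push("missing SameSite");
  if (spec.httpOnly && !cookie.attributes.httponly) findings.push("missing HttpOnly");
  return { name: cookie.name, status: findings.length ? "review" : "ok", basis: spec.basis, findings };
}

// Audit a list of raw Set-Cookie header values, e.g. collected from the
// response of a storefront page load.
function auditSetCookieHeaders(headers) {
  return headers.map((h) => auditCookie(parseSetCookie(h)));
}

// Constructed sample headers: two well-formed Saleor cookies, one documented
// cookie with weak attributes, and one undocumented analytics cookie.
const SAMPLE_HEADERS = [
  "refreshToken=constructedrefreshvalue; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=2592000",
  "csrfToken=constructedcsrfvalue; Path=/; Secure; SameSite=Lax",
  "locale=en-GB; Path=/; Max-Age=31536000",
  "_ga_constructed=GA1.constructed; Path=/; Max-Age=63072000",
];

function runSampleAudit() {
  return auditSetCookieHeaders(SAMPLE_HEADERS);
}
```

Run `runSampleAudit()` to see the four verdicts: the two Saleor tokens pass, `locale` is documented but flagged for missing `Secure` and `SameSite`, and the analytics cookie is reported as undocumented. Wiring the same check into a CI job that fetches the storefront gives an early warning whenever a newly installed Saleor App or front-end tag starts setting a cookie nobody has listed.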