Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Sellbe is a Polish e-commerce SaaS platform operated by Comarch that lets small and mid-sized businesses launch online stores quickly. The service is hosted on infrastructure located in Poland, which keeps merchant and customer data inside the European Economic Area. Sellbe sets first-party cookies for shopping cart and session management, plus optional analytics and marketing cookies that fall under Article 5(3) of the ePrivacy Directive and require informed consent.
Sellbe is a hosted e-commerce platform aimed at small and mid-sized merchants. It is published by Comarch S.A., a Polish technology group headquartered in Krakow, and accessible through the sellbe.com domain. Merchants pick a template, configure products, taxes and shipping rules, and the resulting storefront runs as a SaaS service. The platform integrates with Comarch ERP back-office products as well as third-party payment, shipping and accounting providers, but the operating tenant is hosted in Poland.
A standard Sellbe storefront stores first-party session cookies that link the visitor to their shopping basket, authentication cookies for logged in customers and a CSRF protection token. On the operations side it processes order data, addresses, payment references, contact details for newsletter subscribers and access logs. Optional analytics or marketing add-ons, such as Google Analytics, Meta Pixel or affiliate trackers, may set their own cookies if the merchant activates them.
The merchant is the controller of the personal data collected through the store. Comarch acts as a processor under Article 28 GDPR and provides a data processing agreement. Functional and shopping cart cookies fall outside the consent obligation of Article 5(3) ePrivacy because they are strictly necessary to provide the service explicitly requested by the user. Analytics and marketing cookies require prior, informed and freely given consent, expressed through a compliant consent banner.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Sellbe runs on Comarch infrastructure located in Poland and, as such, keeps customer data within the European Economic Area by default. Transfers outside the EEA only occur when the merchant deliberately activates an integration that involves a third country processor, such as a non European payment gateway, a US analytics suite or a marketing tool. Each such integration must be assessed separately by the merchant and documented in the record of processing activities.
A standard SMB storefront does not in itself trigger the obligation of a formal DPIA. However, a record of processing activities under Article 30, an information notice under Articles 13 and 14, a configured consent banner and a data processing agreement with Comarch are mandatory. If the merchant enables behavioural advertising, customer scoring or large scale newsletter campaigns, a focused DPIA is recommended to address profiling, retention and security risks.
Merchants should publish a clear privacy notice, install a granular consent banner that separates strictly necessary, analytics and marketing cookies, sign the Comarch DPA, document subprocessors and configure retention periods inside the back office. If a fully self-hosted setup is preferred, alternatives include Shoper, PrestaShop, WooCommerce or Sylius, each of which can run on EU infrastructure with similar feature coverage.
Websites using Sellbe must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is not automatically required for a typical Sellbe store, but the merchant should document the categories of data processed (identification, contact, order, payment), the retention periods, the role of Comarch as processor and the chain of subprocessors (payment gateway, shipping carrier, marketing module). If the catalogue includes special category data, profiling features or large scale processing, a formal DPIA under Article 35 GDPR becomes necessary.
Sample consent text
This online store runs on the Sellbe platform. Essential cookies are needed to keep your basket and to complete your order. With your consent we also use analytics cookies to measure aggregated traffic and marketing cookies to display tailored offers. You can accept, refuse or fine-tune your choice at any time from the cookie preferences link in the footer.
Third-party domains contacted
sellbe.comstatic.sellbe.comapi.sellbe.comcomarch.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sellbe_session | first_party | Session | Identifies the visitor session and links it to the shopping basket. Strictly necessary for the storefront to function. |
| sellbe_cart | first_party | 30 days | Persists the contents of the shopping basket between visits so the buyer can resume the order. Strictly necessary functional cookie. |
| sellbe_auth | first_party | 14 days | Keeps the logged in customer authenticated across pages. Set only after sign in, strictly necessary for the account area. |
| sellbe_csrf | first_party | Session | CSRF token preventing cross-site request forgery on forms and checkout. Strictly necessary security cookie. |
| sellbe_consent | first_party | 12 months | Stores the visitor cookie preferences (accepted, rejected, granular categories) to enforce the consent on subsequent visits. |
| sellbe_locale | first_party | 12 months | Remembers the language and currency selected by the visitor. Functional cookie that improves the browsing experience. |
| sellbe_analytics | first_party | 13 months | Aggregated traffic measurement (page views, conversion funnel). Set only after the visitor accepts analytics cookies. |
Sellbe uses cookies for user preferences — inform visitors with a consent banner.
A default Sellbe storefront sets first-party cookies for the session, the shopping basket, authentication of logged in customers, CSRF protection, language preference and consent state. Analytics or marketing cookies are added only when the merchant activates the corresponding modules and the visitor agrees through the consent banner.
You do not need consent for strictly necessary cookies (session, cart, authentication, CSRF, consent record): they fall under the exemption of Article 5(3) of the ePrivacy Directive. You do need prior, granular consent for any analytics, advertising or personalisation cookies you decide to enable.
Order processing, payment and account management rely on contract performance (Article 6(1)(b) GDPR). Tax records and consumer law obligations rely on legal obligation (Article 6(1)(c)). Security logs and fraud prevention rely on legitimate interest (Article 6(1)(f)). Newsletter and behavioural advertising rely on consent (Article 6(1)(a) plus Article 5(3) ePrivacy).
Sellbe itself does not. Comarch hosts the platform on Polish infrastructure, keeping customer data within the EEA. Third-country transfers only happen when the merchant activates an external integration (US analytics, non European payment gateway, etc.). In that case the merchant must rely on an adequacy decision, SCCs or another Chapter V mechanism.
Not automatically. A standard SMB storefront involves moderate volumes of routine data (identification, order, payment) and presents a low risk. A focused DPIA becomes useful when the merchant enables profiling, large scale newsletter campaigns, scoring or any processing of special categories. A record of processing activities and an information notice remain required in any case.
Sign the Comarch data processing agreement, complete the privacy and cookie policy with concrete categories and retention periods, install a consent banner that allows the visitor to accept, refuse or fine tune categories, restrict access to the back-office by role and configure automatic deletion of inactive accounts. Audit any third-party module added later.
Comparable EU friendly options include Shoper (Poland), PrestaShop (France) and Sylius (Poland) for hosted or self-hosted SMB stores, plus WooCommerce on WordPress for the long tail. For larger catalogues, BigCommerce EU, Centra (Sweden) or commercetools (Germany) can be deployed on European infrastructure with mature DPAs.
List in the cookie policy each cookie set by Sellbe (name, purpose, retention) and add a row whenever you activate an analytics or marketing module. Mention Comarch as processor, the hosting location in Poland and the contact for data subject rights. Review the policy at every major release of the platform or when you add a new integration.