Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Sellerdeck (formerly Actinic) is a UK, born e, commerce platform popular with small and mid, market British retailers. It is delivered as a self, hosted PHP/ASP shopping cart that sits on the merchant's own server, with a desktop catalogue editor that publishes to the online store. As a self, hosted application the privacy footprint is largely controlled by the merchant: shopping cart cookies stay first, party, and third, country transfers only appear if cloud add, ons (Stripe, PayPal, Google Analytics, Trustpilot) are enabled.
Sellerdeck (born as Actinic in the late 1990s) is a UK e, commerce platform built around a desktop catalogue editor and a self, hosted shop front. The merchant edits products, categories and prices in the desktop tool and publishes the resulting site to PHP or ASP files that run on the merchant''s own web server. The vendor, Sellerdeck Ltd., supplies software updates and hosting plans, but the customer database lives entirely on the merchant infrastructure unless a cloud add, on is enabled.
Sellerdeck uses a small set of first, party cookies focused on cart and account state: AC_USERID and AC_SHIP for cart and shipping, AC_LOGIN for the remember, me token, and AC_LASTSEEN for the last category browsed. These cookies live on the merchant''s own domain and contain only opaque identifiers, no personal data is stored client, side. Optional analytics, marketing or reviews cookies appear only when the merchant integrates Google Analytics, Trustpilot, Mailchimp or similar add, ons.
Because the platform is self, hosted, Sellerdeck Ltd. is the software supplier, not a processor for the customer or order data. The merchant is the controller and remains responsible for its own backups, access controls, retention policies and breach notification obligations. A processor relationship arises only with the cloud add, ons (payment gateway, analytics provider, marketing email vendor) selected by the merchant.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
By default no third, country transfer occurs : the database is on the merchant''s UK or EU server. Transfers only occur when the merchant enables a US, based payment processor (Stripe, PayPal), a US analytics service (Google Analytics, Microsoft Clarity), a US email vendor (Mailchimp, SendGrid) or a US review service (Trustpilot data is in the UK but some sub, processors are in the US). Each integration is treated as a separate transfer and added to the privacy notice.
Keep the AC_ cookies in the strictly necessary category and load them without consent. Block any add, on cookie (GA, Mailchimp, Trustpilot) behind the CMP gate. Document the integrations you enabled in your processing register. Sign DPAs with each cloud add, on supplier. Encrypt the local customer database, restrict the desktop catalogue editor to staff machines with disk encryption, and run periodic backups stored within the EEA or the UK.
Websites using Sellerdeck must obtain user consent under GDPR regulations.
DPIA considerations
Sellerdeck is self, hosted so the merchant is the sole controller and the platform vendor (Sellerdeck Ltd.) acts only as a software supplier, not as a processor for orders. Key DPIA considerations: (1) account, cart and order data live on the merchant's own database, so a breach is a merchant, side incident; (2) any cloud add, on (payments, analytics, reviews) introduces its own controller/processor analysis; (3) the marketing module, when enabled, sends order emails through third, party SMTP providers (Mailchimp, SendGrid) that should be DPA, covered; (4) the desktop catalogue editor synchronises customer data to the local computer of the merchant, requiring endpoint security controls; (5) PCI DSS scope reduction needs review when card numbers transit the Sellerdeck server before forwarding to the payment processor. A DPIA is typically not required for a standard small, merchant deployment but becomes useful when the merchant integrates multiple cloud add, ons.
Sample consent text
Our online store runs on Sellerdeck, hosted on our own servers in the United Kingdom. Sellerdeck uses strictly necessary cookies to keep your shopping basket and account session active. Optional analytics, marketing and reviews cookies are loaded only after you give consent in the cookie banner. We do not transfer your data outside the United Kingdom or the European Economic Area unless you complete a payment with a US, based provider, in which case the relevant payment service will be named in the checkout screen.
Third-party domains contacted
sellerdeck.co.uksellerdeck.comupdates.sellerdeck.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AC_USERID | Strictly necessary | Session | Identifies the current shopping cart and keeps cart contents associated with the visitor across pages of the checkout flow. |
| AC_SHIP | Strictly necessary | Session | Stores the selected shipping option during checkout so the same option is preserved through later steps. |
| AC_LASTSEEN | Functional | 30 days | Stores the last category browsed so the catalogue can highlight recently viewed sections on return visits. |
| AC_LOGIN | Strictly necessary | 30 days | Holds the authenticated customer token between visits when the customer ticked Remember me on the login form. |
Sellerdeck uses cookies for user preferences — inform visitors with a consent banner.
Sellerdeck sets first, party cookies AC_USERID and AC_SHIP for cart and shipping state, AC_LOGIN for the remember, me token and AC_LASTSEEN for the last category browsed. All live on the merchant's own domain and contain opaque identifiers only.
No. AC_USERID, AC_SHIP and AC_LOGIN are strictly necessary to operate the shopping cart, checkout and customer login and qualify for the Article 5(3) ePrivacy exemption. Consent is only required for any optional analytics, marketing or reviews module the merchant adds.
Contract performance (Art. 6(1)(b) GDPR) for orders and accounts, legitimate interest (Art. 6(1)(f)) for fraud prevention and basic logs, and explicit consent for marketing and analytics integrations.
Not by Sellerdeck itself : the database is on the merchant's server. Transfers only happen when the merchant enables a US, based add, on (Stripe, PayPal, Google Analytics, Mailchimp, etc.). Each add, on is treated as a separate transfer and listed in the privacy notice.
Not for a typical small or mid, market Sellerdeck shop. A DPIA becomes useful when you integrate multiple cloud add, ons, when you process special categories of data (health, biometric), or when you exceed 50,000 customer records.
Keep the AC_ cookies in the strictly necessary category. Block third, party add, ons behind the CMP. Document each cloud integration in your processing register. Sign DPAs with cloud add, on vendors. Encrypt backups and the local desktop catalogue editor machine. Set retention periods for customer accounts and abandoned carts.
Yes : PrestaShop, Shopware, JTL Shop (German), Lightspeed eCom (Dutch), Sylius (PHP, Polish/UK), Iziflux. Most are open source or EU, based and can be deployed entirely within the EEA.
List AC_USERID, AC_SHIP, AC_LOGIN and AC_LASTSEEN in the strictly necessary section of your cookie table with their duration and purpose. Add a separate section for each cloud add, on (GA, PayPal, Stripe, Mailchimp, Trustpilot) and document their respective domains and recipients.