Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Selless is a Russian all-in-one e-commerce and social auto-commerce platform that powers high-volume merchant stores. It sets functional cookies for cart persistence, session continuity and conversion attribution, and routes visitor data through infrastructure located in the Russian Federation. Operators embedding Selless on EU-facing sites must obtain prior consent for non-essential cookies and document the international transfer risk.
Selless is a Russian all-in-one e-commerce platform that positions itself as a social auto-commerce engine for high-volume merchants. Stores built on Selless combine a hosted storefront, checkout, cart, inventory and a marketing layer designed to convert traffic coming from social networks, messengers and paid acquisition. The platform is delivered as a managed service, so the merchant configures products and campaigns inside the Selless dashboard while the underlying servers, databases and tracking endpoints are operated by the vendor.
From an integration standpoint, Selless is typically embedded by pointing a merchant domain at Selless infrastructure or by loading a script that bootstraps the store. Either way, the merchant brand appears in the browser address bar while the actual processing happens on Selless servers. This first-party setup is convenient for conversion rates, but it has direct consequences for GDPR scoping because cookies set under the merchant domain are still controlled by Selless from a regulatory perspective.
Selless relies on cookies for several purposes. Strictly necessary cookies hold the session identifier and the cart payload so a visitor can browse, add items and proceed to checkout without losing state. Functional cookies remember language and merchandising preferences. Marketing and conversion cookies attach a visitor identifier that survives across pages and campaigns, allowing the platform to attribute purchases back to a traffic source and to power the social auto-commerce features that are central to the product.
Beyond cookies, Selless captures the IP address, the user agent, page paths, time on page, products viewed, checkout steps reached, order totals and any contact details provided at checkout. For merchants connecting paid channels, conversion events are also forwarded to Selless analytics endpoints. Personal data is therefore involved well before a purchase is completed, which means GDPR applies to a large share of the visitor journey, not only to the order itself.
Under Article 5(3) of the ePrivacy Directive, any storage of or access to information on a user device requires prior consent unless the cookie is strictly necessary to deliver a service the user explicitly requested. Cart and session cookies fall under that exemption, but conversion, marketing and functional preference cookies do not. They must be blocked until the visitor has provided a freely given, specific, informed and unambiguous opt-in via a compliant consent banner.
Under GDPR, Selless is a processor acting on behalf of the merchant for order data and a joint or independent controller for the platform analytics that feed its product. A signed data processing agreement is therefore mandatory, and the merchant must list Selless in the record of processing activities and in the privacy notice. The retention period for cart, behavioural and conversion data must be defined and documented, and visitors must be able to exercise access, deletion and objection rights against both the merchant and Selless.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
This is the most sensitive issue with Selless for EU operators. The platform processes data on infrastructure located in the Russian Federation, and the European Commission has not adopted an adequacy decision for Russia. Article 46 GDPR therefore requires a valid transfer mechanism, typically the 2021 Standard Contractual Clauses, together with a documented Transfer Impact Assessment that evaluates lawful access risk under Russian legislation and the effectiveness of supplementary measures such as encryption and pseudonymisation.
Following the Schrems II reasoning, the controller must assess whether local authorities can compel disclosure of EU personal data and whether the data subject has effective remedies. Given the current geopolitical and legal context, many EU data protection authorities consider transfers to Russia as carrying an elevated baseline risk. The merchant must be able to demonstrate that supplementary measures actually neutralise that risk, or accept that the transfer should not take place and adopt an EU-hosted alternative.
Because conversion and marketing cookies are involved and because data leaves the EU to a non-adequate country, a Data Protection Impact Assessment is strongly recommended. The DPIA should map the data categories, the actors, the retention periods, the cookie inventory and the transfer chain, then assess the residual risk after technical and organisational measures. The consent banner must offer a reject option as prominent as accept, must avoid pre-ticked boxes and must clearly mention that data is transferred to the Russian Federation.
Concretely: load the Selless conversion and marketing tags only after consent, keep the strictly necessary cart and session cookies running, sign and archive the data processing agreement, complete the Transfer Impact Assessment, and add Selless to the cookie table of the privacy policy. Mention Russia explicitly in the international transfers section. If the residual risk remains high, consider migrating to an EU-hosted e-commerce platform such as Shopware, PrestaShop on EU infrastructure or a Shopify store with EU data residency commitments.
Websites using Selless must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended. Selless processes purchase intent, cart contents and conversion identifiers, then transfers them to a non-adequate country (Russia). Key DPIA inputs: data categories, retention, recipients inside the Russian Federation, lawful access risk under local legislation, supplementary measures (encryption in transit, pseudonymisation), and the proportionality of the transfer versus EU-hosted alternatives.
Sample consent text
We use Selless to operate our online store, remember your cart and measure conversions. These tools set functional and marketing cookies and transfer data to servers located in the Russian Federation, a country without an EU adequacy decision. Click Accept to allow these cookies, or Reject to limit processing to strictly necessary cart and session storage.
Third-party domains contacted
selless.comcdn.selless.comapi.selless.comanalytics.selless.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| selless_sid | Strictly necessary | Session | Holds the server-side session identifier so the visitor can browse and check out without losing state. |
| selless_cart | Strictly necessary | 30 days | Stores the cart contents so the visitor can return and complete the order on the same device. |
| selless_uid | Marketing | 12 months | Persistent visitor identifier used by Selless for conversion attribution and social auto-commerce features. |
| selless_src | Marketing | 90 days | Stores the original traffic source (campaign, channel, referrer) for attribution of subsequent orders. |
| selless_pref | Functional | 6 months | Saves language, currency and merchandising preferences chosen by the visitor. |
| selless_csrf | Strictly necessary | Session | Anti-CSRF token protecting form submissions and checkout actions. |
Selless uses cookies for user preferences — inform visitors with a consent banner.
Selless sets strictly necessary cookies for the session, cart contents and CSRF protection, functional cookies for language and merchandising preferences, and marketing cookies for visitor identification and conversion attribution. Only the strictly necessary cookies can be loaded before consent; functional and marketing cookies must be blocked until the visitor opts in.
Yes. The marketing and functional cookies set by Selless are not strictly necessary and therefore require prior, freely given, specific, informed and unambiguous consent under Article 5(3) ePrivacy and the GDPR. Only the cart, session and CSRF cookies can rely on the strict necessity exemption.
For order data, the legal basis is performance of a contract (Article 6(1)(b) GDPR). For functional preferences, marketing cookies and conversion tracking, the legal basis is consent (Article 6(1)(a) GDPR), aligned with the ePrivacy opt-in. Legitimate interests cannot justify the marketing and conversion cookies because the ePrivacy regime applies first.
Selless processes data on infrastructure located in the Russian Federation, a country that is not covered by an EU adequacy decision. Transfers require Article 46 safeguards (typically the 2021 SCCs) and a documented Transfer Impact Assessment. Given the lawful access context, residual risk is considered high by many EU data protection authorities.
A DPIA is strongly recommended. The combination of conversion tracking, behavioural data collection and transfers to a non-adequate country reaches at least two of the EDPB criteria that trigger Article 35 GDPR. Document data flows, categories, retention, recipients in Russia, supplementary measures and the residual risk before going live.
Block all non-essential Selless scripts and cookies until the user has accepted via a compliant CMP. Sign the data processing agreement, complete the Transfer Impact Assessment, list Selless in the privacy notice and cookie table, mention Russia as a destination country, and configure short retention periods for behavioural and conversion data.
Yes. For EU-facing storefronts, consider Shopware (Germany), PrestaShop hosted in the EU, Shopify with EU data residency, Sylius, or WooCommerce on a managed EU host. These options keep order, cart and conversion data within the EEA and avoid the Russia transfer risk that dominates the Selless assessment.
Add a dedicated row in the cookie table for each Selless cookie (selless_sid, selless_cart, selless_uid, selless_src, selless_pref, selless_csrf), with type, duration and purpose. In the international transfers section, name the Russian Federation as a destination, cite Article 46 SCCs and reference your Transfer Impact Assessment. Mention Selless among third-party processors and update at every product change.