Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
ShopBase is a hosted e-commerce platform built by OpenCommerce Group, specialised in dropshipping, print on demand and cross border retail. It targets merchants who sell from the US, Vietnam and Eastern Europe to global audiences, including EU shoppers. ShopBase includes a complete checkout, a built in marketing stack (Facebook Pixel, Google Ads, TikTok Pixel) and runs on US based AWS infrastructure, which triggers GDPR transparency, consent and transfer obligations for European visitors.
ShopBase is a hosted e-commerce platform built by OpenCommerce Group, with a strong focus on dropshipping, print on demand and cross border retail. It is positioned as a Shopify alternative for merchants in the United States, Vietnam and Eastern Europe who sell to global audiences, including EU shoppers. Beyond storefront and checkout, ShopBase ships native integrations with Facebook Pixel, Google Ads, TikTok Pixel, Klaviyo and a print on demand catalogue, making it an end to end stack for direct to consumer brands.
At minimum ShopBase sets a session cookie, an authentication cookie and a persistent cart cookie. The platform processes customer accounts, order data, addresses, payment metadata, support history and product browsing history. The optional marketing pixels (Facebook, Google Ads, TikTok) add tracking identifiers, conversion identifiers and remarketing cookies that go beyond strictly necessary.
The session and cart cookies fall under the Article 5(3) ePrivacy strictly necessary exemption. The marketing and analytics pixels are non strictly necessary and require prior consent. The transfer of customer data to US infrastructure triggers Article 44 GDPR and must rely on Standard Contractual Clauses or the EU US Data Privacy Framework. Order, account and address data are processed under contract performance under Article 6(1)(b) GDPR, with transparency obligations under Articles 13 and 14 GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Cart, login and order processing rely on contract performance (Article 6(1)(b) GDPR). Marketing pixels, behavioural analytics and remarketing rely on consent (Article 6(1)(a) GDPR). Fraud prevention relies on legitimate interest (Article 6(1)(f) GDPR). Tax retention relies on legal obligation (Article 6(1)(c) GDPR). The merchant is the controller; OpenCommerce Group is a processor under Article 28 GDPR.
ShopBase hosts its production environment on US based AWS regions, with global edge caching. Personal data of EU shoppers is therefore transferred to the United States, with onward transfers to Meta (Facebook Pixel), Google (Ads), TikTok (Pixel) and other marketing sub processors. All these transfers require Standard Contractual Clauses or the EU US Data Privacy Framework certifications, listed in the privacy notice and reflected in the records of processing activities.
Sign the OpenCommerce DPA, list OpenCommerce Group as a processor in the privacy notice, mention the US AWS hosting and all marketing pixel sub processors. Integrate a CMP that can block Facebook, Google and TikTok pixels until consent, ensure that the cart and checkout cookies remain active for the booking session, and run a DPIA covering the full data flow from storefront to fulfilment, including dropshipping logistics that may involve additional third country transfers.
Websites using ShopBase must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for most ShopBase deployments serving EU shoppers because the platform combines US based hosting, behavioural marketing pixels (Facebook, TikTok, Google Ads), large scale customer data processing and frequent dropshipping flows with international logistics. These factors typically meet several Article 35 GDPR criteria (large scale processing, profiling, third country transfers) and require a documented DPIA.
Sample consent text
Our online shop runs on ShopBase, a hosted commerce platform by OpenCommerce Group. Strictly necessary cookies operate the cart, login and checkout without your consent. With your permission we also load optional Facebook, Google Ads, TikTok and analytics pixels. Your order and account data is hosted on US AWS infrastructure under Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
shopbase.comadmin.shopbase.comcdn.shopbase.comopencommerce.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _session_id | first_party | Session | Storefront session identifier set by ShopBase to bind the visitor to a server side session. |
| _cart | first_party | 30 days | Persistent cart identifier used by ShopBase to retain the basket between visits. |
| _customer | first_party | 12 months | Identifies the authenticated customer once they sign in. |
| sb_ab | first_party | 90 days | Variant cookie for the built in A/B testing module. Requires consent. |
ShopBase uses cookies for user preferences — inform visitors with a consent banner.
A default ShopBase storefront sets a session cookie, an authentication cookie after sign in and a persistent cart cookie that keeps the shopping basket between visits. The optional marketing pixels (Facebook, Google Ads, TikTok) add their own tracking and remarketing cookies, all non strictly necessary and consent gated.
Consent is not required for the strictly necessary cart, login and checkout cookies. Consent is required for the marketing pixels, behavioural analytics and remarketing cookies enabled by the merchant. These cookies must stay blocked in the CMP until the visitor opts in.
Cart, login, order and payment processing rely on contract performance under Article 6(1)(b) GDPR. Marketing and analytics rely on consent under Article 6(1)(a) GDPR. Fraud prevention relies on legitimate interest under Article 6(1)(f) GDPR. Tax retention relies on legal obligation under Article 6(1)(c) GDPR.
Yes. ShopBase hosts on US AWS infrastructure, with OpenCommerce Group as the US controller. Personal data of EU shoppers is therefore transferred to the United States. Standard Contractual Clauses and the EU US Data Privacy Framework apply, and the marketing pixels (Facebook, Google, TikTok) add their own US sub processing layers.
Recommended, because of the combination of US hosting, behavioural marketing pixels and frequent dropshipping flows. These trigger several Article 35 GDPR criteria and require a documented DPIA, especially when the operator targets large EU audiences.
Sign the ShopBase DPA, list OpenCommerce Group as a processor, mention the US AWS hosting and all marketing pixel sub processors in the privacy notice. Integrate a CMP that can block the marketing pixels until consent, run a DPIA, and align retention with the local accounting and consumer protection rules.
For dropshipping and cross border e-commerce, alternatives include Shopify, BigCommerce, Wix eCommerce, WooCommerce and Lightspeed eCom. From a GDPR perspective, EU based options such as Shopware and Lightspeed eCom offer a simpler transfer chain.
List the strictly necessary cookies (cart, login, session) with names and durations. List each marketing and analytics pixel cookie with purpose, duration and recipient. Mention OpenCommerce Group and the marketing pixel operators (Meta, Google, TikTok) as recipients, describe the US transfers and the applicable transfer mechanisms.