Snipcart is a Canadian drop-in shopping cart for any website, operated by Snipcart Inc. in Quebec City (acquired by Duda in 2021). The script loaded from cdn.snipcart.com lets developers turn any static or CMS-based site into an e-commerce store with a cart drawer and a hosted checkout. Snipcart sets cookies that are not strictly necessary on the seller's page and processes orders on AWS Canada and Frankfurt. The Canadian adequacy decision keeps the GDPR risk low.
Snipcart is a drop-in HTML/JavaScript shopping cart developed by Snipcart Inc. in Quebec City, Canada, and now part of the Duda website builder group. Developers add a script tag from cdn.snipcart.com to any static site, Jamstack project, Hugo, Eleventy or CMS-based site and define products with HTML data attributes. Snipcart injects a cart drawer and a checkout iframe that handles the full purchase flow, with payment routed through Stripe, Square, Authorize.Net or Mollie.
Once the Snipcart script loads, the cart drawer writes first-party Snipcart cookies on the seller's domain (snipcart_session, snipcart_locale, snipcart_cart) to keep the in-progress cart and remember language and currency. The checkout iframe served from app.snipcart.com sets additional session and CSRF cookies. Stripe and other payment processors add their own cookies during the payment step. Snipcart's dashboard uses Google Analytics 4 and Sentry.
Until the visitor opens the cart, Snipcart cookies are not strictly necessary, so Art. 5(3) ePrivacy requires prior consent in the EU. A pragmatic option is to defer the Snipcart script to a consent-gated tag manager, or to use Snipcart's cookieless mode, which only writes cookies after Add to cart. Once the customer initiates the checkout, the strictly necessary cookies are exempt and the processing relies on contract performance.
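One way to implement the consent-gated deferral described above, as an added example that is not Snipcart's or this page's own code: the gate injects the script from cdn.snipcart.com only after the CMP reports consent or the visitor clicks Add to cart. The `functional` category name, the `doc` stand-in and the placeholder script path are assumptions.

```javascript
// Added example: consent gate for the Snipcart script tag.
// Assumptions: category name "functional", placeholder script path, fake document.
const SNIPCART_CDN_HOST = "cdn.snipcart.com"; // host named on this page
const SNIPCART_SRC = "https://cdn.snipcart.com/PLACEHOLDER/snipcart.js"; // placeholder path

function createSnipcartGate(doc, src = SNIPCART_SRC) {
  const url = new URL(src);
  // Refuse anything but HTTPS from the expected CDN host (blocks lookalike hosts).
  if (url.protocol !== "https:" || url.hostname !== SNIPCART_CDN_HOST) {
    throw new Error("unexpected Snipcart script origin: " + url.origin);
  }
  let loadedBy = null; // stays null until the script tag has been injected

  function inject(reason) {
    if (loadedBy !== null) return false; // idempotent: never inject twice
    const tag = doc.createElement("script");
    tag.src = url.href;
    tag.async = true;
    doc.head.appendChild(tag);
    loadedBy = reason;
    return true;
  }

  return {
    // Call from the CMP's change callback with the current category map.
    onConsent(categories) {
      return categories && categories.functional === true ? inject("consent") : false;
    },
    // Call from the seller's own Add to cart click handler.
    onAddToCart() {
      return inject("add-to-cart");
    },
    loadedBy: () => loadedBy,
  };
}

// Constructed stand-in for `document`, so the example also runs under Node.
function makeFakeDocument() {
  const appended = [];
  return {
    appended,
    createElement: (name) => ({ tagName: name }),
    head: { appendChild: (el) => appended.push(el) },
  };
}
```

In a browser, pass `document` as `doc`. When the Add to cart click triggers the load, that click still has to be handed to Snipcart once the script is ready, which this sketch leaves to the page.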
Snipcart processes EU customer data on AWS Canada Central and AWS Frankfurt. Canada has an adequacy decision under Art. 45 GDPR for commercial entities subject to PIPEDA, so the transfer is treated like an intra-EEA flow. The Snipcart DPA also incorporates the EU SCCs as a fallback. Payment processors apply their own transfer mechanisms.
Sign the Snipcart DPA, gate the script behind a CMP toggle or use the cookieless Add to cart mode, list Snipcart and the payment processors in your privacy notice and Article 30 record, document the Canadian adequacy and the onward transfers, and update your terms so refunds, taxes and disputes are handled by the seller (Snipcart is not the merchant of record).
Websites using Snipcart must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for a small shop using Snipcart. It can become relevant for stores combining Snipcart with extensive customer profiling, AI-driven recommendation and special category data tied to the customer base.
Sample consent text
Sales on this site are powered by Snipcart (Snipcart Inc., Canada), a drop-in shopping cart provider. Snipcart sets functional cookies, opens an iframe to its hosted checkout and processes orders on AWS Canada and Frankfurt. Canada benefits from an EU adequacy decision and payment processors handle the card data under their own SCCs and DPF.
Third-party domains contacted
snipcart.com
cdn.snipcart.com
app.snipcart.com
js.stripe.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| snipcart_session | first_party | Session | Snipcart session cookie set on the seller domain to keep the in-progress cart for the visitor. |
| snipcart_locale | first_party | 1 year | Functional cookie used by Snipcart to remember the visitor's language and currency preference between visits. |
| snipcart_cart | first_party | 30 days | Persistent cart cookie used by Snipcart to recover the visitor's cart contents across sessions. |
| asp_session | third_party | Session | Snipcart session cookie on the app.snipcart.com checkout iframe to keep the in-progress order. |
| asp_csrf | third_party | Session | CSRF protection token for the Snipcart hosted checkout iframe. |
Snipcart uses cookies for user preferences — inform visitors with a consent banner.
Once the Snipcart script loads, it writes first-party Snipcart cookies on the seller domain (snipcart_session, snipcart_locale, snipcart_cart) and on the app.snipcart.com checkout iframe (session and CSRF cookies). Stripe and other payment processors add their own cookies during the payment step.
Yes, for the cart cookies set as soon as the script loads. Art. 5(3) ePrivacy requires prior consent in the EU. Use a CMP toggle or Snipcart's cookieless Add to cart mode. Once the visitor initiates the checkout, the cookies become strictly necessary and are exempt.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the cart cookies on the seller domain. Contract performance (Art. 6(1)(b)) for the checkout. Legal obligation (Art. 6(1)(c)) for the seller's tax record keeping (Snipcart is a processor, not the merchant of record).
Primarily no. Snipcart Inc. is established in Canada, which has an EU adequacy decision for PIPEDA. EU customer data is processed on AWS Canada Central and AWS Frankfurt. Onward transfers occur to Stripe and similar processors under their own SCCs and DPF.
Not for a small shop. A DPIA may be appropriate if Snipcart is combined with extensive customer profiling, AI recommendations and special category data tied to the customer base.
Sign the Snipcart DPA, gate the script behind a CMP or use the cookieless mode, list Snipcart and the payment processors in your privacy notice and Article 30 record, document the Canadian adequacy and the onward transfers, and update your terms so refunds and disputes are handled by you (Snipcart is not the merchant of record).
Drop-in cart alternatives include Foxy.io (US with EU-friendly setup), Ecwid (US with EU servers), Shopify Lite (US with EU AWS), Sellfy (Latvia), Mollie Tip Jar / Mollie Checkout (Netherlands) and self-managed Stripe Checkout. For Jamstack stacks, you can also wire a custom cart on top of Stripe Payment Links.
List the Snipcart cookies in your cookie policy with their categories and durations. In your privacy notice describe Snipcart as your cart processor, the Canadian adequacy, the EU hosting on AWS Frankfurt and the onward transfers to Stripe and similar processors.