Spryker is a German headless commerce platform for B2B, B2C and marketplace scenarios, delivered as Cloud Commerce OS on AWS or as an on-premise PaaS+ stack, with a composable architecture and EU-based data centres.
Spryker is a German headless and composable commerce platform operated by Spryker Systems GmbH (Berlin). It targets B2B, B2C and enterprise marketplaces such as ALDI Sourcing, Toyota, Hilti, ZF Friedrichshafen and many DACH retailers. The platform is delivered either as Spryker Cloud Commerce OS (PaaS on AWS) or as a self managed installation. Spryker provides a glue layer (Spryker Glue REST and GraphQL APIs) that lets the publisher build any frontend (Next.js, Nuxt, mobile app, voice) on top of the commerce capabilities.
The default Yves storefront writes first party cookies on the publisher domain: PHPSESSID (session, browser session), spryker_csrf (CSRF protection, 1 hour), spryker_cart (anonymous cart id, 30 days) and spryker_customer (logged in customer flag, browser session). All of these cookies fall under the strictly necessary category and are exempt from prior consent under ePrivacy art. 5(3) and the EDPB guidelines 2/2023. When the publisher activates marketing integrations (Google Tag Manager, Klaviyo, Adobe Experience Platform), additional cookies are loaded by those vendors and require consent.
The commerce flow itself relies on performance of contract (GDPR art. 6(1)(b)) for the order, legal obligation (art. 6(1)(c)) for invoicing and customs documents, and legitimate interest (art. 6(1)(f)) for fraud prevention and stock management. Cart abandonment emails and personalised recommendations are non-essential and require consent or, for existing customers and similar products, the soft opt-in of ePrivacy art. 13(2). PSD2 strong customer authentication applies to payments above 30 EUR.
Spryker Cloud Commerce OS for EU customers runs on AWS Frankfurt and Dublin. Customer commerce data stays in the EEA. The Spryker DPA is fully compliant with German law and lists the sub-processors (AWS, Datadog, Sentry, Spryker SaaS support entities). Customers self-hosting Spryker keep full control over the data location. The Spryker Composable AI features rely on Microsoft Azure OpenAI Service in the European region; the publisher must accept the additional AI addendum.
Sign the Spryker DPA and select the EU Cloud Commerce region. Disable the analytics features that need consent (Customer Insights, Recommender) until the CMP allows them. Document Spryker Systems GmbH in your records of processing (GDPR art. 30) and the privacy notice. Implement the right to erasure and the right of access via the Spryker Customer API. For B2C retailers, configure the 14-day right of withdrawal as required by the EU consumer rights directive. Run a DPIA if the Composable AI features take decisions affecting customer offers or pricing.
Direct competitors include commercetools (Germany), SAP Commerce Cloud (Germany and US), Salesforce Commerce Cloud (US), Adobe Commerce ex Magento (US, EU hosted optional), Shopify Plus (Canada, EU hosted in Ireland) and BigCommerce (US). For B2B specific scenarios, Sana Commerce (Netherlands) and OroCommerce (US and France) are also relevant.
Websites using Spryker must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for large scale B2C deployments because Spryker processes customer accounts, orders and behavioural data. Document storefront tags separately.
Sample consent text
This site is built with Spryker, a German headless commerce platform operated by Spryker Systems GmbH in Berlin. The Spryker storefront writes strictly necessary cookies (session id, cart id, CSRF token) that do not require consent. We process your name, billing and shipping address, order history and payment metadata to fulfil your order under GDPR art. 6(1)(b) and the legal obligation to keep accounting records. Spryker Cloud Commerce OS hosts your data on AWS Frankfurt and Dublin; no transfer outside the European Economic Area takes place unless we explicitly enable a non EU integration.
Third-party domains contacted
spryker.com, cloud.spryker.com, spryker.cloud, static.spryker.com, glue.mysprykershop.com, yves.mysprykershop.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | First party HTTP cookie (Spryker) | Session | Default PHP session cookie set by the Yves storefront to identify the visitor across requests and maintain the cart and login state. Strictly necessary. |
| yves_session | First party HTTP cookie (Spryker) | Session | Maintains the customer session on the Yves storefront. |
| spryker_customer | First party HTTP cookie (Spryker) | 90 days | Persistent cookie that stores a customer reference for returning authenticated buyers so the storefront can restore preferences and personalised pricing. |
| spryker_csrf | First party HTTP cookie (Spryker) | Session | CSRF protection token used during form submissions. |
| csrf_token_* | First party HTTP cookie (Spryker) | Session | Strictly necessary CSRF token rotated per form submission to prevent cross-site request forgery against checkout and account endpoints. |
| cart_reference | First party HTTP cookie (Spryker) | 30 days | Functional cookie that stores the cart reference so the basket can be restored when the buyer returns within the validity window. |
Spryker uses cookies for user preferences — inform visitors with a consent banner.
Out of the box, the Yves storefront sets PHPSESSID for the session, a customer reference cookie for authenticated users, a CSRF token (csrf_token_*) and a basket reference cookie. These are strictly necessary. Any other cookie comes from optional Spryker modules (tracking, recommendations) or third party integrations that the merchant has activated.
Spryker storefronts set technical cookies (yves_session, PHPSESSID, spryker_csrf) that are strictly necessary for the cart and session. Third party analytics or marketing cookies are added by you, not by Spryker itself.
No. The default Spryker cookies are strictly necessary under Article 5(3) ePrivacy because they maintain the cart, the login state and CSRF protection. Consent becomes mandatory when the merchant enables the Spryker Tracking module, recommendation engines or third party integrations that store information for analytics or marketing purposes.
No consent is required for strictly necessary storefront cookies. Consent is required for any analytics, advertising or personalisation tag you add on top of Spryker (Google Analytics, Meta Pixel, etc.).
Account creation, order processing, payment and fulfilment rely on Article 6(1)(b) GDPR (performance of contract). Statutory invoice and tax retention relies on Article 6(1)(c) (legal obligation). Fraud prevention can be based on Article 6(1)(f) (legitimate interest). Personalisation and marketing tracking require consent (Article 6(1)(a)).
Contract performance (Art. 6(1)(b) GDPR) for the storefront and account features. Legitimate interest (Art. 6(1)(f)) for fraud prevention. Consent (Art. 6(1)(a)) for optional storefront tags.
Spryker Cloud Commerce OS does not. All environments run in AWS Frankfurt, Dublin or Stockholm and support staff outside the EU access data only through audited bastion sessions. However, merchants commonly integrate US based services (Salesforce, Algolia, Twilio); those transfers are out of Spryker scope and need to be assessed separately.
Spryker Cloud customers in Europe default to AWS Frankfurt. No transfer outside the EU takes place for the platform itself. AWS, as the hosting layer and sub-processor, is covered by EU SCCs and the EU-US Data Privacy Framework.
A DPIA is recommended when the deployment combines marketplace functionality (joint controllership with sellers under Article 26), large scale profiling (recommendation engines, customer segmentation), B2B account hierarchies that mix personal and corporate data, or special category processing (health, finance). For a vanilla B2C storefront without behavioural tracking, a DPIA is generally not required.
A DPIA is recommended for large scale B2C deployments processing many customer records, or for B2B sales with personal contacts. Document Spryker as a processor and the storefront tags separately.
Sign the Spryker DPA, document the AWS region in your record of processing, gate every optional tracking module behind your CMP, integrate Google Consent Mode v2 or the equivalent in the Yves storefront and Glue API responses, and expose the GDPR self service endpoints (access, rectification, erasure, portability) via the Customer Account API. Update the privacy notice when activating each new module or integration.
Sign the Spryker DPA, host in EU regions, document retention, expose Subject Access and Deletion endpoints via the customer account, integrate a CMP for storefront analytics/marketing tags, and audit your storefront tags regularly.
Composable commerce alternatives in Europe: commercetools (Germany), Salesforce Commerce Cloud (US), SAP Commerce Cloud (Germany/Bulgaria), VTEX (Brazil/US), BigCommerce (US), Shopify Plus (Canada). For open source: Sylius (France), Saleor (Poland), OroCommerce.
Direct alternatives in the composable commerce space include commercetools (Germany), Vendure (UK, open source), BigCommerce, Salesforce Commerce Cloud, SAP Commerce Cloud (Hybris), Shopware (Germany) and Adobe Commerce (Magento). commercetools and Shopware are the closest European competitors with EU hosting; Salesforce, SAP and Adobe Commerce typically run on US infrastructure unless an EU region is explicitly configured.
Re-scan the storefront with your CMP after every release, because new merchandising modules (Algolia search, Cloudinary images, customer reviews) can introduce additional cookies. Update the cookie register with each new module or integration, including the duration and recipient, and synchronise the privacy notice when Spryker adds a new sub-processor or AWS region.
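The re-scan and cookie-register check described above can be automated. The script below is an added example, not code from this page or from Spryker: it parses Set-Cookie headers captured from a storefront response, derives each cookie's lifetime (Max-Age, or Expires relative to a fixed reference time, with Max-Age taking precedence as RFC 6265 specifies) and compares the result with a register of the strictly necessary cookies taken from the table and text on this page. Cookies not in the register are flagged for consent classification, registered cookies whose observed lifetime exceeds the documented one are flagged as drift, and any cookie missing the Secure attribute is reported. The register contents, the sample headers and the reference time are constructed for this example.

```python
"""Cookie register audit for a Spryker storefront (added example, not Spryker code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Register of strictly necessary cookies, taken from the cookie table and text on
# this page. Value is the documented lifetime in seconds; None means browser session.
REGISTER = {
    "PHPSESSID": None,
    "yves_session": None,
    "spryker_csrf": None,
    "csrf_token_*": None,           # glob: one token per form
    "cart_reference": 30 * 86400,
    "spryker_cart": 30 * 86400,
    "spryker_customer": 90 * 86400,
}

# Constructed sample response headers, as a post-release scan might capture them.
SAMPLE_HEADERS = [
    "PHPSESSID=s3ss10n; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token_checkout=t0k3n; Path=/; Secure; SameSite=Strict",
    "cart_reference=CR-42; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "spryker_cart=CR-42; Expires=Sat, 31 Jan 2026 00:00:00 GMT; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.1234.5678; Max-Age=63072000; Path=/",
    "spryker_customer=cust-7; Max-Age=15552000; Path=/; Secure; HttpOnly",
]

# Fixed reference time so that Expires handling is deterministic (constructed).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    lifetime: Optional[int]   # seconds until expiry; None = session cookie
    secure: bool
    http_only: bool
    samesite: Optional[str]


def parse_set_cookie(header: str, now: datetime = NOW) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    max_age = None
    expires = None
    secure = http_only = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val)
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            samesite = val
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    lifetime = max_age
    if lifetime is None and expires is not None:
        lifetime = int((expires - now).total_seconds())
    return Cookie(name.strip(), lifetime, secure, http_only, samesite)


def audit(headers: List[str], now: datetime = NOW) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for cookies that need attention."""
    findings: List[Tuple[str, str]] = []
    for header in headers:
        c = parse_set_cookie(header, now)
        if not c.secure:
            findings.append((c.name, "missing Secure attribute"))
        entry = next((k for k in REGISTER if fnmatchcase(c.name, k)), None)
        if entry is None:
            findings.append((c.name, "not in register: classify and gate behind the CMP if non-essential"))
            continue
        documented = REGISTER[entry]
        if documented is None and c.lifetime is not None:
            findings.append((c.name, "documented as session cookie but is persisted"))
        elif documented is not None and c.lifetime is not None and c.lifetime > documented:
            findings.append((c.name, f"lifetime {c.lifetime}s exceeds documented {documented}s"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Audit the constructed sample headers against the register."""
    return audit(SAMPLE_HEADERS, NOW)


if __name__ == "__main__":
    for cookie_name, finding in run_audit():
        print(f"{cookie_name}: {finding}")
```

On the sample input the audit reports `_ga` twice (no Secure attribute, and absent from the register, so it must be classified and gated behind the CMP) and `spryker_customer` once, because its observed 180-day lifetime exceeds the 90 days the register documents. Running this against real headers after each release turns the "update the cookie register" step into a diff rather than a manual review.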
List the strictly necessary storefront cookies. Add separate entries for every analytics, marketing or personalisation tag you deploy on top of Spryker. Mention the EU hosting region and the Spryker DPA.