Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Swaven is a French brand commerce platform that lets FMCG and consumer brands embed where to buy widgets on their websites. When the visitor clicks a product, Swaven displays the list of online and offline retailers selling it, with an Add to cart click out that redirects to the chosen retailer. Swaven captures the click, the product, the visitor IP and a persistent identifier to attribute sell out and demand to the right retailer. As a French data processor, it operates primarily on EU infrastructure, but its widgets still need consent like any third party tag.
Swaven is a brand commerce platform built in Paris. FMCG and consumer brands embed Swaven widgets to bridge the gap between brand websites and the retailers that actually sell their products: a product page becomes a where to buy widget, a campaign becomes a click, out to retailer baskets, and a brand catalogue becomes an attribution dashboard that tracks demand across every distribution channel.
The Swaven widget sets a persistent swaven_uid cookie (1 year) that is shared across every brand using Swaven, a session cookie, a locale cookie and an optional swaven_consent cookie when Swaven displays its own mini consent layer. It records IP, User, Agent, product viewed, retailer chosen and the timestamp of each click, out. Brands receive aggregated sell out reports plus raw, per, click data in their dashboard.
Persistent identifiers and click, out tracking are not strictly necessary, so prior consent under Article 5(3) ePrivacy is required. The brand acts as controller, Swaven SAS as processor. When the click, out leads to a retailer outside the EEA, that retailer becomes the receiving controller for everything that happens after the redirect, and the brand''s privacy notice should make this transfer visible to the user before they click.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Production data is hosted on AWS eu, west, 3 (Paris) and stays within the EU. Swaven is a French SAS regulated by the CNIL. Sub, processors are typically European. Third, country exposure exists only through the redirect target retailer and through optional integrations the brand chooses (Google Analytics, Mixpanel) that the brand must declare separately.
Block the Swaven widget behind the CMP consent gate. Use a click, to, load placeholder for users who refuse. Add Swaven SAS to the privacy notice as a processor. List the swaven_uid, session, locale and consent cookies in the cookie policy. Sign the Swaven DPA and verify EU only hosting in the order form. Document the retailer click, out chain in the processing register and flag the non, EEA retailers.
Websites using Swaven must obtain user consent under GDPR regulations.
DPIA considerations
Swaven processes product clicks, retailer choice, IP, User, Agent and a persistent visitor identifier to attribute demand and click, out volume to the right retailer. Key DPIA considerations: (1) although infrastructure is EU based, the click, out redirects the visitor to retailer domains that may be outside the EEA (Amazon US, AliExpress); (2) the persistent identifier (swaven_uid) enables cross, brand profiling because the same identifier is reused across all brands using Swaven, raising a re, identification risk; (3) where the brand additionally enables Swaven's newsletter or sample request module, Article 13 ePrivacy marketing consent applies; (4) where Swaven exposes sell out reports tied back to IPs or campaign IDs, the brand and Swaven should clarify their controller / processor roles; (5) integration with a price intelligence module brings retailer pricing data into scope and may trigger competition law obligations alongside the GDPR. A DPIA is generally not required for standard where to buy use but is recommended for any deployment combining lead capture and cross, brand identifiers.
Sample consent text
To help you find our products online, we use Swaven (Swaven SAS, Paris, France), a European where to buy service. Swaven loads its script in your browser, sets cookies to remember your product selection and records the retailer you click through to. Data stays within the European Union. Personal data leaves the EU only if you click through to a retailer based outside the EEA, in which case the retailer becomes the data controller for what you do next.
Third-party domains contacted
swaven.comapi.swaven.comwidget.swaven.comcdn.swaven.comclick.swaven.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| swaven_uid | Marketing | 1 year | Persistent visitor identifier shared across every brand that uses Swaven. Allows cross, brand attribution of where to buy clicks and audience modelling. |
| swaven_session | Functional | Session | Identifies the current widget session and groups events (product view, retailer selected, click, out) for analytics. |
| swaven_locale | Functional | 180 days | Stores the language and country detected for the visitor so the widget shows the relevant retailers and currencies. |
| swaven_consent | Strictly necessary | 6 months | Stores the visitor's decision in the Swaven, native mini consent layer when the publisher does not provide its own CMP. |
Swaven uses cookies for user preferences — inform visitors with a consent banner.
Swaven sets swaven_uid (1 year, cross, brand persistent ID), swaven_session (session), swaven_locale (180 days, language preference) and swaven_consent (6 months, mini consent layer when no CMP is present). All cookies are on Swaven domains.
Yes. Persistent cross, brand identifiers and click, out tracking go beyond strictly necessary, so prior consent under Article 5(3) ePrivacy is required. Use a click, to, load placeholder.
Consent for analytics and the persistent visitor identifier. Legitimate interest can sometimes carry the click, out attribution metric (no persistent identifier on click, out alone) but the widget itself needs consent.
By default no: Swaven hosts in Paris (AWS eu, west, 3). Transfers appear only when a click, out lands on a non, EEA retailer (e.g. Amazon US), in which case that retailer becomes the receiving controller.
Not for a standard where to buy use case. A DPIA becomes useful when you add lead capture (sample requests, newsletter sign, up) or when you build cross, brand audiences using the swaven_uid identifier.
Lazy, load the widget behind the CMP. List Swaven SAS in the privacy notice. Sign the Swaven DPA and ask for an EU only hosting confirmation. Audit the retailer list to flag non, EEA destinations. Use a static fallback for users who decline cookies.
Yes: Mikmak (US), Channel Sight, Bonsai (UK), Productsup (Germany), or building a custom retailer locator backed by your own catalogue. Swaven is generally the most EU friendly option for FMCG where to buy.
List the four Swaven cookies with domain, duration and purpose. Add Swaven SAS as a processor based in Paris. Mention the United States only if your retailer list contains US storefronts the user can click through to.