Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Swym Wishlist Plus is one of the most widely installed wishlist apps on Shopify and BigCommerce, developed by Swym Corporation in the United States. It lets shoppers save products to wishlists, share them, and receive back in stock or price drop notifications. The app loads a JavaScript tag on every storefront page, sets identification cookies, and transmits visitor activity, wishlist contents and (where opted in) email to Swym servers in the United States, which triggers GDPR transparency, consent and transfer obligations.
Swym Wishlist Plus is a wishlist and customer engagement application developed by Swym Corporation, a US based SaaS vendor headquartered in Bellevue, Washington. The app integrates natively with Shopify, Shopify Plus and BigCommerce, and exposes features such as multi list wishlists, save for later, back in stock and price drop notifications, share via email and social, and admin analytics. It is widely used by direct to consumer fashion, beauty and home brands serving Europe and North America.
When the Swym tag loads, it sets first party and third party cookies that store a pseudonymous visitor identifier, the wishlist contents, recently viewed products and a session identifier. On the server side Swym receives product views, add to wishlist events, share events, and email addresses or phone numbers when the visitor opts in to back in stock or price drop notifications. For signed in customers, the wishlist can be tied to the customer account through the Shopify or BigCommerce APIs, which makes the wishlist persistent across devices.
The Swym identification cookies are not strictly necessary in the sense of Article 5(3) ePrivacy Directive: a shop can function without a wishlist, so the wishlist itself is a feature requested by the visitor only when they actually click on the heart icon. The mainstream regulatory reading is that the tag should not load until the visitor either explicitly opts into wishlist features or accepts the relevant consent category in the CMP. Sending personal data (identifier, product activity, email) to the US triggers Article 44 GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The lawful basis for the Swym tag is consent under Article 6(1)(a) GDPR. When the wishlist is bound to a logged in customer account, contract performance under Article 6(1)(b) GDPR can support some aspects of the processing (storing the wishlist linked to the account), but the marketing oriented features (back in stock notifications, price drop notifications) still require freely given consent under Article 6(1)(a) GDPR and the ePrivacy direct marketing rules. A data processing agreement with Swym is required.
Swym operates its production environment on AWS in US regions, with global edge caching. Personal data collected from EU shoppers is therefore stored and processed in the United States. Swym publishes Standard Contractual Clauses in its DPA and, where applicable, certifies under the EU US Data Privacy Framework, which together provide the legal mechanism for the transfer. Operators must list Swym in their privacy notice, mention the transfer to the US and link to the Swym privacy policy.
Configure your CMP to keep the Swym JavaScript tag blocked until the visitor accepts the functional or marketing category that Swym belongs to. Sign the Swym DPA, mention Swym Corporation and the US transfer in your privacy notice, and rely on the EU US Data Privacy Framework or Standard Contractual Clauses. Limit the data sent to Swym to what is strictly necessary for the feature (avoid sending full customer profiles), and document opt out and deletion procedures so that wishlist data can be removed on request.
Websites using Swym Wishlist Plus must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the use of Swym Wishlist Plus on a typical D2C store, because the personal data processed is limited to wishlist content, anonymous identifiers and optional email for notifications. A DPIA should be considered when the merchant combines Swym with broader profiling, sells sensitive products (health, financial, adult), targets minors, or activates the SMS notification module which involves additional phone number processing and third country transfers.
Sample consent text
Our store uses Swym Wishlist Plus, a wishlist and notification app by Swym Corporation in the United States. With your consent, Swym places cookies on your device to identify your wishlist between visits and may send your email address to its servers in the US when you sign up for back in stock notifications. These transfers rely on Standard Contractual Clauses and the EU US Data Privacy Framework where applicable.
Third-party domains contacted
swym.itswymrelay.comapi.swym.itcdn.swym.itCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _swym_session_id | first_party | Session | Session identifier set by Swym to link the storefront session to a Swym server side context. Cleared when the browser is closed. |
| _swym_visitor | first_party | 12 months | Pseudonymous visitor identifier used by Swym to recognise the same shopper across visits and to keep the wishlist persistent on the same device. |
| _swym_wishlist | first_party | 12 months | Stores a compact representation of the visitor wishlist locally so the wishlist can be displayed without an API call. Synchronised with Swym backend when consent is given. |
| swym_relay | third_party | 12 months | Set on the swymrelay.com domain to enable cross device wishlist features and to deliver back in stock and price drop notifications when the visitor opts in. |
Swym Wishlist Plus uses cookies for user preferences — inform visitors with a consent banner.
The Swym tag sets a small set of first party cookies that identify the visitor (a pseudonymous Swym visitor ID), keep the local wishlist state on the device, and link the storefront session to a Swym server side context. A third party cookie on the swymrelay.com domain (or the merchant Swym subdomain) is set when the visitor interacts with cross device or notification features. All these cookies are non strictly necessary and require consent.
Yes. Swym writes identifiers and stores wishlist activity that go beyond the strictly necessary scope of Article 5(3) ePrivacy Directive, and it transmits personal data (including potentially email and phone) to the United States. The Swym tag must therefore remain blocked until the visitor accepts the relevant CMP category (functional or marketing depending on how strict the operator wants to be) or explicitly engages with a wishlist feature for the first time.
The default legal basis for the Swym tag, wishlist tracking and notification subscriptions is consent under Article 6(1)(a) GDPR. For wishlists bound to a logged in customer account, contract performance under Article 6(1)(b) GDPR can support the persistence of the wishlist data linked to the account, but the marketing notifications still rest on consent and on the ePrivacy direct marketing rules.
Yes. Swym Corporation is established in the United States and operates its production environment on AWS US regions. Personal data collected from EU visitors (identifiers, wishlist content, email and phone numbers if provided) is therefore transferred to the US. Swym signs Standard Contractual Clauses with merchants and, where applicable, is certified under the EU US Data Privacy Framework, which together cover the legal mechanism for the transfer.
A DPIA is normally not required for using Swym on a typical D2C store, because the volume and sensitivity of the data are modest. A DPIA becomes recommended when the merchant combines Swym with broader customer profiling, sells sensitive categories (health, financial services, adult content), targets minors, or enables high frequency SMS notifications that increase the intrusiveness of the processing.
Block the Swym JavaScript tag in your CMP until the visitor accepts the relevant category. Sign the Swym data processing agreement, list Swym Corporation in your privacy notice as a sub processor, and mention the US transfer with the applicable mechanism. Configure the integration to send only the data needed for the feature you actually use (avoid pushing full customer profiles), and surface a way to remove the wishlist when the visitor exercises their right to erasure.
For Shopify and BigCommerce stores, alternative wishlist apps include Wishlist Hero, Wishl, Smart Wishlist by Webkul, Growave and Wishlist King. From a GDPR perspective they all process broadly similar data; Growave is built by an EU based team but also processes data outside the EEA. EU hosted SaaS alternatives are rarer in this category, so the focus is on transparent disclosure and a strong consent gate.
Add a section to the cookie policy listing the Swym cookies (visitor ID, wishlist state, session, notification preferences) with their name, duration, purpose and Swym as recipient. Add Swym Corporation to the sub processor list in your privacy notice, describe the US transfer and reference the EU US Data Privacy Framework. Mention the right to withdraw consent at any time and the procedure for deleting the wishlist data.