Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
THG Ingenuity is the end to end direct to consumer commerce platform from The Hut Group, providing storefront, order management, global fulfilment, marketing and analytics for brands operating online stores worldwide.
THG Ingenuity is the commerce platform and services arm of The Hut Group (THG plc), a British ecommerce conglomerate listed on the London Stock Exchange. It powers complete direct to consumer online stores for global brands, combining a storefront builder, order management, fulfilment from warehouses across the United Kingdom, United States, Australia and the European Union, digital marketing, content production and translation. Brands use THG Ingenuity as the technology, logistics and operations backbone of their own branded stores.
Because THG Ingenuity runs the entire storefront on the brand domain, it processes a broad set of personal data: account and identity information, billing and shipping addresses, payment tokens, full order and return history, device and browser metadata, IP address, page views, clickstream and basket events, A/B test assignments, marketing attribution identifiers and behavioural segments. Typical cookies include thg_visitor_id, thg_session_id, thg_cart, thg_ab_test, _thg_consent and various payment and fraud prevention tokens.
Most THG Ingenuity cookies fall outside the strict necessity exemption of Article 5(3) of the ePrivacy Directive and the German TDDDG, so they require prior informed consent before being set. The brand acts as data controller for its customers and THG Ingenuity acts as processor under Article 28 GDPR, requiring a written data processing agreement, documented sub processors, security measures and assistance with data subject requests. Behavioural profiling and personalisation also trigger transparency obligations under Articles 13 and 14 GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Order fulfilment, payment processing and core account functions can rely on contract performance under Article 6(1)(b) GDPR and on the strict necessity exemption for the corresponding cookies. Analytics, A/B testing, marketing tags, retargeting, personalisation and behavioural segmentation require prior, freely given, specific, informed and unambiguous consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. Consent must be collected through a compliant banner before any non essential THG script or pixel loads.
THG Ingenuity hosts primarily in the United Kingdom with United States and EU Frankfurt regions for global brands. Transfers from the EU to the UK rely on the European Commission adequacy decision adopted in 2021 and subject to periodic review, while transfers to the United States rely on Standard Contractual Clauses and, where applicable, the EU US Data Privacy Framework. Practical steps include signing the THG data processing agreement, mapping sub processors, deploying a consent management platform that blocks non essential tags, configuring data retention, and documenting transfer impact assessments.
Websites using THG Ingenuity must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended. THG Ingenuity operates the entire commerce stack, processing identity, account, order, payment, behavioural and marketing data at large scale, combined with international transfers to the UK and US and extensive profiling for personalisation and A/B testing.
Sample consent text
We use THG Ingenuity to run our online store. With your consent we set analytics, A/B testing and marketing cookies to personalise content, measure performance and show relevant offers. Order fulfilment and payment cookies are strictly necessary.
Third-party domains contacted
thgingenuity.comcdn.thgingenuity.comthg.comanalytics.thg.comapi.thg.comcdn.thg.comstatic.thgingenuity.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| thg_visitor_id | first_party | 1 year | Persistent visitor identifier used to recognise the device across sessions for analytics, A/B testing assignment and marketing attribution on the THG Ingenuity storefront. |
| thg_session_id | first_party | Session | Maintains the current browsing session, links page views and cart actions, and supports basic security and load balancing on the storefront. |
| thg_cart | first_party | 30 days | Stores the cart token so that the visitor can return to a populated basket; strictly necessary for the contractual checkout function. |
| thg_ab_test | first_party | 6 months | Persists the visitor allocation to A/B and multivariate test variants so that experiences remain consistent across page views. |
| _thg_consent | first_party | 6 months | Records the visitor cookie consent choices per category (necessary, analytics, marketing, personalisation) so the storefront can gate non essential scripts. |
| thg_marketing_id | first_party | 1 year | Marketing and attribution identifier used for retargeting, audience segmentation and measurement of advertising campaigns driving traffic to the storefront. |
THG Ingenuity uses cookies for user preferences — inform visitors with a consent banner.
THG Ingenuity sets first party cookies on the brand domain, typically including thg_visitor_id, thg_session_id, thg_cart, thg_ab_test, _thg_consent and payment and fraud tokens. Exact names depend on the storefront configuration and the marketing tags activated.
Strictly necessary cookies for the cart, checkout and payment can run on contract performance, but analytics, A/B testing, marketing, retargeting and personalisation cookies require prior, informed consent under ePrivacy and the German TDDDG before any related script is loaded.
Order fulfilment, account management and payments rely on Article 6(1)(b) GDPR (contract). Analytics, behavioural tracking, marketing and personalisation rely on Article 6(1)(a) GDPR (consent). Some fraud prevention may use Article 6(1)(f) legitimate interests with documented balancing.
Yes. Primary hosting is in the United Kingdom, with US and EU regions (AWS Frankfurt) for global brands. UK transfers rely on the 2021 EU adequacy decision and US transfers on Standard Contractual Clauses and, where applicable, the EU US Data Privacy Framework.
Yes, a DPIA is strongly recommended. The platform processes identity, order, payment, behavioural and marketing data at scale, performs profiling and personalisation, and involves international transfers, all factors that the EDPB considers indicative of high risk processing.
Sign the THG data processing agreement, document sub processors, deploy a CMP that blocks non essential tags until consent, configure retention periods, surface clear privacy and cookie notices, and run regular transfer impact and security reviews.
Alternatives include Shopify Plus, Salesforce Commerce Cloud, Adobe Commerce (Magento), commercetools (German, EU hosted), Spryker (German), BigCommerce, Centra (Swedish) and Mirakl (French) for marketplace use cases. Each has its own data residency and compliance profile.
List the THG cookie families (visitor, session, cart, A/B testing, consent, payment) with purpose, duration and category, name THG Ingenuity as a processor, disclose UK and US transfers and the safeguards used, and link to your CMP for granular control.