Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
ThriveCart is a US based shopping cart and checkout platform for digital products and online courses that embeds a JavaScript checkout into the merchant site and orchestrates upsells, affiliate tracking and marketing pixels.
ThriveCart is a hosted checkout and sales funnel platform operated by ThriveCart LLC (Phoenix, Arizona). It provides high converting one page checkouts, one click upsells, downsells and bumps, affiliate management, subscription billing through Stripe, PayPal and Authorize.Net, and a lifetime licence model that has made it popular with European information product creators. ThriveCart embeds on the publisher domain via JavaScript or as a full redirect to a thrivecart.com page.
On the publisher domain ThriveCart sets the first party cookies tc_pixel_v (visitor identifier for the abandonment funnel, 1 year), tc_session (current cart session, 30 minutes) and __tc_affiliate (affiliate referral id, 60 days). On the checkout subdomain thrivecart.com the platform writes its own session, security and CSRF cookies (PHPSESSID, __cf_bm, _tc_csrf). When the publisher activates the ThriveCart Pixel, an additional tc_pixel cookie tracks behaviour across pages for retargeting.
The checkout flow itself is contractual: performance of the sale (GDPR art. 6(1)(b)), legal obligation to keep invoices (GDPR art. 6(1)(c)) and legitimate interest in fraud prevention. The strictly necessary cookies (session, CSRF, PHPSESSID) are exempt from consent under ePrivacy art. 5(3). The ThriveCart Pixel and the affiliate cookie are non essential and require prior consent. The merchant must also comply with the PSD2 strong customer authentication for any payment above 30 EUR and with the EU consumer rights directive (right to withdraw within 14 days).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
ThriveCart LLC is certified under the EU US Data Privacy Framework since 27 October 2023. Customer data is hosted on AWS US East (Virginia) and on Google Cloud Iowa. The Cloudflare CDN serves static assets globally. Card data is tokenised by the payment processor (Stripe, PayPal, Authorize.Net) so it does not transit through ThriveCart in raw form. The ThriveCart DPA incorporates the EU Standard Contractual Clauses and is accepted automatically when the customer signs the terms.
Gate the ThriveCart Pixel behind the marketing category of your CMP. Disable the affiliate tracking cookie if you do not run an affiliate programme. Display the price including VAT for European customers and integrate a VAT MOSS report through the ThriveCart EU VAT module. Provide the right to withdraw within 14 days for distance contracts. Document ThriveCart LLC and the payment processors in your records of processing (GDPR art. 30) and in the privacy notice. Run a DPIA if the cart processes special categories of data (health products, religious content).
Direct alternatives include SamCart, ClickFunnels, PayKickStart, Kajabi (US bundle), Podia, and EU options like Lemon Squeezy (Merchant of Record based in Ireland), Paddle (UK and Ireland), Digistore24 (Germany), and Stripe Checkout when paired with a self hosted shop.
Websites using ThriveCart must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because ThriveCart processes payment, billing and behavioural data of European customers in the US. Document the categories, retention and Schrems II safeguards.
Sample consent text
We use ThriveCart, a US based shopping cart provided by ThriveCart LLC, to process your purchase. The checkout itself relies on the contract you place with us (GDPR art. 6(1)(b)) and on the legal obligation to keep accounting records; we therefore do not ask for cookie consent to display it. The ThriveCart Pixel that powers cart abandonment retargeting and behavioural analytics is only loaded if you accept the marketing or analytics category in our cookie preferences. Your name, email, billing data and payment metadata are processed by ThriveCart in the United States under the EU US Data Privacy Framework and the EU Standard Contractual Clauses.
Third-party domains contacted
thrivecart.comthrivecart.comcart.thrivecart.comcart.thrivecart.comthrivecart-static.s3.amazonaws.comapi.thrivecart.comcdn.thrivecart.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| TC_SESSID | First party (ThriveCart) | Session | Maintains the cart and checkout session for the customer. |
| tc_session | first_party | session | Maintains the buyer checkout session and cart state on the ThriveCart subdomain. |
| tc_session | http_cookie | Session | Strictly necessary first party cookie that stores the checkout session identifier so the buyer can move between steps (order bump, upsell, confirmation) without losing the order context. |
| TC_AFF | First party (ThriveCart) | 60 days | Stores the affiliate referrer used to attribute the sale. |
| tc_cart | first_party | 30 days | Recovers the abandoned cart contents if the buyer returns before completing the checkout. |
| tc_cart | http_cookie | 30 days | Cookie that remembers the items in the current cart so a returning visitor can resume an abandoned checkout, classified as functional unless the merchant also uses it for behavioural targeting. |
| tc_affiliate | http_cookie | 60 days | Marketing cookie that stores the JV partner identifier responsible for the click that brought the visitor to the checkout, used by the ThriveCart affiliate program for commission attribution. |
| TC_VISITOR | First party (ThriveCart) | 13 months | Anonymous visitor identifier used by the analytics module. |
| tc_affiliate | first_party | 60 days (configurable) | Attributes the sale to a JV affiliate partner; not strictly necessary, requires consent under ePrivacy Art. 5(3). |
| TC_PREP | First party (ThriveCart) | 14 days | Stores cart preparation state to prefill information when the customer returns. |
| _fbp | first_party | 90 days | Set by the optional Facebook Pixel integration to identify browsers for ad attribution. |
| tc_coupon | http_cookie | 7 days | Functional cookie that pre fills the discount code that the buyer initially clicked on, so it survives across page reloads during the conversion funnel. |
| _gcl_aw | first_party | 90 days | Set by the optional Google Ads conversion tag for attribution and remarketing. |
ThriveCart uses cookies for user preferences — inform visitors with a consent banner.
ThriveCart sets strictly necessary cookies (tc_session, tc_cart) to maintain the checkout state, plus tc_affiliate to attribute the sale to a JV partner (typically 60 days, configurable). Any Facebook Pixel (_fbp, _fbc), Google Ads (_gcl_aw) or TikTok pixel that the merchant enables in the dashboard is loaded by the same script and falls under the marketing category.
First party cookies TC_SESSID (cart session), TC_AFF (affiliate referrer, 60 days), TC_VISITOR (visitor tracking, 13 months) and TC_PREP (cart preparation, 14 days). Stripe and PayPal may also set their own cookies during the payment step.
Consent is not required for the checkout cookies that are strictly necessary to complete the purchase under Article 5(3) ePrivacy. Consent is required for any affiliate cookie and any marketing pixel deployed through ThriveCart, because these cookies are not strictly necessary and combine personal data for advertising purposes.
Strictly necessary cookies (session, fraud) can be loaded without consent. Affiliate and analytics cookies are non essential and require prior consent under Art. 5(3) ePrivacy.
The processing of buyer name, email, address and payment details is based on Article 6(1)(b) GDPR, performance of contract. Tax related processing falls under Article 6(1)(c), legal obligation. Marketing pixels and affiliate cookies rely on Article 6(1)(a), consent. Some fraud prevention processing can rely on Article 6(1)(f), legitimate interest.
Contract performance (Art. 6(1)(b) GDPR) for processing the order. Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for affiliate or analytics cookies. Legal obligation (Art. 6(1)(c)) for accounting and tax retention.
Yes. Buyer data is processed on AWS US East (Virginia) by ThriveCart LLC. The EU US Data Privacy Framework decision of 10 July 2023 covers the transfer when ThriveCart is certified; otherwise the DPA includes Standard Contractual Clauses and a documented Transfer Impact Assessment is recommended.
Yes. All checkout and customer data is processed in US AWS regions. Transfers rely on EU SCCs; ThriveCart is not currently certified under the EU US Data Privacy Framework, so complete a Transfer Impact Assessment.
A DPIA is advisable when ThriveCart is used for high volume sales, subscriptions, sensitive verticals (health, finance, minors) or when affiliate audiences are exported to advertising networks. The DPIA must analyse the US transfer leg, the joint controllership for affiliate tracking and the chain of payment processors that handle card data.
A DPIA is recommended because of the US transfer, payment data and customer profiling for affiliate marketing. Document the safeguards and retention period.
Sign the DPA from the ThriveCart admin, use a CMP that exposes the consent state via Google Consent Mode v2, enable the pixel only after the visitor has opted into the marketing category, and proxy the checkout under your own subdomain when possible to reduce third party cookie issues in Safari and Firefox. Display the affiliate cookie duration in the cookie policy.
Sign the DPA, complete an SCC backed TIA, list ThriveCart in your Article 30 record as a processor in a third country, block analytics/affiliate cookies behind your CMP, inform customers in the privacy notice and the checkout footer.
EU alternatives: Digistore24 (Germany), CopeCart (Germany), Affilo Connect (Spain), Plug'n Paid (Cyprus). For broader checkout: Paddle (Merchant of Record, UK), Mollie (Netherlands), Stripe Checkout (with EU contracting), SamCart (US), Shopify Checkout.
Alternatives include SamCart, Kajabi Payments, Stripe Checkout combined with FastSpring or Paddle (which act as merchant of record), Lemon Squeezy, and EU based options like SendOwl or Quaderno Connect. Paddle and FastSpring shift the seller of record relationship outside the EU, which simplifies VAT but changes the consent footprint.
Re scan your checkout with your CMP after every change (new pixel, new affiliate program, new payment processor), update the cookie register with the new tc_ or pixel cookies, and synchronise the privacy notice when ThriveCart adds new sub processors. Subscribe to the ThriveCart change log to be notified of new integrations.
List each TC_* cookie with purpose, retention and legal basis. Mention ThriveCart, LLC as a processor located in the US with SCCs, and a link to ThriveCart's privacy policy. Note any payment gateway cookies (Stripe, PayPal) under their own entries.