Ucommerce is a Danish e-commerce platform distributed by Avensia Ucommerce ApS that runs on top of Umbraco, Sitecore and Kentico CMS. The product writes a small set of strictly necessary cookies for cart, session, authentication and anti forgery, and offers optional analytics or personalisation modules subject to consent. The privacy posture mainly depends on the integrations the merchant activates.
Ucommerce is a flexible e-commerce platform distributed by Avensia Ucommerce ApS, a Danish vendor based in Aarhus and acquired by Avensia AB. It is shipped as a .NET package that integrates with Umbraco, Sitecore and Kentico content management systems and runs on the merchant infrastructure of choice. Ucommerce ships with catalogue management, baskets, multi store currency support, tax engines and a payment provider abstraction. Because it is self hosted, the merchant remains the data controller for every personal data processing operation.
By default Ucommerce writes the ASP.NET_SessionId for state, the .ASPXAUTH cookie for authenticated visitors, the Ucommerce.Basket cookie that holds the anonymous basket reference and the Ucommerce.Language cookie that stores the front office language. Anti forgery and SignalR cookies may also appear when the back office is reached. None of these cookies contain personal data outside the random server side identifier and the language code. The platform processes shipping address, billing address, payment card token and order data through standard checkout flows.
Session, basket, language and authentication cookies fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive and recital 66, since they are required to deliver the shopping service explicitly requested by the user. Customer registration, account management and order tracking rely on the contract performance basis of Article 6(1)(b) GDPR. Optional analytics, retargeting, personalisation and abandoned cart modules require consent and must be blocked by a Consent Management Platform until accepted.
There is no built in transfer to a third country, but typical Ucommerce shops integrate Stripe, PayPal, Adyen, Klarna, Google Analytics 4, Mailchimp or Sitecore Personalize. Each of these processors transfers data outside the EEA and falls under the EU US Data Privacy Framework or Standard Contractual Clauses. Map every integration in your record of processing activities and confirm the certification or transfer mechanism of each vendor.
Host the application in Microsoft Azure West Europe, North Europe or another EEA region, pin every cookie to Secure and HttpOnly with SameSite=Lax, list payment and analytics integrations in your privacy notice, sign Data Processing Agreements with Avensia and every connected vendor, block optional trackers behind a Consent Management Platform such as FlowConsent and document a retention schedule for orders, customer accounts and abandoned baskets.
Websites using Ucommerce must obtain user consent under GDPR regulations.
DPIA considerations
A standard Ucommerce deployment with strictly necessary cookies and EU hosting is low risk. A DPIA becomes relevant when the merchant activates Sitecore Personalize, Google Analytics 4, retargeting pixels or large scale customer profiling. Document the modules enabled, the third party data flows and the legal basis for each processing operation. Pay particular attention to payment processors which qualify as separate controllers.
Sample consent text
This shop runs on Ucommerce. Only strictly necessary cookies are written to keep your basket, login and security tokens functional. Additional analytics, personalisation or marketing cookies require your explicit consent and can be managed at any time from the cookie preferences link.
Third-party domains contacted
ucommerce.net
avensia.com
ucommerce.dk

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ASP.NET_SessionId | first_party | Session | Stores the ASP.NET session identifier required to maintain server side application state across requests. |
| Ucommerce.Basket | first_party | 1 year | Stores the reference to the anonymous shopping basket so that the cart contents persist across visits. |
| Ucommerce.Language | first_party | 1 year | Stores the front office language and culture preference selected by the visitor. |
| .ASPXAUTH | first_party | Session | Stores the encrypted forms authentication ticket for visitors who have logged into the customer or back office area. |
Ucommerce uses cookies for user preferences — inform visitors with a consent banner.
By default Ucommerce writes ASP.NET_SessionId for the application state, .ASPXAUTH for authenticated users, Ucommerce.Basket to keep the anonymous basket reference and Ucommerce.Language for the front office language. Anti forgery and SignalR cookies may appear when administrators access the back office.
No. Session, basket, authentication and anti forgery cookies are strictly necessary under Article 5(3) of the ePrivacy Directive and recital 66, since they are required to deliver the shopping service explicitly requested by the user. Optional analytics, advertising or personalisation modules require consent.
Order processing, account management and authentication rely on contract performance under Article 6(1)(b) GDPR. Marketing, personalisation, abandoned cart recovery and behavioural analytics require consent under Article 6(1)(a). Anti fraud monitoring and security logs may rely on legitimate interest under Article 6(1)(f).
Ucommerce itself is self hosted, so the merchant chooses the region and the platform itself does not transfer data outside the EEA. However, payment processors such as Stripe and PayPal, plus optional analytics like Google Analytics 4, do transfer data to the United States and rely on the EU US Data Privacy Framework or Standard Contractual Clauses.
For a basic shop a DPIA is rarely mandatory. A DPIA becomes appropriate when you activate Sitecore Personalize, behavioural recommendations, large scale loyalty programs or third party retargeting. Document the criteria of Article 35 GDPR and consult the CNIL, AEPD or DSK list of mandatory DPIA scenarios.
Host the application in the EEA, configure cookies with Secure and HttpOnly and SameSite=Lax, sign Data Processing Agreements with Avensia and every payment, marketing or analytics processor, block optional trackers behind a Consent Management Platform, document retention rules and run regular tag scans.
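The cookie hardening advice above (Secure, HttpOnly, SameSite=Lax on every cookie) can be checked against captured response headers. The following is an added example, not Ucommerce or FlowConsent code: the cookie names come from this page, while the sample headers, the `example_tracker` cookie and the choice to accept SameSite=Strict as also passing are assumptions made for illustration.

```python
# Cookie names listed on this page as strictly necessary.
STRICTLY_NECESSARY = {"ASP.NET_SessionId", ".ASPXAUTH",
                      "Ucommerce.Basket", "Ucommerce.Language"}

# Constructed Set-Cookie header values (not captured from a real shop).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=k3j2h1; path=/; HttpOnly; SameSite=Lax",
    ".ASPXAUTH=9A7F00; path=/; secure; HttpOnly; SameSite=Lax",
    "Ucommerce.Basket=6f1c2d; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/",
    "Ucommerce.Language=da-DK; path=/; Secure; HttpOnly; SameSite=None",
    "example_tracker=1; path=/; Secure; HttpOnly; SameSite=Lax",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(headers):
    """Return {cookie name: [issues]} for cookies that miss the recommended flags."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        # Assumption: Strict is treated as at least as restrictive as Lax.
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            issues.append("SameSite not Lax")
        if name not in STRICTLY_NECESSARY:
            issues.append("not on strictly necessary list")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for cookie, issues in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(issues)}")
```

A cookie flagged as not on the strictly necessary list is a candidate for consent gating, not automatically a violation; review it against the record of processing activities.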
Common alternatives include Optimizely Commerce, Sitecore OrderCloud, Commerce Tools, Spryker, Adobe Commerce (Magento), BigCommerce, Shopify Plus and Saleor for headless deployments. Each platform comes with different cookie behaviour, hosting model and integration ecosystem.
List the strictly necessary cookies (ASP.NET_SessionId, .ASPXAUTH, Ucommerce.Basket, Ucommerce.Language) with their purpose and lifetime, document each connected processor (payment, analytics, email), describe the EU hosting region, and provide a clear consent management link to allow users to update their preferences.