Yampi Checkout is a Brazilian e-commerce checkout solution that lets merchants accept payments through a hosted or embedded flow integrated with multiple payment gateways. It includes cart management, one-page checkout, abandoned cart recovery, A/B testing, and detailed conversion analytics. Yampi is widely used by Brazilian retailers on Shopify, WooCommerce, Nuvemshop, and other platforms. Because the infrastructure is hosted in Brazil, any use targeting EU customers raises a third-country transfer issue under the GDPR.
Yampi Checkout is a SaaS checkout product developed by Yampi, a Brazilian e-commerce platform headquartered in São Paulo. It replaces the native checkout of platforms such as Shopify, WooCommerce, Nuvemshop or Magento with an optimised cart, one-page payment, and post-purchase flow. Merchants connect Yampi to one or several payment gateways (Cielo, Stone, PagSeguro, Stripe, Mercado Pago) and offer Pix, boleto, card and digital wallets.
The checkout runs either as a redirect to seguro.yampi.com.br or as an embedded iframe. It includes abandoned cart recovery, A/B testing, upsells, and a backend that the merchant uses to monitor conversion in real time.
Yampi sets several first-party cookies. A session cookie keeps the cart linked to the visitor, a CSRF token protects checkout forms, and a customer identifier links anonymous browsing sessions to subsequent logged-in or paid sessions. In addition, Yampi may set A/B testing cookies, conversion tracking cookies, and an e-mail-capture cookie used to send abandoned cart messages.
Personal data collected typically includes name, e-mail, CPF or other tax identifier, billing and shipping address, phone number, IP address, device information, and the full order content. Some merchants enable Facebook Pixel, Google Ads or TikTok Pixel inside Yampi: those further extend the cookie footprint to advertising networks.
Strictly necessary cookies (cart session, CSRF) do not require consent under Article 5(3) of the ePrivacy Directive. However, the A/B testing, conversion tracking, e-mail capture for abandoned cart, and any advertising pixels enabled on top of Yampi do require informed prior consent. The legal basis differs accordingly: contract performance for the checkout itself, consent for marketing features.
Yampi hosts its infrastructure on cloud providers located in Brazil. Brazil benefits from a modern data protection regime (LGPD) but has not yet been granted an adequacy decision by the European Commission as of 2026. EU controllers must therefore implement appropriate safeguards: Standard Contractual Clauses, a transfer impact assessment, and supplementary measures such as encryption in transit and at rest.
The non-essential cookies set by Yampi must be blocked until the visitor opts in. The abandoned cart e-mail flow requires either consent or, in B2B contexts, a soft opt-in covered by an existing customer relationship. A DPIA is recommended because the processing combines profiling for conversion optimisation, remarketing, and a transfer to a third country.
Sign a data processing addendum with Yampi including SCCs, disable A/B testing and abandoned cart capture for users who refuse marketing, document the subprocessors used by the platform, configure your consent banner to gate the non-essential Yampi cookies, and reference Yampi explicitly in your privacy policy with a clear statement on the transfer to Brazil.
Websites using Yampi Checkout must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Yampi is used on stores that target EU residents, because the combination of marketing cookies, conversion tracking, abandoned cart e-mails, and a transfer to Brazil increases the overall risk. The DPIA should cover the consent mechanism, the SCCs signed with Yampi, the retention periods of cart and transaction logs, and the safeguards applied to e-mail-based remarketing.
Sample consent text
We use Yampi Checkout to operate our cart, payment, and abandoned cart recovery. Some cookies are strictly necessary for the checkout to function; others (A/B testing, conversion tracking, marketing) require your consent. Your purchase data is processed in Brazil under Standard Contractual Clauses.
Third-party domains contacted
- yampi.com.br
- seguro.yampi.com.br
- cdn.yampi.io
- api.yampi.com.br

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| yampi_session | http | session | Maintains the cart and checkout session for the visitor. |
| XSRF-TOKEN | http | session | Cross-site request forgery protection for checkout forms. |
| _yampi_cid | http | 12 months | Customer identifier that links anonymous browsing to subsequent paid sessions. |
| _yampi_ab | http | 90 days | A/B testing cookie used to assign and persist checkout experiments. |
| _yampi_cart_recovery | http | 30 days | Stores the e-mail and cart contents used for abandoned cart recovery messages. |
| _yampi_conv | http | 30 days | Conversion attribution cookie set after a successful purchase. |
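
The requirement that non-essential Yampi cookies stay blocked until opt-in can be checked against `Set-Cookie` headers captured before the visitor touches the banner. The following is an added example, not code from Yampi or from this page's author; the purpose labels, function names and sample headers are assumptions constructed for illustration, and `_yampi_cid` is flagged for review because the page does not say which side of the consent line it falls on.

```javascript
// Classification taken from the cookie table on this page. Purpose labels
// ("abTesting", "marketing", "conversion") are assumed consent-banner categories.
const YAMPI_COOKIES = new Map([
  ["yampi_session", { necessary: true }],
  ["XSRF-TOKEN", { necessary: true }],
  ["_yampi_ab", { necessary: false, purpose: "abTesting" }],
  ["_yampi_cart_recovery", { necessary: false, purpose: "marketing" }],
  ["_yampi_conv", { necessary: false, purpose: "conversion" }],
  // Not classified by the page: surface it for a manual decision.
  ["_yampi_cid", { necessary: false, purpose: null }],
]);

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  const eq = setCookie.indexOf("=");
  return (eq === -1 ? setCookie : setCookie.slice(0, eq)).trim();
}

// Return findings for table cookies set without a matching consent grant.
// `consent` maps purpose -> boolean, e.g. { abTesting: false, marketing: true }.
function auditSetCookies(setCookieHeaders, consent = {}) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    const rule = YAMPI_COOKIES.get(name);
    if (!rule || rule.necessary) continue; // unknown cookie, or exempt (cart session, CSRF)
    if (rule.purpose === null) {
      findings.push({ name, issue: "unclassified-needs-review" });
    } else if (consent[rule.purpose] !== true) {
      findings.push({ name, issue: `set-without-${rule.purpose}-consent` });
    }
  }
  return findings;
}

// Constructed sample: headers as they might appear in a HAR capture taken
// before any interaction with the consent banner.
const SAMPLE_PRE_CONSENT = [
  "yampi_session=abc123; Path=/; Secure; HttpOnly",
  "XSRF-TOKEN=tok456; Path=/; Secure",
  "_yampi_ab=variant-b; Max-Age=7776000; Path=/",
  "_yampi_cid=c-789; Max-Age=31536000; Path=/",
];

console.log(auditSetCookies(SAMPLE_PRE_CONSENT, {}));
```

An empty result for a pre-consent capture means none of the consent-gated cookies from the table were set; any finding points to a banner configuration that loads a Yampi feature too early.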
Yampi Checkout uses cookies for user preferences — inform visitors with a consent banner.
Yampi sets a session cookie and a CSRF token (strictly necessary), a customer identifier that links browsing to purchase, an A/B testing cookie, a cart recovery cookie that stores e-mail and cart content, and a conversion attribution cookie. Advertising pixels (Meta, Google, TikTok) can be enabled by the merchant on top.
Yes for the non-essential layers. Cart session and CSRF cookies are exempt, but A/B testing, conversion tracking, abandoned cart e-mail capture, and any advertising pixels require informed prior consent. Block these cookies until the visitor opts in through your consent management platform.
Two distinct legal bases apply. Article 6(1)(b) GDPR (performance of a contract) covers the checkout, payment, and order fulfilment. Article 6(1)(a) GDPR (consent) covers A/B testing, conversion tracking, abandoned cart marketing, and advertising pixels enabled inside Yampi.
Yes. Yampi operates from Brazil, so EU customer data is transferred to a third country. As of 2026 Brazil does not benefit from an EU adequacy decision, so the transfer must rely on Standard Contractual Clauses, a transfer impact assessment, and supplementary measures such as encryption.
A DPIA is strongly recommended when Yampi is deployed on stores that target EU customers, because the processing combines large-scale profiling (A/B testing, conversion tracking, remarketing) with a transfer to a non-adequate third country. The DPIA should document risks, safeguards, and the consent design.
Sign a data processing addendum with SCCs, configure your consent banner to block A/B testing and marketing cookies until opt-in, disable abandoned cart e-mail capture for visitors who refuse marketing, document Yampi as a subprocessor in your records, and inform customers in your privacy policy about the transfer to Brazil.
EU-based or EU-hosted checkout solutions include Shopify Checkout (with EU data residency options), Mollie, Adyen, Stripe Checkout (EU), Bold Commerce, or building a custom checkout on top of headless commerce. These options reduce or eliminate the third-country transfer concern for European customers.
List each Yampi cookie with its name, type, duration, and purpose. Mark cart session and CSRF as strictly necessary, and A/B testing, conversion tracking, cart recovery, and any advertising pixels as subject to consent. Mention Yampi by name as a processor, reference the SCCs for the Brazil transfer, and refresh the page when Yampi updates its subprocessor list.