An online shop processes customer and payment data at scale — names, addresses, orders, card details — plus marketing, cookies and analytics. Most shops fire Google Analytics and the Meta Pixel before anyone consents, send marketing with no valid opt-in, and pipe customer data into US tools with no transfer safeguards. Convenient, and a textbook GDPR breach waiting to happen.
The reality
None of this is malicious — it's just how online stores are set up by default. But each one is a real GDPR gap a customer, a competitor or a regulator can act on.
The cookie banner is cosmetic: Google Analytics and the Meta Pixel fire on page load, before the visitor clicks anything. That's tracking without valid consent — one of the most reported issues in e-commerce.
Customers get added to newsletters and promo lists just for buying, with no freely given consent and no easy, working unsubscribe in every email.
Card numbers saved in the shop database or order records instead of being handled by a compliant payment processor — a serious breach risk you don't need to carry.
The admin / store dashboard has no multi-factor authentication and shared logins passed around the team — the single richest target in your whole setup.
No data-processing agreements with Stripe/PayPal, Mailchimp, Google Analytics or your hosting provider — all of whom process your customers' data on your behalf.
Customer records kept indefinitely with no retention rule, and US tools (analytics, email, hosting) used with no transfer safeguards such as Standard Contractual Clauses.
It only takes one. A cookie/consent complaint, a customer asking "what data do you hold on me?", or a single breach of your store database — any of these can turn into a complaint to the data protection authority. The fix is far cheaper than the incident.
The fix
We don't hand you a policy and leave. We change how data actually flows through your store, with tools your team and your customers will actually use.
A consent solution that genuinely blocks Google Analytics, the Meta Pixel and other non-essential trackers until the visitor actively opts in — not just a banner over the top.
Clean, documented consent capture at checkout and signup, plus a working unsubscribe in every email — so your marketing stays lawful.
We take full card data off your systems and move you to a PCI-compliant processor flow (Stripe/PayPal) that tokenises payments so sensitive data never touches your server.
Multi-factor authentication and named, role-based logins on the store back office — no more shared credentials on your most valuable target.
Data-processing agreements with your payment, marketing, analytics and hosting providers — so your whole supply chain is covered.
A retention schedule with automated clean-up, Standard Contractual Clauses (SCCs) for international transfers, and a simple breach procedure with the records an authority will ask for.
How we work
We follow a real order end-to-end: which cookies fire, where customer and payment data goes, and into which tools and countries.
We flag the non-compliant flows and the concrete risks — prioritised, in plain language, not a 90-page report.
We set up consent that blocks trackers, remove card storage, add MFA, and put DPAs, retention and SCCs in place.
A short team briefing, a breach plan and the records of processing — so it stays compliant day to day.
FAQ
The questions shop owners ask us most.
Tell us what tools your store runs today. We'll show you the gaps and the fix — response within 4 working hours, no commitment.
EN
IT
ES