GDPR & UK GDPR generator for non-EU sellers

Generate compliant privacy policies and cookie consent for Shopify / Next.js stores collecting EU/UK traffic.
New to consent? Read the GDPR basics guide first.

Do non-EU websites need a GDPR or UK GDPR cookie banner for EU visitors?

Detecting EU/UK traffic and showing the right consent notice

GDPR and UK GDPR apply to any business that processes personal data of EU/UK residents, regardless of where your company is based. If you have EU or UK visitors to your website, you must provide a compliant cookie consent mechanism. Use geolocation detection (IP address or browser settings) to determine if a visitor is from the EU/UK and show the appropriate consent banner.

Blocking analytics and ads until consent is given

Under GDPR, you cannot load non-essential cookies (like Google Analytics, Facebook Pixel, TikTok Pixel) until the user has given explicit consent. Your consent management platform must block these scripts from loading until consent is obtained. Essential cookies (like session cookies or shopping cart cookies) can be loaded without consent, but all tracking and advertising cookies require opt-in.

UK GDPR: extra disclosures and data-transfer wording

Post-Brexit, the UK has its own version of GDPR (UK GDPR) which largely mirrors EU GDPR but requires specific wording for data transfers. If you transfer data from the UK to non-UK countries (including the EU or your home country), your privacy policy must disclose this and explain the safeguards you use (such as Standard Contractual Clauses or adequacy decisions).

72-hour breach notification basics

Both GDPR and UK GDPR require you to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If the breach poses a high risk to individuals, you must also notify affected users without undue delay. Have an incident response plan ready: identify the breach, assess the risk, contain it, document it, and notify authorities/users as required.

Data-processing agreements (DPA) when using EU processors

If you use EU-based service providers (like email marketing platforms, payment processors, or cloud storage), you need Data Processing Agreements (DPAs) with them. Most reputable providers offer standard DPAs. Ensure these DPAs specify: the scope and purpose of data processing, duration of processing, types of data involved, your rights to audit, and their obligations to delete or return data upon request.

Letting users update or revoke cookie choices

GDPR requires that users can withdraw consent as easily as they gave it. Provide a clear way for users to change their cookie preferences at any time — typically via a footer link labeled "Cookie Settings" or "Manage Preferences". When users revoke consent, immediately stop loading those tracking scripts and delete cookies where technically possible.
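As an added example (not EU Market Ready's own code), the script-blocking rule from the analytics section above and the withdrawal rule here are shown together in one small consent manager: nothing outside the essential category loads until consent is granted, and revoking a category unloads its tracker and expires the cookies it set. Tracker, category and cookie names are constructed, and loadScript, unloadScript and deleteCookie are hypothetical hooks you would wire to your page.

```javascript
// Added example (not the product's own code): consent-gated tracker loading
// with withdrawal. Side effects are injected so the logic runs outside a browser.
// All tracker, category and cookie names below are constructed for illustration.

// Categories that require opt-in under GDPR/UK GDPR. Anything else is essential.
const OPT_IN_CATEGORIES = new Set(["analytics", "marketing"]);

// Tracker registry: the category each belongs to and the cookies it sets, so
// withdrawal can remove them. Cookie lists are examples, not complete vendor lists.
const TRACKERS = {
  cartSession:     { category: "essential", cookies: ["cart"] },
  googleAnalytics: { category: "analytics", cookies: ["_ga", "_gid"] },
  facebookPixel:   { category: "marketing", cookies: ["_fbp"] },
};

// loadScript(name) injects the vendor tag, unloadScript(name) removes it, and
// deleteCookie(name) expires a cookie (in a browser: document.cookie = name +
// "=; Max-Age=0; path=/"). Nothing opt-in loads until grant() is called.
function createConsentManager({ loadScript, unloadScript, deleteCookie }) {
  const granted = new Set(); // categories the visitor has opted in to
  const loaded = new Set();  // trackers currently active on the page

  // Reconcile the page with the current consent state: load what is now
  // allowed, and unload plus clean up what is no longer allowed.
  function applyState() {
    for (const [name, tracker] of Object.entries(TRACKERS)) {
      const allowed = !OPT_IN_CATEGORIES.has(tracker.category) || granted.has(tracker.category);
      if (allowed && !loaded.has(name)) {
        loadScript(name);
        loaded.add(name);
      } else if (!allowed && loaded.has(name)) {
        unloadScript(name);
        tracker.cookies.forEach(deleteCookie);
        loaded.delete(name);
      }
    }
  }

  applyState(); // essential trackers only, until the visitor opts in

  return {
    grant(categories) { categories.forEach((c) => granted.add(c)); applyState(); },
    revoke(categories) { categories.forEach((c) => granted.delete(c)); applyState(); },
    revokeAll() { granted.clear(); applyState(); },
    loadedTrackers() { return [...loaded].sort(); },
    grantedCategories() { return [...granted].sort(); },
  };
}
```

Cookies a vendor sets on its own domain cannot be expired from your page, which is why the withdrawal path must also stop the script itself; wire revokeAll() to your "Cookie Settings" link and persist the granted categories so the choice survives navigation.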

How to log and store DSAR actions inside your SaaS

Maintain an audit log of all Data Subject Access Requests (DSARs) and related actions: date received, type of request (access, rectification, deletion, portability, objection), identity verification steps, data provided or actions taken, and completion date. This log demonstrates compliance if you're audited by a supervisory authority. EU Market Ready can store these logs automatically as part of your compliance dashboard.

Privacy policy and cookie policy generator for cross-border stores

Our generator creates tailored privacy and cookie policies based on your specific data collection practices. Answer questions about: what data you collect (names, emails, addresses, payment info, browsing behavior), why you collect it (contract fulfillment, marketing, analytics), who you share it with (payment processors, shipping partners, marketing platforms), how long you retain it, and whether you transfer data outside the EU/UK. The generator produces policies with all required GDPR and UK GDPR disclosures.

DSAR (data subject access request) intake form template

GDPR and UK GDPR grant individuals several rights: the right to access their data, the right to rectify incorrect data, the right to delete data ("right to be forgotten"), the right to data portability, and the right to object to processing. Provide a DSAR intake form on your website where users can submit these requests. The form should collect: type of request, user identification (to verify identity), description of the request, and contact information. You must respond within 30 days (extendable by 2 more months if complex).

Connecting consent with other EU & UK market-entry rules

How GDPR/UK GDPR links to DSA website disclosure

Both GDPR/UK GDPR and the Digital Services Act (DSA) require disclosures about your business and how you handle user data. Your privacy policy satisfies part of your GDPR obligations, while your DSA disclosure covers business identification and complaint mechanisms. These are complementary — your DSA disclosure should link to your privacy policy, and your privacy policy should reference your DSA contact information.

Country-specific consumer-rights pages

Some EU countries require additional consumer protection disclosures: France requires clear return policies and consumer dispute resolution options, Germany requires specific cancellation/return forms (Widerrufsbelehrung), Italy mandates clear pricing including all taxes and fees. While GDPR is EU-wide, these national consumer laws add extra requirements for sellers targeting those markets.

Generated HTML snippets for Shopify / Next.js / MkSaaS

EU Market Ready generates ready-to-use HTML/React code for your cookie banner, privacy policy page, and DSAR form. For Shopify, we provide Liquid template code. For Next.js / MkSaaS, we provide React components that you can drop into your project. All code follows best practices for accessibility (WCAG 2.1 AA), mobile responsiveness, and SEO.

How to announce policy changes to returning visitors

When you update your privacy or cookie policy, show a prominent notice to returning users on their next visit. This can be a banner at the top of the page or a modal notification. The notice should briefly explain what changed and link to the updated policy. For significant changes (like adding new data collection practices), you may need to re-request consent from existing users.

How to handle user deletion / data export requests

For deletion requests: verify the user's identity, delete all personal data from your systems (including backups where feasible), confirm deletion to the user, but retain minimal data if required for legal obligations (like tax records). For data export requests: provide data in a structured, commonly used, machine-readable format (like JSON or CSV) containing all personal data you hold about them. Respond within 30 days.

Contact / complaints information for EU buyers

Your privacy policy must include contact information for data protection inquiries. This can be a dedicated email address (like privacy@yourdomain.com) or a contact form. For UK GDPR, you must also inform users of their right to lodge a complaint with the UK Information Commissioner's Office (ICO). For EU GDPR, reference the supervisory authority in each EU country where you process significant amounts of data.

How to version policy pages in your repo

Maintain version history of your privacy and cookie policies in your code repository. Use Git tags or separate files (e.g., privacy-policy-v2.0.md) with effective dates. This version history proves to regulators that you informed users about changes over time. EU Market Ready auto-generates versioned policy files with timestamps and changelog summaries.

Where to place French packaging number or German VerpackG notices

If you sell physical goods to France or Germany, your packaging EPR numbers (French packaging number or German LUCID number) should be visible on your website. Common placements: in the footer alongside other legal links, on a dedicated "Legal Notices" or "Compliance" page, or on your product pages if required by the marketplace. This demonstrates to regulators and marketplaces that you are compliant with packaging regulations.

How to combine privacy, cookie, returns and DSA links in one footer

A typical EU/UK-compliant footer includes: Privacy Policy, Cookie Policy, Terms of Service, Returns & Refunds, DSA Information (or Legal Notice), Contact Us, and optionally Packaging/EPR disclosures. Group these logically: legal policies together (Privacy, Cookie, Terms), customer service together (Returns, Contact), and regulatory disclosures together (DSA, EPR). Use clear labels and ensure all links are accessible from every page.

Pricing and implementation

One-off generation vs unlimited plan

One-off generation ($19): Generate a complete set of GDPR/UK GDPR policies, cookie banner code, and DSAR form once. Ideal for stable businesses that don't frequently change their data practices. Unlimited plan (Starter $19/mo or Growth $39/mo): Re-generate policies as often as needed when your data practices change, add new tracking tools, or EU/UK regulations are updated. Includes access to all other compliance modules (VAT, CBAM, EPR).

Security and storage locations

EU Market Ready stores your compliance data (generated policies, DSAR logs, report history) on secure cloud infrastructure with encryption at rest and in transit. Data centers are in the US with Standard Contractual Clauses in place for EU/UK data transfers. You own all generated content and can export it at any time. We do not sell or share your data with third parties.

Support for US / UAE / Turkey merchants

Our GDPR generator is specifically designed for non-EU merchants who serve EU/UK customers. We use examples and terminology familiar to US, UAE, Turkish, and Southeast Asian sellers. Support is available in English, with optional Chinese help text for Chinese-speaking users. Our team understands the unique challenges of cross-border compliance for businesses based outside the EU.

Disclaimer for non-EU businesses

EU Market Ready provides tools and guidance to help you comply with GDPR and UK GDPR. This is informational content, not legal advice. GDPR compliance involves legal judgments about your specific data processing activities. For complex situations or if you're unsure about your obligations, consult with a qualified data protection attorney or privacy consultant licensed in the EU/UK.

How to contact an EU counsel for edge cases

For complex GDPR scenarios (like handling large-scale data breaches, responding to supervisory authority inquiries, or determining if you need a Data Protection Officer), we recommend consulting with specialized EU privacy law firms. We maintain a referral network of attorneys experienced in cross-border e-commerce and can introduce you to the right counsel based on your situation and target markets.

Log retention and auditability

EU Market Ready retains logs of all policy generations, DSAR actions, and compliance checks for 7 years by default (to align with typical business record retention requirements). These logs can demonstrate to auditors or regulators that you took compliance seriously and responded to user requests promptly. You can export these logs at any time as PDF or CSV reports.

How to request custom clauses

If your business has unique data processing needs (like AI/ML features, biometric data, or children's data), you may need custom privacy policy clauses beyond our standard generator. Growth plan users can request custom clause assistance through our support channel. For complex customizations, we can refer you to privacy counsel who can draft bespoke clauses that integrate with our generated policies.

Team use for agencies / service providers

Agencies and service providers managing multiple client stores can use our Growth plan ($39/mo) with 3 team seats. Each team member can access the dashboard, generate policies for different clients, and manage DSAR workflows. We offer white-label options for larger agencies who want to integrate EU Market Ready into their service offerings. Contact us for agency pricing and API access.

Integrating with Stripe via MkSaaS

EU Market Ready is built on MkSaaS and uses Stripe for payment processing. All subscriptions are managed through Stripe Customer Portal, where you can update payment methods, view invoices, and cancel anytime. Stripe itself is GDPR and PCI-DSS compliant. We do not store your credit card information — Stripe handles all payment data securely.

Generate your GDPR & UK GDPR policies now

Create compliant privacy policies, cookie banners, and DSAR forms tailored to your e-commerce business in under 5 minutes.