WooCommerce and Data Protection – What Belongs in Your Privacy Policy
Concise guide to WooCommerce: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy on WooCommerce.
If a website operator uses WooCommerce on its own website (WordPress with the WooCommerce plugin), it typically processes order data, customer data and payment-related data to handle online sales. WooCommerce is a plugin within the website operator's WordPress installation; unless the operator activates WooCommerce cloud services or external payment gateways, processing takes place primarily on the operator's own infrastructure. This page shows website operators in Germany what data WooCommerce processes, which purposes and legal bases are typically applicable, and which mandatory disclosures on WooCommerce belong in the privacy policy.
A. Purpose and Functionality of WooCommerce
WooCommerce is an open-source e-commerce plugin for the WordPress content management system that turns a WordPress website into an online shop. WooCommerce provides functions for product catalogue, cart, checkout, order management, customer management, shipping and payment processing. The provider is WooCommerce, Inc., a subsidiary of Automattic Inc.
Unlike a SaaS solution, WooCommerce runs on the WordPress installation hosted by the website operator; the operator is therefore responsible for hosting and configuration. This page focuses on the WooCommerce plugin itself. Extensions and integrations (e.g. Stripe, PayPal, Klarna plugins, WooCommerce Subscriptions, marketing plugins, external tracking) are not within the scope of this article and must be examined separately by the website operator. Where the operator additionally activates WooCommerce cloud services (e.g. WooCommerce Payments, WooCommerce.com connectivity, "Connect" functions), additional processing by Automattic and/or third-party providers is added.
B. Mandatory Disclosures in the Privacy Policy when Using WooCommerce
The GDPR requires the privacy policy to set out tool-specific minimum content in addition to general information about the website operator, data subject rights and the supervisory authority. For the use of WooCommerce this includes in particular:
- the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
- the legal bases (Art. 13 para. 1 lit. c GDPR),
- where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
- the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR) – in particular hosters and any activated cloud services,
- whether data is transferred to a third country and, if so, whether an adequacy decision exists or which appropriate safeguards are relied on (Art. 13 para. 1 lit. f GDPR),
- the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
- where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).
It is not necessary to list WooCommerce with its own boilerplate text in the privacy policy. A topic-oriented approach is more appropriate – describing processing across topics (server operations, sales/payment, user accounts, etc.) and naming the cloud service providers used – such as Automattic for activated cloud functions – in an annex of recipients. This is exactly the methodology that the matterius generator follows.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of WooCommerce
According to the publicly available information, the provider of the WooCommerce plugin is WooCommerce, Inc., a subsidiary of Automattic Inc., based at 60 29th Street #343, San Francisco, CA 94110, USA. WooCommerce is published as an open-source plugin under the GPL; a contractual relationship between the website operator and Automattic only arises if the operator uses paid extensions, cloud services or "WooCommerce.com" functions.
To the extent that a cloud component is used: according to the publicly available information, Automattic Inc. is certified under the EU-US Data Privacy Framework (DPF); the status can be verified at https://www.dataprivacyframework.gov/s/participant-search. EU Standard Contractual Clauses are used as additional safeguards.
Automattic's privacy notice is available at https://automattic.com/privacy/. General information on WooCommerce and data protection is available at https://woocommerce.com/document/privacy-policy/ and https://woocommerce.com/document/data-handling/.
D. Data Processing by WooCommerce – Step by Step
E. Data Collected by WooCommerce
In connection with WooCommerce, the data processed typically includes IP address, timestamp, requested URL, referrer, user-agent, device and browser information, cart and order data, shipping and billing address, email address, telephone number, possibly payment information and – with customer accounts – user-account data.
The data can be classified into the following standardised data categories:
- Web server log data: IP address, timestamp, URL, referrer, user-agent, status code of the server response.
- Click paths: visits to product, category, cart and checkout pages.
- Device data: device type and operating system.
- Browser information: browser name and version.
- Coarse location data: location derived from the IP address at city or municipality level.
- User-account data: with an active customer account, username, email, password stored as a salted one-way hash (WordPress never stores the plaintext password), roles and permissions, login histories.
- Conversion events: order completions, visits to thank-you pages, newsletter sign-ups.
In the order process, typical purchase and payment data is also processed (name, address, email, order positions, payment information).
F. Purposes when Using WooCommerce
Website operators use WooCommerce to handle online sales, including product display, cart, order completion, payment processing, shipping, invoicing and customer account management.
These purposes can be classified into the following standardised purpose categories:
- Provision of functionality: technical provision of the shop, display of products, cart and checkout functionality, error detection and correction.
- Contract performance: handling of the purchase contract, payment processing, invoicing.
- Security and abuse prevention: detection and prevention of order fraud and account abuse.
- Fulfilment of retention obligations: retention of order data in accordance with § 147 AO and § 257 HGB.
- Compliance: compliance with statutory requirements (e.g. EU consumer protection law).
- Legal defence: assertion, exercise or defence of legal claims, e.g. in warranty cases.
- Communication: order confirmation, customer service, shipping notifications.
G. Legal Bases when Using WooCommerce
In a first step, WooCommerce must be assigned to a tool category: it is mainly a tool from the Sales/Payment category, complemented by functions in the User account and Server operations/Hosting categories.
In a second step, the following legal bases typically come into consideration:
- For the processing of order and customer data: contract performance under Art. 6 para. 1 lit. b GDPR.
- For the retention of tax and commercial law data: legal obligation under Art. 6 para. 1 lit. c GDPR in conjunction with § 147 AO, § 257 HGB.
- For customer accounts: contract performance of the underlying legal relationship under Art. 6 para. 1 lit. b GDPR.
- For security and abuse prevention: legitimate interests in abuse prevention and security under Art. 6 para. 1 lit. f GDPR.
- For technically necessary cookies (e.g. the WooCommerce session cookie `wp_woocommerce_session_*` and the cart cookies `woocommerce_cart_hash` and `woocommerce_items_in_cart`): typically § 25 para. 2 no. 2 TDDDG (necessity exception). Cookies set by extensions (tracking, marketing) do not fall under this exception and must be assessed separately.
- For subsequent advertising email communications to existing customers: typically § 7 para. 3 UWG together with the legitimate interest in advertising, or consent.
Which legal basis is specifically applicable depends on the configuration and the extensions used and must be examined by the website operator on a case-by-case basis.
H. Particularities and Notes on WooCommerce
- Self-hosting: WooCommerce runs on the website operator's own WordPress installation. The operator is therefore the controller and responsible for the GDPR-compliant configuration and security of the installation.
- Cloud functions: If the operator activates cloud functions (e.g. WooCommerce.com connectivity, "WooCommerce Payments" via Stripe, automated tax calculation), additional processing by Automattic and/or third-party providers is added, each of which must be assessed separately.
- DPA: A data processing agreement with the hoster is generally required; activated cloud functions may require additional DPAs with Automattic or third-party providers.
- Extensions / plugins: Each extension (marketing plugin, tracking, newsletter, payment gateway) must be assessed separately from a data protection perspective.
- Third-country transfer: If cloud functions are activated, data may be transferred to the USA. According to the publicly available information, Automattic is certified under the EU-US Data Privacy Framework.
- Subprocessors: Where cloud functions are activated, Automattic's sub-processors can be taken from its privacy notice.
- Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
I. Frequently Asked Questions on WooCommerce and Data Protection
J. Conclusion on WooCommerce
When using WooCommerce, the website operator handles online sales on its own WordPress installation. Unless cloud functions are activated, processing takes place primarily on its own infrastructure; the operator is the controller and responsible for the GDPR-compliant configuration. Key obligations are concluding a data processing agreement with the hoster, deliberately configuring extensions and – where cloud functions are activated – a separate data protection assessment of Automattic and any other providers.
It is generally not advisable for the website operator to include a dedicated boilerplate text for WooCommerce in the privacy policy. A structured, topic-oriented approach is recommended that explains tools across topical blocks (sales/payment, user account, server operations, etc.) and only names individual service providers such as the hoster or – where cloud functions are activated – Automattic in an annex of recipients. This is exactly the methodology that the matterius generator follows.
This article provides general information on WooCommerce and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com