Privacy, GDPR & the AJAX Endpoint

June 5, 2026

What data the plugin touches, what it returns, and the implications for privacy and GDPR. Short version: the plugin itself collects and stores no personal data — it relies on WooCommerce’s existing pricing and geolocation.

What the AJAX endpoint receives and returns

  • Receives: a list of product IDs, plus the visitor’s normal WooCommerce cookies / session (sent automatically by the browser) so WooCommerce can resolve the correct price for their location.
  • Returns: only public price and (optionally) stock HTML for published products. No customer data, account data, or order data is returned. Draft, private, and scheduled products are never exposed.
  • It performs no writes and changes no state.

Geolocation

Per-visitor pricing uses WooCommerce’s own geolocation (IP-based) and your tax settings to decide the tax location. This is WooCommerce processing the visitor’s IP exactly as it already does for tax — the plugin doesn’t add a new data collector, it triggers WooCommerce’s existing logic inside the AJAX request. If your privacy policy already covers WooCommerce geolocation, nothing new is introduced.

Cookies

The plugin sets no cookies of its own. Client-side it only reads the existing woocommerce_cart_hash cookie — and only to optionally skip AJAX pricing once a cart has items.

Data the plugin stores

Only its settings (a handful of wc_ajax_pricing_* options) and — via the shared Super Speedy settings — your licence key and cached licence/update status (transients). No visitor or customer data is stored. See Uninstall & Data Cleanup for the full list.

The one PII caveat: verbose logging

If a developer enables WC_AJAX_PRICING_VERBOSE_LOGGING (off by default) to debug the VAT/tax logic, the server error log will include the resolved customer tax location (country / state / postcode / city). Treat that log as containing personal data while it’s enabled, and disable it and clear the log afterwards. See Debugging with Verbose Logging.

GDPR checklist

  • ✔ No new personal-data collection beyond WooCommerce’s existing geolocation.
  • ✔ No personal data returned by the endpoint (public price/stock only).
  • ✔ No plugin-set cookies.
  • ✔ Verbose logging is the only path that writes location data to disk — keep it off in production.

Cross-links: Debugging with Verbose Logging, Architecture (security model), Developer Reference, Uninstall & Data Cleanup.

×
1/1