Lemon Squeezy

Lemon Squeezy

Lemon Squeezy is a payment and subscription platform for selling digital products and software. Its scripts embed checkout overlays and payment forms on websites, handle secure payment processing through iframe-based flows, and may set cookies to maintain cart state and attribute purchase sessions.

Back to Vendor Library

Overview

Lemon Squeezy is a merchant-of-record payment platform for indie developers and digital product creators, handling the full commerce stack including checkout, tax compliance, subscription billing, and license key delivery. Acquired by Stripe in 2024, it competes with Paddle in the merchant-of-record space. Its client-side scripts appear on websites that have embedded a Lemon Squeezy checkout overlay or buy button, enabling in-page purchases without redirecting to an external URL.

What This Script Does

Lemon Squeezy's embed script (loaded from assets.lemonsqueezy.com) initializes an overlay checkout system and performs the following:

  • Overlay initialization: The script injects a modal or sidebar checkout iframe loaded from lemonsqueezy.com when a purchase trigger is activated. The iframe handles all payment form rendering within Lemon Squeezy's secure origin.
  • Cart state cookies: A session cookie is set to maintain cart contents and checkout progress during the purchase flow. This cookie typically expires at session end and is necessary for the checkout to function.
  • Affiliate tracking: If the operator has enabled Lemon Squeezy's affiliate program, referral parameters in the URL are captured and persisted in a first-party cookie (similar to how Rewardful functions) with a 30-day default expiry.
  • Purchase session attribution: The script may set a persistent cookie to attribute the conversion to a traffic source or affiliate, surviving across browser sessions until the purchase is completed.
  • Post-purchase events: After a successful purchase, the script fires a JavaScript event and may trigger third-party integrations the operator has configured (such as Google Analytics or Facebook Pixel conversion events) by calling their respective APIs.

Sensitive payment data (card numbers, billing addresses) is handled entirely within the Lemon Squeezy iframe and never exposed to the host page's JavaScript context.

Consent & Compliance

GDPR and ePrivacy: The checkout overlay relies on session cookies that are necessary to provide the service requested by the user (completing a purchase), which qualifies as essential under the ePrivacy Directive — no consent is required for these. However, the affiliate tracking cookie and any post-purchase analytics or marketing pixels loaded by the script are non-essential and require prior consent. Operators should configure their consent management platform to allow the core checkout script but gate any affiliate tracking or marketing event firing behind consent.

CCPA/CPRA: As a Stripe subsidiary, Lemon Squeezy processes payment and purchase data under established financial services data handling practices. Affiliate tracking data and behavioral attribution cookies constitute personal information under CCPA. Operators must disclose this data collection and provide opt-out mechanisms for non-essential tracking.

This vendor falls in the mixed category (essential + functional). Core checkout functionality is essential; affiliate attribution and marketing event integrations are not.

Should You Block This Without Consent?

Conditional.

The core Lemon Squeezy checkout script serves an essential transaction function and may load without consent when a user actively initiates a purchase. The affiliate tracking cookies and any marketing event fires configured within the integration must be gated behind consent. Structure your consent configuration to allow the essential checkout flow while blocking non-essential tracking components.

Visit website

Consent Categories

Essential
Functional

Also Known As

lemon squeezylemonsqueezylemon squeezy checkoutdigital product paymentslemon squeezy consent

Industries

Programming and Developer SoftwareComputers Electronics and Technology

Tracked Domains (1)

lemonsqueezy.comEssential

Frequently Asked Questions

Is cookie consent required for Lemon Squeezy checkout?

Generally no for the core checkout, but it depends on usage. Lemon Squeezy's overlay sets session cookies to maintain cart state, which is essential for purchases. However, its affiliate tracking features set persistent cookies for referral attribution, which require marketing consent under GDPR and ePrivacy.

What cookies does Lemon Squeezy set on buyer browsers?

Lemon Squeezy's embed script from assets.lemonsqueezy.com loads a checkout overlay iframe and sets a session cookie for cart contents and progress. This cookie expires at session end. If affiliate tracking is active, a persistent cookie attributes the purchase to a referral partner for commission payouts.

How does ConsentStack manage Lemon Squeezy scripts?

ConsentStack detects Lemon Squeezy's checkout scripts and classifies them as essential and functional. The core checkout overlay loads for transaction completion. If affiliate tracking cookies are present, ConsentStack separately gates those under marketing consent, ensuring purchases work while respecting privacy.

Related Vendors

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Lemon Squeezy

ConsentStack automatically detects and manages Lemon Squeezy trackers so your site stays compliant with global privacy regulations.

Get started free