Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
CXDP by Wiraya is a Swedish customer experience and data platform that powers proactive voice, SMS and conversational engagement for telcos, energy, insurance and financial services on EU infrastructure.
CXDP, by Swedish vendor Wiraya, is a customer experience and data platform that ingests events from CRM, billing and payment systems, enriches them with behavioural web data, and orchestrates proactive outbound conversations across voice, SMS and conversational channels. Telecoms, energy retailers, insurers and banks use it for churn, collections, onboarding and renewal, on EU managed infrastructure. We focus on the Wiraya product, the most referenced CXDP in European privacy disclosures, but most guidance applies to any customer experience data platform combining CRM with web tracking and outbound channels.
On controller sites the tracker sets a first party visitor cookie (cxdp_visitor, plus session companion cxdp_session and longer lived wiraya_id) to deduplicate visits and link anonymous behaviour to known customers once an identifier is provided. Server side, CXDP receives data held by the controller: contact details, contract metadata, transactions, segmentation attributes and consent state, plus telemetry such as call outcomes, SMS delivery receipts and click events. Exposed domains include wiraya.com, cxdp.wiraya.com, api.wiraya.com, cdn.wiraya.com and tracker.cxdp.io.
Wiraya acts as a processor for its customers, who remain controllers. The web tracker is subject to ePrivacy as implemented nationally (German TDDDG, Swedish rules), so storing and reading the first party cookie requires prior informed consent unless strictly necessary. Outbound voice and SMS fall under ePrivacy Article 13 and national direct marketing rules, generally requiring opt in consent for promotional content while allowing service messages under contract or legitimate interest. Because CXDP supports cross channel profiling in regulated sectors, controllers should treat it as high risk.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Two consent layers apply. On the website, the cxdp_visitor cookie and tracker script must load only after the visitor accepts analytics or marketing categories in a compliant CMP. For outbound messaging, controllers rely on contract performance (Art. 6(1)(b)) for transactional communication, legitimate interest (Art. 6(1)(f)) for related service notifications after a balancing test, and explicit consent (Art. 6(1)(a)) for marketing; sector rules in telco, finance and insurance may add documentation requirements. Granular consent, easy withdrawal and clear retention should be configured per campaign.
Wiraya hosts CXDP in AWS Stockholm and Frankfurt and keeps primary processing in the EU, which limits Schrems II concerns. However, communications subprocessors such as Twilio and Sinch may route SMS or voice through US or UK infrastructure under Standard Contractual Clauses and supplementary measures, so controllers should review the subprocessor list and reflect it in their records of processing and privacy notice. Practical steps: sign the Wiraya DPA, run a DPIA for high risk campaigns, configure retention, restrict access and update the cookie policy to mention the CXDP tracker.
Websites using CXDP must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because CXDP combines CRM data, behavioural web events and outbound voice and SMS channels across regulated sectors (telco, finance, insurance, energy), enabling systematic profiling and proactive contact that can affect data subjects significantly.
Sample consent text
We use CXDP by Wiraya to coordinate proactive customer communications across voice, SMS and our website. With your consent, CXDP may set a first party visitor cookie and link your interactions to your customer record so we can send relevant service and marketing messages. You can withdraw consent at any time in your preferences.
Third-party domains contacted
wiraya.comcxdp.wiraya.comapi.wiraya.comcdn.wiraya.comtracker.cxdp.ioevents.wiraya.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cxdp_visitor | first_party | 1 year | Persistent visitor identifier used by the CXDP web tracker to deduplicate visits and link anonymous behaviour to a known customer once an identifier is provided. |
| cxdp_session | first_party | Session | Session level cookie used to group page views and events from the same browsing session for behavioural enrichment in CXDP. |
| wiraya_id | first_party | 13 months | Stable customer identifier used by CXDP to associate web events with a CRM contact across visits for cross channel orchestration. |
| cxdp_consent | first_party | 6 months | Stores the current consent state for tracking and marketing so the CXDP tracker only loads after the visitor has accepted the relevant categories. |
| cxdp_campaign | first_party | 30 days | Optional attribution cookie used to record the campaign or channel that brought the visitor, so CXDP can attribute conversions and conversations. |
CXDP places tracking cookies for advertising — comply with GDPR using FlowConsent.
On controller sites CXDP typically sets a first party cxdp_visitor cookie, a session cookie cxdp_session and a longer lived wiraya_id used to link anonymous web behaviour to a known customer once identified. Exact names depend on configuration.
Yes for the web tracker. Because the cxdp_visitor cookie is used for behavioural enrichment and marketing, ePrivacy rules require prior opt in consent through a compliant CMP before the CXDP tracker script is loaded.
Service related communications can rely on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). Marketing campaigns, profiling and the web tracker require consent (Art. 6(1)(a)), with sector rules in telco, finance and insurance adding extra requirements.
Wiraya hosts CXDP in AWS Stockholm and Frankfurt, so primary processing stays in the EU. Some communication subprocessors (for example Twilio, Sinch) may route SMS or voice through US or UK infrastructure under Standard Contractual Clauses.
A DPIA is strongly recommended. CXDP combines CRM data, behavioural web events and proactive outbound contact across regulated sectors, which qualifies as systematic profiling likely to significantly affect data subjects.
Sign the Wiraya DPA, map the current subprocessor list, gate the web tracker behind a CMP, configure granular consent and retention, restrict employee access, run a DPIA for high risk campaigns and document the rationale per channel.
Alternatives include Twilio Engage, Salesforce Data Cloud, Segment, mParticle, Tealium AudienceStream, BlueConic (Dutch) and Squeezely (Dutch), each with different hosting footprints and channel coverage worth comparing for your sector.
Add an entry naming Wiraya CXDP as a processor, list cxdp_visitor, cxdp_session and wiraya_id with their purpose and duration, note the EU hosting in Stockholm and Frankfurt and reference any communication subprocessors used for SMS or voice.