Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Engaga (engaga.com, also known as Engaga Spark) is a SaaS popup and on site marketing platform that lets website owners run signup forms, exit popups, promotional banners, and call to action overlays. It collects form data and basic visitor analytics through a JavaScript snippet.
Engaga, also branded Engaga Spark, is a SaaS marketing platform that lets website owners build and display popups, signup forms, exit intent overlays, promotional banners, and announcement bars without developer effort. The publisher embeds a small JavaScript snippet, configures campaigns from the Engaga dashboard, and Engaga decides when and to whom each popup should appear. Engaga is positioned as a generalist conversion optimisation widget similar to OptinMonster, Sumo, or Hello Bar.
The Engaga snippet typically sets cookies to throttle frequency (so the same popup is not shown repeatedly), to remember dismissals, and to track conversion attribution. It also captures the URL, referrer, screen size, language, an anonymous visitor identifier, and the content of any form submitted by the user (often an email address, name, or phone number). When the publisher integrates Engaga with an email service such as Mailchimp or Klaviyo, those identifiers are forwarded to the downstream platform.
Because Engaga writes cookies that are not strictly necessary for a service the user has explicitly requested, ePrivacy Art. 5(3) requires prior consent before the snippet runs. The processing of email addresses and form data is personal data under GDPR and needs a lawful basis. Marketing popups generally rely on Art. 6(1)(a) consent, complemented by the soft opt in rules of national law for follow up emails. The publisher remains the controller, while Engaga acts as processor and must offer an Art. 28 contract.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The cookie banner must offer accept and refuse with equal prominence, name Engaga as a recipient, and disclose the US hosting before the script loads. CNIL, BfDI, AEPD, and the Italian Garante stress that refusing must not block access, and that a popup must not act as a dark pattern that forces users to consent. The form itself should include a separate, unticked opt in for marketing communications and a privacy notice link, in line with EDPB Guidelines 05/2020 on consent.
Engaga operates on US infrastructure, so any deployment in the EU triggers GDPR Chapter V on international transfers. The controller should confirm whether Engaga self certifies under the EU US Data Privacy Framework, otherwise rely on Standard Contractual Clauses combined with a Transfer Impact Assessment. Supplementary measures such as IP minimisation, encryption in transit and at rest, and limiting the form fields exposed to the snippet help reduce residual risk.
Sign a GDPR Art. 28 DPA with Engaga, gate the snippet behind your consent management platform, and only load it after the user accepts marketing or functional cookies according to your taxonomy. Use a separate marketing opt in inside the popup, store proof of consent, and align retention with your CRM or email service. Update the privacy policy and the cookie table with Engaga, the cookies it sets, the data categories collected, the US transfer, and a link to its privacy notice.
Websites using Engaga must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is rarely mandatory for a popup tool, but a short impact assessment is recommended when Engaga is used to collect email addresses, behavioural triggers, or to combine with email marketing platforms. Document the data captured, the trigger logic (exit intent, scroll, time), the retention, the US hosting and transfer mechanism, and the opt in workflow. CNIL, AEPD, BfDI, and EDPB Guidelines 04/2022 on the calculation of administrative fines and 03/2022 on dark patterns are useful references.
Sample consent text
We use Engaga to display popups and signup forms and to remember whether you have already seen or dismissed them. With your consent, Engaga sets cookies and may transfer technical and form data to servers in the United States under Standard Contractual Clauses. You can change your choice at any time in our cookie settings.
Third-party domains contacted
engaga.comspark.engaga.comcdn.engaga.comapi.engaga.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| engaga_seen | third_party | 30 days | Records that the visitor has already seen a given popup so it is not shown again too soon. |
| engaga_dismiss | third_party | 90 days | Stores the user choice to dismiss a popup or signup form for a defined cooldown period. |
| engaga_uid | third_party | 1 year | Anonymous visitor identifier used to attribute conversions and orchestrate campaign frequency capping. |
| engaga_session | third_party | Session | Maintains state for the current session, including which campaign rules have been evaluated. |
Engaga places tracking cookies for advertising — comply with GDPR using FlowConsent.
Yes. The Engaga snippet sets cookies to throttle popup frequency, remember dismissals, and track conversions. None of these cookies is strictly necessary for a service explicitly requested by the user, so they fall under ePrivacy Art. 5(3) and require prior consent in the EU.
Yes. Loading the Engaga snippet writes cookies and processes user data for marketing purposes, which requires consent under both ePrivacy and GDPR. The popup itself must include a separate, unticked opt in for any follow up email marketing, with a clear privacy notice.
Consent under GDPR Art. 6(1)(a) is the standard basis for marketing popups and email collection. Legitimate interest is generally not appropriate because the processing is overtly marketing oriented. National rules, such as French law on commercial emails, may add a soft opt in option for existing customers.
Yes. Engaga is hosted in the United States. Transfers should rely on Standard Contractual Clauses and, where Engaga self certifies, the EU US Data Privacy Framework. A Transfer Impact Assessment and supplementary measures are recommended.
A full DPIA is rarely mandatory for a popup widget, but a short impact assessment is recommended when popups collect email addresses or use behavioural triggers (exit intent, scroll, dwell time). Document data flows, retention, US transfer, and the opt in workflow.
Place the snippet behind your CMP, default it to off, and load it only on the marketing or functional category according to your taxonomy. Add a clear, unticked marketing opt in inside the form, store proof of consent, and align fields with your data minimisation policy.
Comparable tools include OptinMonster, Sumo, Hello Bar, Privy, Sleeknote, Wisepops, and self hosted overlays in your CMS. Some EU based vendors offer similar features with EU only hosting, which may simplify the transfer story.
List Engaga explicitly with its purpose (popups, signup forms, exit overlays), the cookies it sets, their duration, the data categories collected, the hosting country (United States), the transfer mechanism, and a link to engaga.com privacy notice. Update the policy whenever you change campaigns or integrations.