Flowbox is a Swedish user generated content and influencer marketing platform used by 1000+ brands across 40 markets. It collects, moderates and publishes social content from Instagram, TikTok, Facebook, Pinterest, YouTube and Twitter into product pages, lookbooks, emails and ads. Flowbox is hosted in the European Union and offers a cookieless mode via the allowCookies parameter, but its analytics tracking is still subject to the GDPR and the ePrivacy Directive.
Flowbox is a Swedish SaaS platform dedicated to user generated content and influencer marketing. It lets brands aggregate social content from Instagram (hashtags, mentions, stories), TikTok, Facebook, Pinterest, YouTube and Twitter, moderate it, secure media rights from the authors, link it to products, and publish it across product pages, category pages, lookbooks, email widgets, mobile apps, in store screens and dynamic product ads.
Flowbox is integrated through a small JavaScript snippet that loads the chosen flow into a container on the merchant page. Each widget can run with cookies enabled or disabled via the allowCookies parameter, which is unusual for this category of tool and a valuable feature for compliance heavy markets.
With cookies enabled, Flowbox sets first party cookies on the merchant domain to recognise returning visitors, group engagement events (impressions, clicks, conversions on linked products) and feed the analytics dashboard. With allowCookies set to false, the widget runs without persistent identifiers and only logs aggregated, non identifying signals.
Beyond visitor data, Flowbox processes the personal data of the original content authors: names, profile pictures, social handles, captions and photos pulled from social platforms. The platform also runs a Visual Search engine, which can apply image recognition to the UGC pool.
When Flowbox is configured with cookies, the analytics tracking is not strictly necessary under Article 5(3) of the ePrivacy Directive and prior consent is required. When Flowbox runs in cookieless mode, the consent banner can fall back to a simple notice in the privacy policy, provided no other identifier is set client side.
For UGC ingested from third party platforms, the merchant becomes a data controller for the new processing activity (display on the storefront, use in newsletters, in ads). The Flowbox media rights workflow helps document author consent for that republication.
Flowbox is headquartered in Stockholm with offices in Barcelona, Amsterdam and Copenhagen. The core processing infrastructure is hosted in the European Union, which means the visitor and UGC data does not leave the EU under the default configuration. This is a meaningful compliance advantage compared with US based UGC vendors.
Onward transfers can still happen when the UGC DPA feature is used to feed Meta or TikTok dynamic product ads, since those platforms operate globally. That secondary flow must be assessed under Chapter V of the GDPR, with the appropriate safeguards.
To use Flowbox on a website that targets EU or UK visitors, you should: decide upfront whether you need analytics tracking or whether the cookieless mode is enough, gate the widget behind consent with a CMP such as FlowConsent when cookies are enabled, name Flowbox in your cookie and privacy policies, sign the Data Processing Addendum, run a DPIA when the UGC DPA retargeting feed is activated, and document the rights granted by each UGC author through the Flowbox media rights workflow.
For brands looking for an EU hosted UGC stack, Flowbox is one of the strongest options on paper. Comparable vendors include Photoslurp (now part of Flowbox), Stackla and Bazaarvoice for the high end, and Avis Verifies or Trusted Shops when the focus is on reviews rather than visual UGC. To reduce the risk further, run Flowbox with allowCookies set to false in regions where you do not need analytics tracking, and only enable UGC DPA on segments where the social retargeting transfer is documented in your privacy notice.
Websites using Flowbox must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is recommended when Flowbox is used at scale, especially with the UGC DPA retargeting feature that pushes UGC into Meta and TikTok ad platforms. Key risks: indirect collection of personal data from third party authors (names, photos, social handles), engagement tracking of EU visitors, and onward transfer to social platforms when UGC DPA is enabled. Document the lawful basis, the necessity test and the rights of the original content authors, including their ability to request removal.
Sample consent text
We use Flowbox to display user generated content and influencer photos on our website. The Flowbox widget can place a small first party cookie to measure engagement and conversion. Our platform supplier is based in Sweden, so the core data stays in the European Union. You can accept, refuse or customise these cookies and you can withdraw your consent at any time from our cookie preferences page.
Third-party domains contacted
getflowbox.com
js.getflowbox.com
api.getflowbox.com
cdn.getflowbox.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| flowbox | first_party | 1 year | First party visitor identifier set on the merchant domain when allowCookies is true, used to recognise returning visitors and group engagement events such as impressions, clicks and conversions on linked products |
| flowbox_session | first_party | session | Session level identifier used to group widget interactions within a single visit, only set when allowCookies is true |
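
The consent rules described on this page can be checked against a captured page load. The following is an added example, not code from Flowbox or FlowConsent: it flags Flowbox cookies in cookieless mode, and Flowbox cookies or requests seen before consent when cookies are enabled. The observation shape and the sample values are assumptions; the domains and cookie names are the ones listed above.

```javascript
// Added example: domains and cookie names are the ones listed on this page.
const FLOWBOX_DOMAINS = ["getflowbox.com", "js.getflowbox.com",
  "api.getflowbox.com", "cdn.getflowbox.com"];
const FLOWBOX_COOKIES = ["flowbox", "flowbox_session"];

// Exact or dot-suffix match, so "notgetflowbox.com" is not flagged.
function isFlowboxHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return FLOWBOX_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// obs = { consentGiven, allowCookies, cookieString, requestUrls } is a
// hypothetical shape, e.g. filled from a HAR export of one page load.
function auditFlowbox(obs) {
  const findings = [];
  const hosts = new Set();
  for (const u of obs.requestUrls) {
    try {
      const host = new URL(u).hostname;
      if (isFlowboxHost(host)) hosts.add(host);
    } catch (_) { /* ignore entries that are not absolute URLs */ }
  }
  const cookies = cookieNames(obs.cookieString)
    .filter((n) => FLOWBOX_COOKIES.includes(n));
  // Cookieless mode must leave no Flowbox identifier behind.
  if (!obs.allowCookies && cookies.length > 0)
    findings.push("cookieless mode but cookie present: " + cookies.join(", "));
  // With cookies enabled, the widget must stay blocked until consent.
  if (obs.allowCookies && !obs.consentGiven) {
    if (cookies.length > 0)
      findings.push("cookie set before consent: " + cookies.join(", "));
    if (hosts.size > 0)
      findings.push("widget loaded before consent: " + [...hosts].sort().join(", "));
  }
  return findings;
}

// Constructed sample: a page load captured before the visitor answered the banner.
const SAMPLE = {
  consentGiven: false, allowCookies: true,
  cookieString: "theme=dark; flowbox=abc123",
  requestUrls: ["https://shop.example/", "https://js.getflowbox.com/constructed.js"],
};
console.log(auditFlowbox(SAMPLE));
```

An empty result means none of the listed cookies or domains appeared in a state where the rules above say they should not.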
When the widget is loaded with allowCookies set to true, Flowbox places a small first party cookie on the merchant domain to recognise returning visitors and group engagement events such as impressions, clicks and conversions on linked products. When allowCookies is set to false, no persistent identifier is stored and only aggregated, non identifying signals are sent to the analytics dashboard.
It depends on the configuration. With cookies enabled, Flowbox is an analytics and engagement tool that falls outside the strictly necessary exemption of Article 5(3) of the ePrivacy Directive, so prior consent is required. With cookieless mode (allowCookies false) and no other identifier set, the consent banner can be lighter, but the privacy policy must still mention Flowbox and the UGC ingestion.
For visitor tracking with cookies, the lawful basis is consent under Article 6(1)(a). For the UGC pulled from social platforms, the merchant relies on the original platform terms combined with the rights granted by the author via the Flowbox media rights workflow and, when needed, on legitimate interests under Article 6(1)(f) with a documented balancing test.
Flowbox is operated by a Swedish SaaS company and hosts its core processing infrastructure in the European Union. Visitor data and UGC do not leave the EU under the default configuration. Onward transfers can occur when the UGC DPA feature pushes content into Meta or TikTok ad platforms, in which case Chapter V GDPR safeguards apply on that secondary leg.
A DPIA is recommended when Flowbox is deployed at scale, especially with the UGC DPA retargeting feed enabled. The combination of engagement tracking, indirect collection of personal data from third party authors, and onward transfer to social ad platforms triggers several criteria from the EDPB DPIA list. Document the lawful basis, the data flows, the safeguards and the rights of all data subjects.
Decide whether you need analytics tracking or whether the cookieless mode is enough. Block the widget behind consent through a CMP such as FlowConsent when cookies are enabled, classify it under analytics or marketing, name Flowbox in your privacy and cookie policies, sign the Data Processing Addendum, run a DPIA when UGC DPA is activated, and use the Flowbox media rights workflow to document author consent for republication.
Flowbox is one of the strongest EU hosted UGC vendors on the market. Comparable options include Photoslurp (now part of Flowbox), Stackla and Bazaarvoice for the high end, and Avis Verifies or Trusted Shops when the focus is on reviews rather than visual UGC. For lighter use cases, native Shopify or PrestaShop reviews extensions can also work without third party tracking.
List Flowbox in your cookie policy under the analytics or marketing category when allowCookies is true. Specify the cookie name, the purpose (engagement tracking and conversion measurement), the duration, the controller and processor roles, and the fact that the data stays in the European Union by default. Mention Flowbox in your privacy policy regardless of the cookie configuration, since UGC ingestion involves processing of third party authors' data.