Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
iZooto is a web push notification and audience marketing platform aimed at publishers. It uses the browser Push API to deliver push messages outside the website and tracks subscriber behaviour to segment audiences. Because iZooto stores a unique push subscription token tied to the device and runs behavioural cookies, it is fully subject to GDPR consent rules and the ePrivacy Directive in Europe. Data is processed in India and the United States, both third countries.
iZooto is a web push notification platform tailored to publishers and content brands. It builds and engages owned audiences by collecting browser based push subscriptions and broadcasting alerts when new articles or offers are published. iZooto also offers behavioural segmentation, RSS triggered campaigns and automated drips, all delivered server side via the Web Push protocol.
iZooto stores a Web Push subscription endpoint (FCM or Mozilla Autopush) tied to the browser, plus first party cookies (izt_uid, izt_session) for tracking subscriber behaviour and segmenting audiences. It collects URLs visited, click patterns on push notifications, country, browser type and device. The push token is the equivalent of a persistent device identifier.
Article 5(3) of the ePrivacy Directive requires consent before storing the push subscription token in the browser. Article 6 GDPR requires consent for sending direct marketing notifications. The CNIL has reminded publishers that browser native push prompts cannot serve as a substitute for prior consent: a layered banner must precede the prompt.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Implement a custom permission overlay that explains the purposes (push alerts, content recommendations) before triggering the browser native prompt. Behavioural segmentation cookies must be blocked until consent. Provide a clear unsubscribe path inside the website and not only in the browser settings.
iZooto operates from India with US infrastructure. India lacks an EU adequacy decision; transfers must rely on Standard Contractual Clauses (Module 2 controller to processor) and a documented Transfer Impact Assessment. The DPDP Act 2023 in India provides additional safeguards but does not equal GDPR.
Sign the iZooto DPA with SCCs, configure a custom opt in overlay, integrate with your CMP so the iZooto SDK loads only after consent, define a retention policy for inactive subscribers (e.g. 6 to 12 months), document iZooto in the record of processing and update the cookie banner to mention India and US transfers.
Websites using iZooto must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when iZooto is used at scale or combined with behavioural segmentation. Risks include unsolicited push messages, retention of subscription tokens beyond user expectation and transfers to a non adequate jurisdiction (India).
Sample consent text
We use iZooto to send web push notifications about our latest content. With your consent we also analyse which articles you read so we can send relevant alerts. You can revoke consent at any time in your browser settings or via the cookie preferences below.
Third-party domains contacted
izooto.comcdn.izooto.comapi.izooto.comfcm.googleapis.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| izt_uid | persistent | 12 months | Persistent first party cookie storing the unique iZooto subscriber identifier for behaviour tracking and audience segmentation. |
| izt_session | session | Session | Session cookie maintaining the browsing context for a subscriber while the iZooto SDK is active on the page. |
| izt_pn | persistent | 12 months | Stores the push notification preferences and topic subscriptions selected by the user inside the iZooto opt in flow. |
iZooto places tracking cookies for advertising — comply with GDPR using FlowConsent.
iZooto stores a Web Push subscription endpoint (FCM or Mozilla Autopush) plus first party cookies (izt_uid, izt_session) used to track subscriber behaviour and segment audiences. The push token acts as a persistent device identifier.
Yes. Storing the push subscription token is a non essential write to the browser triggering Article 5(3) ePrivacy. Sending direct marketing notifications also requires consent under Article 6(1)(a) GDPR.
Consent is the only legal basis. Soft opt in does not apply because push notifications are pushed outside the website, beyond the existing customer relationship exception of Article 13 ePrivacy.
Yes. Subscriber data is processed in India (head office) and the United States (infrastructure). India lacks an adequacy decision; the US is covered by the DPF when iZooto certifies. SCCs and a TIA are required.
A DPIA is recommended for large publishers using iZooto with behavioural segmentation, since storing push tokens combined with profiling represents systematic large scale processing.
Show a custom layered consent overlay before the browser native prompt, gate the iZooto SDK behind your CMP, sign the DPA with SCCs, document the service in your record of processing and configure retention policies for inactive subscribers.
Alternatives include OneSignal (US), Pushwoosh (US/CY), Webpushr (US), VWO Engage (formerly PushCrew, IN), and EU based options like Notix (EU) and Adcuri. Consider data residency and the existence of an EU adequacy mechanism for each.
List iZooto as a marketing notification processor with cookies izt_uid and izt_session, push subscription token storage, retention period, sub processors (Google FCM, Mozilla Autopush), India and US transfers, SCC reference and link to the iZooto privacy policy.