Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Klickly is a US based commerce centric advertising platform that serves AI powered shoppable ads on premium publishers and social inventory. Direct to consumer brands plug their product catalogues into Klickly and let the platform build audiences, run dynamic creative tests and optimise for return on ad spend. Because Klickly uses third party cookies for retargeting and transfers data to the United States, GDPR compliant deployment requires explicit consent and a documented data transfer chain.
Klickly is a US headquartered commerce advertising platform that creates and serves AI driven shoppable ads. Direct to consumer brands connect their product catalogue (Shopify, BigCommerce, Magento) to Klickly, which then runs cross publisher creative testing, audience building and bid optimisation. The platform targets high intent shoppers on premium publishers and social properties, with attribution to revenue and a focus on return on ad spend.
Klickly collects conversion events, product views, add to cart and checkout actions, IP addresses, user agents, referrers, UTM parameters, click identifiers and an anonymous Klickly cookie identifier. Advertisers may optionally send first party data through the Conversions API (hashed email, phone) for audience matching across the publisher network.
Klickly is a third party advertising processor. Its cookies are not strictly necessary, so they require prior consent under Art. 5(3) of the ePrivacy Directive. Behavioural advertising and retargeting must rely on consent under Art. 6(1)(a) GDPR, as the EDPB and several national authorities have ruled out legitimate interest for these purposes.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the Klickly pixel through your Consent Management Platform. Only fire the tag and Conversions API after consent for marketing is granted. Hash first party identifiers before transmission and apply Google Consent Mode v2 signals when combined with Google Ads campaigns.
Klickly Inc. is certified under the EU US Data Privacy Framework, which provides an adequacy mechanism for transfers to the United States. Operators must still document a Transfer Impact Assessment, sign Klickly Standard Contractual Clauses and monitor any legal challenge to the DPF post Schrems II.
Sign the Klickly DPA and SCCs, gate the pixel and the Conversions API in your CMP, list Klickly in your Article 30 register, hash personal data before transmission, update your privacy notice to mention the US transfer and partner publishers, and offer a self service opt out so customers can revoke consent at any time.
Websites using Klickly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Klickly is deployed for large scale retargeting, when product data is combined with customer CRM identifiers through the Conversions API, or when advertising activity targets users in regulated sectors.
Sample consent text
We use Klickly, a US based shoppable advertising platform, to display targeted product ads on partner publishers, measure conversions and personalise our retargeting. This involves transferring your personal data to the United States.
Third-party domains contacted
klickly.comklickly.comcdn.klickly.comcdn.klickly.compixel.klickly.comapi.klickly.compixel.klickly.comtrack.klickly.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| klk_uid | Marketing | 1 year | Unique Klickly identifier used to track a shopper across publishers and tie behaviour to a Klickly profile. |
| klkvid | third_party | 12 months | Long lived advertising visitor identifier used to recognise the browser across sessions, devices and partner properties for retargeting, audience building and frequency capping. |
| klk_session | Marketing | Session | Tracks the current shopping session, including product views and add to cart events for attribution. |
| klksess | third_party | session | Session cookie that scopes the current visit, links pageviews and in unit interactions to a single browsing session and helps detect invalid traffic. |
| klk_match | Marketing | 30 days | Cookie matching identifier used to synchronise Klickly audiences with publisher and DSP partners. |
| klk_optin | first_party | 12 months | Consent and opt in flag that records the choice made by the user in the cookie banner so that the pixel only fires when advertising consent is present. |
| klk_attr | third_party | 30 days | Attribution cookie that links a click or an in unit engagement to a later purchase on the merchant site for conversion tracking and commission calculation. |
| klk_aud | third_party | 6 months | Advertising audience cookie that stores pseudonymous segment identifiers used to build lookalike audiences and to personalise the products shown in the ad unit. |
Klickly places tracking cookies for advertising — comply with GDPR using FlowConsent.
Klickly sets a small group of cookies and similar identifiers when the pixel and the ad unit load. They typically include a long lived visitor identifier used to recognise the browser across sessions and partner sites, a session cookie that scopes the current visit, an opt in or consent flag that records the user choice, and one or more attribution cookies that link a click or in unit engagement to a later purchase. These cookies are mostly third party, set on Klickly controlled domains, and are classified as advertising and marketing cookies under most cookie taxonomies.
Klickly sets a unique visitor identifier, a session cookie for shopping attribution and a cookie matching identifier used to synchronise audiences with downstream publishers and DSPs. These cookies are marketing cookies and require prior consent.
Yes. Because Klickly stores and reads information on the user device for advertising, profiling, retargeting and measurement, prior consent is required under Article 5(3) of the ePrivacy Directive and under the corresponding national rules, such as the French Data Protection Act, the German TTDSG and the Spanish LSSI CE. The lawful basis under GDPR is Article 6(1)(a) consent. The pixel must remain blocked until the user has given consent and it must be possible to withdraw consent at any time, as easily as it was given.
Yes. Klickly is a third party advertising platform whose cookies are not strictly necessary. Art. 5(3) of the ePrivacy Directive and Art. 6 GDPR require explicit consent before the pixel fires and before any first party data is sent via the Conversions API.
The applicable lawful basis is consent under Article 6(1)(a) GDPR, combined with the consent requirement of Article 5(3) of the ePrivacy Directive for storing or reading information on the terminal. Legitimate interests under Article 6(1)(f) is not appropriate because the processing involves cross site tracking, large scale behavioural profiling and personalised advertising, which the European Data Protection Board considers to require consent and to fall outside the scope of legitimate interests as a sole basis.
Consent (Art. 6(1)(a) GDPR). Legitimate interest cannot justify cross context behavioural advertising under EDPB Guidelines 8/2020 and 2/2023, a position reinforced by the 2024 binding decisions against Meta and TikTok.
Yes. Klickly Inc is established in the United States and operates its infrastructure primarily from there, so personal data of EU and UK users is transferred outside the European Economic Area. Transfers should rely on the EU US Data Privacy Framework where Klickly is certified, or on the European Commission Standard Contractual Clauses with supplementary measures such as encryption, pseudonymisation and access controls. A Transfer Impact Assessment is recommended to document the assessment of US surveillance laws and the safeguards put in place.
Yes. Klickly Inc. is based in Los Angeles. The transfer relies on the EU US Data Privacy Framework, supplemented by Standard Contractual Clauses and a Transfer Impact Assessment.
In most deployments a Data Protection Impact Assessment under Article 35 GDPR is required. Klickly typically involves systematic monitoring of online behaviour, profiling, large scale processing and use of innovative advertising technology, which match several criteria of the European Data Protection Board guidelines on DPIAs and the lists published by national authorities such as the CNIL, the Spanish AEPD and the German supervisory authorities. The DPIA should document the data flows, the international transfers, the necessity and proportionality, the rights of data subjects and the technical and organisational measures.
A DPIA is recommended when Klickly is used at scale for retargeting, when combined with first party CRM identifiers, or when targeting categories with regulatory sensitivity. It can be mandatory under Art. 35 GDPR if the risk is high.
A compliant deployment starts with a consent management platform that blocks the Klickly pixel and ad unit until the user opts in for advertising cookies. The cookie banner must offer accept and reject choices with equal prominence, and provide granular options for marketing and analytics purposes. The privacy policy and cookie policy must name Klickly Inc as a recipient, describe the categories of data, the retention periods and the international transfers, and reference the legal basis. A data processing agreement with reference to the SCCs and the Data Privacy Framework, a Transfer Impact Assessment and a process for handling data subject rights complete the setup.
Gate Klickly behind a Consent Management Platform, sign the DPA and SCCs, document a Transfer Impact Assessment, hash first party identifiers before transmission, and disclose Klickly Inc. and its US transfer in your privacy notice.
Yes. European shoppable advertising and product ads networks such as Criteo (France), RTB House (Poland), Adverity (Austria with EU hosting), and Awin (Germany) offer comparable functionality with EU data residency.
Alternatives include other commerce focused programmatic and retargeting platforms such as Criteo, AdRoll, Rokt, Outbrain, Taboola and Bloomreach, as well as the demand side platforms offered by Google, Meta, Microsoft Advertising and Amazon Ads, each with their own privacy posture. For European operators looking for stronger data sovereignty, options include EU based DSPs and contextual advertising solutions that do not rely on cross site profiling, which can reduce the legal complexity associated with US transfers and behavioural tracking.
The cookie policy should list each Klickly cookie or identifier by name, describe its purpose, its category as advertising or marketing, its retention period and whether it is first party or third party. The policy should also identify Klickly Inc as the recipient, mention the United States as the destination of the transfer, refer to the EU US Data Privacy Framework and to the Standard Contractual Clauses as transfer mechanisms, and explain how the user can accept, reject and withdraw consent at any time through the cookie settings.
List Klickly cookies (klk_uid, klk_session, klk_match) with purpose, duration and provider. Disclose Klickly Inc. as a sub processor in the United States and mention the partner publishers used for shoppable ads. Re trigger the consent banner.