Mindbox is a Customer Data Platform combining customer profiles, segmentation, real time triggers, email, SMS, web push, on site personalisation and product recommendations. Its JavaScript SDK sets the mindboxDeviceUUID cookie, captures behavioural events and identifies customers across sessions. As a CDP performing cross visit tracking and operating from infrastructure outside the EU, it requires prior consent under the GDPR and the ePrivacy Directive.
Mindbox is a Customer Data Platform that bundles unified customer profiles, real time event ingestion, behavioural triggers, email, SMS, web push, mobile push, on site personalisation and product recommendations. It is widely used in retail and ecommerce, and integrates with major commerce backends and ad platforms.
The Mindbox SDK sets the mindboxDeviceUUID first party cookie on the merchant domain to recognise the device across sessions. When the customer logs in or submits a form with their email, Mindbox links the device UUID to the customer profile, turning anonymous browsing into identifiable data. Hashed email matching extends the identity resolution across channels.
The mindboxDeviceUUID cookie is not strictly necessary; Article 5(3) ePrivacy requires prior consent. The CDP processing (cross channel profiling, behavioural triggers, scoring) is opt in under the GDPR. Marketing emails, SMS and push follow national ePrivacy implementations and need their own opt in.
Block the Mindbox SDK through your CMP until consent is granted. Disable identity resolution and behavioural triggers for visitors without consent, capture explicit opt ins for email/SMS/push and propagate the consent state to the Mindbox profile so the platform respects withdrawal across all channels.
Mindbox infrastructure is primarily in Russia, which is not covered by an EU adequacy decision. Transfers must rely on Standard Contractual Clauses combined with supplementary measures (encryption, pseudonymisation, jurisdictional risk assessment) under the Schrems II framework, and must be analysed against current EU policy on Russia.
Run a full DPIA before deploying Mindbox to EU customers, sign Standard Contractual Clauses with supplementary measures, gate the SDK on consent, set retention on profiles and events and update the privacy policy with a clear description of the CDP processing and the transfer.
Websites using Mindbox must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is necessary because Mindbox is a CDP that performs identity resolution, builds detailed customer profiles, runs behavioural triggers and may transfer personal data to a non adequate country. Additional safeguards under Schrems II must be assessed.
Sample consent text
We use Mindbox as our Customer Data Platform. With your consent, Mindbox will set the mindboxDeviceUUID cookie, record your browsing and purchase activity, link it to your customer profile and forward the data to Mindbox infrastructure outside the EEA. You can refuse or withdraw your consent at any time from the cookie settings.
Third-party domains contacted
- api.mindbox.ru
- mindbox.ru
- cdn.mindbox.ru
- tracker.mindbox.ru

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| mindboxDeviceUUID | first_party | 2 years | Persistent device identifier set by the Mindbox SDK to recognise the device across sessions and link it to the unified customer profile in the Mindbox CDP. |
| mindbox_session | first_party | session | Stores the current Mindbox session state used to group events sent to the CDP backend. |
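
One way to check that the consent gate described above actually holds is to audit a recorded page-load trace for the Mindbox hosts and cookies listed here. This is an added example, not Mindbox or CMP code; the trace format (`type`, `t`, `url`, `cookie`, `granted`) and the sample values are assumptions constructed for illustration.

```javascript
const MINDBOX_DOMAIN = "mindbox.ru"; // parent of the api., cdn. and tracker. hosts
const MINDBOX_COOKIES = ["mindboxDeviceUUID", "mindbox_session"];

// Exact or subdomain match only, so "mindbox.ru.example.net" is not a hit.
function isMindboxHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === MINDBOX_DOMAIN || h.endsWith("." + MINDBOX_DOMAIN);
}

// Cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Report Mindbox activity seen while consent is absent (before a grant or after a withdrawal).
function auditTrace(events) {
  const findings = [];
  let consented = false;
  for (const ev of events) {
    if (ev.type === "consent") {
      consented = ev.granted === true;
    } else if (consented) {
      continue;
    } else if (ev.type === "request") {
      let host;
      try { host = new URL(ev.url).hostname; } catch { continue; }
      if (isMindboxHost(host)) findings.push({ t: ev.t, kind: "request", detail: host });
    } else if (ev.type === "cookie") {
      for (const name of cookieNames(ev.cookie)) {
        if (MINDBOX_COOKIES.includes(name)) findings.push({ t: ev.t, kind: "cookie", detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample trace (hypothetical shop and values, not real traffic).
const SAMPLE_TRACE = [
  { t: 0, type: "request", url: "https://shop.example/" },
  { t: 120, type: "request", url: "https://cdn.mindbox.ru/" },
  { t: 150, type: "cookie", cookie: "cart=1; mindboxDeviceUUID=constructed" },
  { t: 160, type: "request", url: "https://mindbox.ru.example.net/" },
  { t: 900, type: "consent", granted: true },
  { t: 950, type: "request", url: "https://tracker.mindbox.ru/" },
  { t: 2000, type: "consent", granted: false },
  { t: 2100, type: "request", url: "https://api.mindbox.ru/" },
  { t: 2150, type: "cookie", cookie: "mindbox_session=constructed" },
];
console.log(auditTrace(SAMPLE_TRACE));
```

An empty result means the gate held for that trace. Findings after the withdrawal event show that the consent state was not propagated.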
The Mindbox SDK sets the mindboxDeviceUUID first party cookie on the merchant domain, plus session storage entries that buffer events before they are sent to the Mindbox backend.
Yes. The cookies are not strictly necessary, the CDP performs identity resolution and behavioural profiling and the platform integrates marketing channels (email, SMS, push) that need their own opt in. Prior consent is required under Article 5(3) ePrivacy.
Consent for the cookies, the cross channel profiling and marketing communications. Contract performance can apply for transactional triggers tied to a purchase, but the CDP profiling itself remains opt in.
Yes. Mindbox runs primarily on infrastructure outside the EEA, with no EU adequacy decision available. Transfers must rely on Standard Contractual Clauses with Schrems II supplementary measures and a clear jurisdictional risk assessment.
Yes. The combination of identity resolution, large scale profiling, behavioural triggers and transfers to a non adequate country triggers a DPIA under Article 35 GDPR.
Run the DPIA, sign Standard Contractual Clauses with supplementary measures, gate the SDK on consent, restrict the data sent to what is strictly necessary, set retention on profiles and disclose the integration and the transfer in the privacy policy.
EU/UK based CDPs include Bloomreach Engagement (Czech Republic), Tealium AudienceStream EU, Emarsys (Austria), Salesforce Data Cloud EU region or Adobe Real Time CDP EU.
Add a section that names Mindbox, lists the mindboxDeviceUUID cookie with purpose and duration, mentions the email/SMS/push channels and discloses the transfer to Mindbox infrastructure outside the EEA with the legal mechanism used.