Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Omnisend is a Lithuanian email and SMS marketing automation platform aimed at e-commerce merchants. Headquartered in Vilnius and built on AWS EU regions, it provides newsletter campaigns, automation workflows, popups and forms, segmentation, and integrations with Shopify, WooCommerce, BigCommerce, Magento, and others. Omnisend sets first-party cookies via its JavaScript tracker to identify visitors and tie their browsing behaviour to customer profiles.
Omnisend (Soundest UAB) is a Lithuanian email and SMS marketing automation platform aimed at e-commerce merchants. Founded in 2014 and headquartered in Vilnius, it serves over 100,000 merchants, with deep integrations into Shopify, WooCommerce, BigCommerce, Magento, PrestaShop, and other e-commerce platforms. Omnisend bundles email campaigns, SMS messaging, push notifications, automated workflows (welcome, abandoned cart, browse abandonment, post-purchase), popups and forms, segmentation, and reporting.
From the website: a visitor identifier set in first-party cookies, page views, e-commerce events (product views, cart updates, checkout steps, orders) ingested via the JavaScript tracker, and form submissions captured by Omnisend forms. From integrations: customer records, order history, product catalogue. From outbound campaigns: email opens and clicks, SMS delivery and reply status. Phone numbers and SMS opt-in proof are stored when the SMS channel is enabled.
The Omnisend tracker sets non-essential first-party cookies and must be gated behind a consent banner under ePrivacy and TTDSG. Email and SMS marketing rely on Art. 6(1)(a) consent (or the strict soft opt-in conditions for similar products in some jurisdictions). Transactional notifications can rely on Art. 6(1)(b) contract performance. SMS marketing requires explicit opt-in, easy opt-out, and proof of consent retention. Lithuania (the controller jurisdiction) has its own electronic communications law that aligns with ePrivacy.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Omnisend is EU-based and the primary processing happens on AWS EU regions. Some subprocessors used for SMS routing or AI features may be outside the EEA. The Omnisend DPA and subprocessor list document each transfer with the relevant SCCs and (where applicable) the EU-US Data Privacy Framework certifications.
Sign the Omnisend DPA, gate the Omnisend JavaScript tracker behind your Consent Management Platform, configure double opt-in for email marketing, capture explicit SMS opt-in with timestamp and IP, keep proof of consent for the legal retention period, document the integration scope in your RoPA, and exclude special category data from segmentation logic.
Websites using Omnisend must obtain user consent under GDPR regulations.
DPIA considerations
Omnisend processes visitor browsing behaviour, e-commerce events (cart, checkout, order), email addresses, phone numbers, and SMS opt-in status. Key DPIA considerations: (1) the tracker cookies and the cross-site identifier are non-essential and require consent under ePrivacy and TTDSG; (2) SMS marketing carries heightened requirements (explicit opt-in, easy STOP keyword, retention of consent proof); (3) integration with the e-commerce platform pulls customer purchase history into Omnisend, increasing the data set; (4) automation flows can trigger sensitive notifications (abandoned cart, browse abandonment, post-purchase) at scale; (5) AI features (subject line generator, send-time optimisation) involve automated processing under GDPR.
Sample consent text
We use Omnisend, a Lithuanian email and SMS marketing platform, to send our newsletters and automated marketing messages. Omnisend sets first-party cookies via our website to recognise you across visits and to tie your browsing behaviour to your customer profile. SMS and email marketing are sent only after your explicit consent. Data is processed in the European Union. You can manage your consent and unsubscribe at any time.
Third-party domains contacted
omnisend.comwww.omnisend.comapp.omnisend.comomnisnippet1.comapi.omnisend.comcdn.omnisrv.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| omnisendContactID | Marketing / Identification | 1 year | Persistent first-party identifier used to associate website behaviour with a contact record in the Omnisend marketing platform. |
| omnisendSessionID | Marketing / Session | Session | Identifies the current browsing session so the Omnisend tracker can group events and trigger automation flows like browse abandonment. |
| omnisendCampaignID | Marketing / Attribution | 30 days | Stores the campaign identifier of the inbound marketing email or SMS that brought the visitor to the site, used for revenue attribution in reporting. |
| omnisendAnonymousID | Marketing / Identification | 1 year | Anonymous visitor identifier used before any contact details are submitted, later merged with the omnisendContactID once an email or phone number is captured. |
Omnisend places tracking cookies for advertising — comply with GDPR using FlowConsent.
Omnisend sets first-party cookies via your domain, including omnisendContactID (visitor identifier, up to 1 year), omnisendSessionID (session identifier), and omnisendCampaignID (campaign attribution). All are non-essential and require consent.
Yes. The tracker cookies and the cross-visit identifier are non-essential under ePrivacy and TTDSG and must be gated behind a consent banner. Marketing emails and SMS require explicit Art. 6(1)(a) consent and a clear opt-out path.
Consent (Art. 6(1)(a)) for tracker cookies, marketing email, and SMS. Contract performance (Art. 6(1)(b)) for transactional notifications (order confirmation, shipping). Legitimate interest (Art. 6(1)(f)) for fraud and abuse prevention.
Primary processing is in EU AWS regions. Some subprocessors used for SMS routing or AI features may be located outside the EEA; transfers in that case are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR. Omnisend publishes its subprocessor list.
Document a short DPIA if you operate SMS marketing at scale, segment customers by sensitive criteria, or use AI features. The Lithuanian DPA aligns with the EDPB position requiring DPIAs for large-scale profiling.
Sign the Omnisend DPA, gate the tracker behind your CMP, enable double opt-in for email, capture explicit SMS opt-in with timestamp and IP, keep consent proof, configure data retention to the minimum necessary, and exclude special category data from segmentation logic.
EU-based email/SMS marketing alternatives include Brevo (France), Mailjet (France), Klaviyo (US, EU residency available), GetResponse (Poland), Smartmessaging (Belgium), and self-hosted alternatives like Mautic.
Add a section listing the Omnisend cookies with their name, purpose, duration, and category. Specify that the controller is Soundest UAB (Lithuania), the EU AWS processing region, and the CMP toggle that allows visitors to refuse the Omnisend marketing tracker.