Postscript is a US based SMS marketing platform built primarily for Shopify merchants. It captures phone numbers via popups, checkout integrations, and keyword campaigns, then sends marketing SMS and MMS to subscribers based on segmentation rules and AI driven recommendations. Phone numbers are personal data and SMS is regulated under Art. 13 ePrivacy and consumer protection law, so any EU or UK deployment requires explicit opt in consent and full transparency on how the data is processed.
Postscript is a US based SMS marketing platform founded in 2018 in San Francisco, built primarily for Shopify merchants. It captures phone numbers via on site popups, checkout integrations, and keyword campaigns, then sends marketing SMS, MMS, and conversational messages to subscribers. It is widely used by direct to consumer brands in the US, with growing adoption in the UK and EU.
Integration relies on the Postscript Shopify app, a JavaScript pixel (postscript.io), and the Postscript REST API. The pixel tracks browse, cart, and checkout events to power segmentation and abandoned cart messages.
Postscript stores the visitor's phone number, name, email (when available), Shopify customer ID, browsing events (product views, cart adds, checkout starts), purchase history, and segmentation attributes derived from those events. AI driven message personalisation may use an LLM backend, which adds corresponding sub processing.
On the web, Postscript may set first party cookies for popup throttling and attribution, and store an internal subscriber identifier. None of these are strictly necessary for the website, and all require consent under Art. 5(3) ePrivacy.
Marketing SMS in the EU and UK falls under Art. 13 ePrivacy (unsolicited commercial communications). Postscript collects opt in via popups or checkout, but the popup wording must be clear and specific: the user must know that they are subscribing to marketing SMS from a named brand and that data will be processed by Postscript in the United States.
The browse and cart pixel is not strictly necessary and falls under Art. 5(3) ePrivacy. It must only fire after the visitor accepts the relevant consent category. Profiling for SMS personalisation builds a profile and requires Art. 6 consent.
Postscript Inc. is a US controller, hosting data on AWS US under SCCs and the EU US DPF. SMS delivery is performed via Twilio (US) and other carriers, extending the transfer chain. A TIA is required, and supplementary measures (no special category data, retention limits) are recommended.
List Postscript Inc. and Twilio in your privacy notice as processor and sub processor respectively.
Postscript offers AI driven message generation and segmentation. Document the LLM provider used (OpenAI, Anthropic, etc.) as a sub processor and assess Art. 22 GDPR if outputs drive automated decisions about pricing or eligibility.
For sending SMS to US numbers, US TCPA applies and requires express written consent with specific disclosures (frequency, charges, opt out). Postscript provides the templates, but the publisher is responsible for ensuring compliance.
Sign the Postscript DPA. List Postscript and Twilio in your RoPA. Implement a clear and specific SMS opt in popup. Defer the Postscript pixel until consent. Provide opt out via STOP keyword and a preferences page. Document the US transfer chain.
Audit the Postscript AI features and document any LLM sub processors. Set retention to the minimum useful (typically 12 to 24 months after last engagement). Train your marketing team on Art. 13 ePrivacy and TCPA requirements.
Websites using Postscript must obtain user consent under GDPR regulations.
DPIA considerations
Postscript processes phone numbers (highly identifying personal data), browsing data through the Shopify integration, and AI driven message generation. Key DPIA considerations: (1) phone number collection through popups must comply with Art. 13 ePrivacy (unsolicited communications) and CNIL guidance on prospection, requiring a clear and specific opt in; (2) browse and cart tracking via the Postscript pixel falls under Art. 5(3) ePrivacy and requires cookie consent; (3) data is transferred to the United States under SCCs / DPF, requiring a TIA; (4) AI features that personalise messages may fall under Art. 22 GDPR if they produce significant effects; (5) Postscript integrates with Twilio for SMS delivery and may use other US carriers, extending the processor chain; (6) special category data (health offers, sensitive products) require additional safeguards; (7) US TCPA applies extraterritorially when sending to US numbers, with its own consent standards (express written consent).
Sample consent text
We use Postscript to send you marketing SMS. With your explicit consent, we share your phone number with Postscript Inc. (United States) for SMS campaigns and may track your browsing and cart events on our store to personalise messages. Data is transferred to Postscript servers in the United States under Standard Contractual Clauses. You can opt out at any time by replying STOP to any SMS or via our preferences page.
Third-party domains contacted
postscript.io, app.postscript.io, static.postscript.io, api.postscript.io, twilio.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| ps_subscriber_id | Marketing | 1 year | Stores the Postscript subscriber identifier on the visitor browser to attribute browsing and purchase events to the subscriber profile. |
| ps_visitor | Marketing | 1 year | Persistent visitor identifier used by Postscript before sign up, to track popup display frequency and capture conversion attribution. |
| ps_popup_displayed | Functional | 7 days | Tracks whether the SMS opt-in popup has already been displayed to avoid repeating it on every page view. |
| ps_session | Marketing | Session | Tracks the current Postscript session for attribution and conversion measurement. |
On the web, Postscript writes first party cookies (such as ps_subscriber_id and ps_visitor) to associate the browser with a subscriber profile, throttle popups, and attribute conversions. LocalStorage is also used. All are non essential and require consent.
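A way to verify that nothing Postscript-related happens before consent, as an added example (not code from Postscript or from this page's publisher): it checks the requests and cookies recorded during a page load with no consent given against the domains and cookie names listed above. The observation format, the sample data, and the script paths in it are constructed.

```javascript
// Added example. Cookie names/categories and domains come from the tables on
// this page; the observation format and the sample data below are constructed.
const POSTSCRIPT_COOKIES = {
  ps_subscriber_id: "Marketing",
  ps_visitor: "Marketing",
  ps_popup_displayed: "Functional",
  ps_session: "Marketing",
};
// Subdomains (app., static., api.) are covered by the suffix match below.
const CONTACTED_DOMAINS = ["postscript.io", "twilio.com"];

// True only for the domain itself or a real subdomain, so look-alike hosts
// such as "notpostscript.io" or "postscript.io.shop.example" do not match.
function matchesDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// Extract cookie names from a "name=value; name2=value2" string.
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

// Return every listed request host or cookie seen before consent was given.
function auditPreConsent({ requests, cookies }) {
  const findings = [];
  for (const url of requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip malformed URLs
    if (CONTACTED_DOMAINS.some((d) => matchesDomain(host, d))) {
      findings.push({ kind: "request", value: host });
    }
  }
  for (const name of cookieNames(cookies)) {
    if (Object.prototype.hasOwnProperty.call(POSTSCRIPT_COOKIES, name)) {
      findings.push({ kind: "cookie", value: name, category: POSTSCRIPT_COOKIES[name] });
    }
  }
  return findings;
}

// Constructed capture of a first page view with the consent banner untouched.
const sampleBeforeConsent = {
  requests: ["https://shop.example/products/mug", "https://static.postscript.io/placeholder.js",
    "https://notpostscript.io/x.js", "https://postscript.io.shop.example/y.js"],
  cookies: "cart=abc123; ps_visitor=v-001; theme=dark",
};
console.log(auditPreConsent(sampleBeforeConsent));
```

An empty result on a pre-consent capture is the expected state; any finding means the pixel or a cookie is not being deferred.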
Yes, twice. First, the website cookies and the Postscript pixel require Art. 5(3) ePrivacy consent. Second, the SMS marketing itself requires Art. 13 ePrivacy opt in. Postscript provides popups designed for this purpose, but the publisher must ensure the wording is clear, specific and standalone (not bundled with general T&Cs acceptance).
Consent (Art. 6(1)(a) GDPR) for marketing SMS and for processing the phone number and behavioural events for marketing purposes. Transactional SMS related to a contract (order confirmations, OTP) can rest on contract performance.
Yes. Data is processed on AWS in the United States under SCCs and the EU US Data Privacy Framework. SMS delivery via Twilio also involves US infrastructure. A Transfer Impact Assessment is required.
A DPIA is recommended for large scale SMS programs, especially when combined with browse and cart tracking. It should address segmentation, profile retention, AI features, US transfers, and the Twilio sub processor chain.
Sign the Postscript DPA. List Postscript and Twilio as sub processors. Use a clear standalone SMS opt in (not bundled with general consents). Defer the pixel until consent. Provide STOP keyword and a preferences page. Avoid pushing special category data into Postscript.
Other SMS marketing platforms: Attentive (US), Klaviyo SMS (US, with EU storage option), Yotpo SMSBump (Israel/US), Tinyemail (US), Drip. EU based: Brevo (formerly Sendinblue) for SMS + email, Mailerlite, Smsmode (France). Postscript's differentiator is its deep Shopify integration.
List the Postscript cookies with provider (Postscript Inc., United States), purpose (SMS marketing attribution), lifetime, and category (Marketing). In the privacy notice, describe the phone number processing, the SMS opt in mechanism, the US transfer chain (Postscript + Twilio), and the opt out via STOP / preferences page.