Sailthru is a US based email marketing and personalisation platform, used heavily by retail, e commerce and media brands. Since 2021 it is part of the Marigold (formerly CM Group) family. The product combines email sending, behavioural website tracking via the sailthru.js SDK and a content recommendation engine that personalises both emails and on site experiences. The web tracker sets the sailthru_hid cookie linking website activity to email subscriber profiles, which is a high risk processing scenario under GDPR.
Sailthru is an email marketing, personalisation and customer retention platform founded in 2008 in New York. It was acquired by CM Group (now Marigold) in 2018 alongside Selligent, and the broader Marigold family now includes Campaign Monitor, Emma, Vuture and Liveclicker. Sailthru is positioned for retail, e commerce and media brands that need to combine email marketing with website personalisation. The product features a behavioural tracking SDK called sailthru.js, an email engine with templates and dynamic content, a recommendation engine (Smart Strategies) and audience segmentation tools.
On the website, sailthru.js writes the sailthru_hid cookie (Sailthru hash ID, default 1 year lifetime) on the operator's first party domain and transmits events to Sailthru servers: page views, product views, add to cart, purchase, search queries and any custom events the operator pushes via the Sailthru SDK. When the visitor identifies themselves (sign up, login, email click), the sailthru_hid is joined to the customer's email profile, creating a deterministic link between website behaviour and the subscriber file. The Sailthru email engine embeds open and click tracking pixels in outgoing messages, which collect the recipient's IP, user agent and read state.
Because sailthru.js writes a persistent cookie that is not strictly necessary, ePrivacy Art. 5(3) requires prior informed consent. Under the GDPR, consent under Art. 6(1)(a) is the appropriate basis for the cookie and behavioural tracking. Marketing emails require their own consent or soft opt in under PECR (UK) and the ePrivacy Directive transposition in each EU member state. The recommendation engine and content personalisation features qualify as profiling under GDPR Art. 22, which adds transparency, opt out and human review obligations when decisions have material impact.
The defining feature of Sailthru is the deterministic link between the website cookie and the email subscriber profile. When a visitor clicks an email link, Sailthru attaches a sthash parameter to the URL that the SDK reads and uses to write the sailthru_hid cookie tied to the subscriber. This is more invasive than pure cookie tracking because it ties browsing history to a real identity. The DPIA must reflect this and the privacy notice must explain it to users.
Sailthru runs on US primary infrastructure with EU regional processing available on Enterprise plans. Customer profile data, email content, behavioural events and recommendation models are processed in the US by default. Marigold self certifies under the EU US Data Privacy Framework and offers Standard Contractual Clauses. EU retailers and publishers should request EU regional processing where their data residency commitments require it.
Gate sailthru.js behind a Consent Management Platform with explicit marketing or personalisation consent. Collect a separate consent for marketing email under PECR or the ePrivacy transposition. Sign the Sailthru/Marigold DPA and Standard Contractual Clauses. Document the processing in the record of processing, including the deterministic identity link, the recommendation engine and the data transfer mechanism. Run a DPIA covering the email plus website profile, the US transfer and the Art. 22 profiling considerations. Subscribe to EU regional processing if available and required.
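One way to verify that the gate holds, as an added example (not Sailthru's or this site's code): it audits a page snapshot taken before consent for the Sailthru cookies and domains listed on this page, and builds the cookie expiry strings to apply on consent withdrawal. The snapshot shape, the sample values and the `Path=/` and `Domain` attributes are assumptions.

```javascript
// Added example. Cookie names and domains are the ones listed on this page.
const SAILTHRU_COOKIES = ["sailthru_hid", "sailthru_visitor", "sailthru_pageviews",
  "sailthru_content", "sailthru_oid"];
const SAILTHRU_DOMAINS = ["sailthru.com", "ak.sail-horizon.com", "ak.sail-personalize.com",
  "sailthrucontent.com", "marigold.com"];

// Cookie names from a document.cookie / Cookie header string.
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Exact host or subdomain match; a substring test would also flag look-alike hosts.
function isSailthruHost(host) {
  const h = host.toLowerCase();
  return SAILTHRU_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// While consent is false, any Sailthru cookie or request is a finding.
function auditSnapshot({ consent, cookieString, requestUrls }) {
  if (consent) return [];
  const findings = cookieNames(cookieString)
    .filter((n) => SAILTHRU_COOKIES.includes(n)).map((n) => `cookie:${n}`);
  for (const u of requestUrls) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; } // skip unparseable URLs
    if (isSailthruHost(host)) findings.push(`request:${host}`);
  }
  return findings;
}

// On withdrawal: document.cookie assignments that expire the cookies found.
// Assumes they were set with Path=/ on the given first party domain.
function expiryStrings(cookieString, domain) {
  return cookieNames(cookieString)
    .filter((n) => SAILTHRU_COOKIES.includes(n))
    .map((n) => `${n}=; Max-Age=0; Path=/; Domain=${domain}`);
}

// Constructed sample: consent not yet given, but the tracker has already run.
const SAMPLE = {
  consent: false,
  cookieString: "session=abc; sailthru_hid=constructed-value; theme=dark",
  requestUrls: ["https://www.example.com/app.js",
    "https://ak.sail-horizon.com/tracker.js", // constructed path
    "https://notsailthru.com/x.js", "not a url"],
};
console.log(auditSnapshot(SAMPLE));
console.log(expiryStrings(SAMPLE.cookieString, "example.com"));
```

An empty result from `auditSnapshot` on a pre-consent snapshot is the evidence to keep with the DPIA that the CMP gate works.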
Websites using Sailthru must obtain user consent under GDPR regulations.
DPIA considerations
Sailthru writes the sailthru_hid cookie (Sailthru hash ID, default lifetime 1 year) on the operator's first party domain to identify the visitor and join their website activity to their email subscriber profile. DPIA considerations: (1) the sailthru_hid is a persistent online identifier and personal data, and the join with email profiles creates a deterministic identity link beyond what cookie based tracking alone provides; (2) Sailthru is US headquartered with US primary processing, even though EU regional processing is available on Enterprise plans; (3) email tracking pixels embedded in messages additionally process recipient IP addresses, user agents, and read state, which is sometimes overlooked; (4) recommendation engine output combines purchase history, browsing history and email engagement, which is high risk profiling under GDPR Art. 22; (5) for retail customers, Sailthru may receive order data including transaction values and product identifiers, which require careful retention policies. A DPIA is strongly recommended.
Sample consent text
We use Sailthru (Sailthru Inc., part of Marigold, New York) to send personalised marketing emails and to recommend content tailored to your interests. Sailthru places a cookie (sailthru_hid) on your device when you visit our site to link your website browsing to your email subscriber profile, and reads opens and clicks of our emails through tracking pixels. Data is transferred to Sailthru in the United States. We rely on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via our cookie settings or the unsubscribe link in any email.
Third-party domains contacted
sailthru.com, ak.sail-horizon.com, ak.sail-personalize.com, sailthrucontent.com, marigold.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sailthru_hid | Marketing / Personalisation | 1 year | Set by Sailthru on the operator's first party domain. The Sailthru hash ID, a persistent online identifier used to recognise the visitor across sessions and to deterministically join their website activity to their email subscriber profile when they click an email link or sign in. |
| sailthru_visitor | Marketing / Personalisation | 1 year | Set by Sailthru. Stores aggregated visitor properties (channel, source, first visit timestamp) used by the recommendation engine and segmentation rules. |
| sailthru_pageviews | Marketing / Personalisation | 1 year | Set by Sailthru. Tracks the number of pages viewed in the current session and short term aggregates used for visitor scoring and content recommendations. |
| sailthru_content | Marketing / Personalisation | 1 year | Set by Sailthru. Stores content interest tags inferred from recent page views, used by the recommendation engine to personalise emails and on site content blocks. |
| sailthru_oid | Marketing / Personalisation | 1 year | Set by Sailthru. The optional Sailthru operator ID used when the operator runs multiple Sailthru profiles or brands under one cookie domain to distinguish between subscriber files. |
Sailthru writes the sailthru_hid cookie (Sailthru hash ID, default 1 year lifetime) on the operator's first party domain. The cookie is a persistent identifier used to recognise the visitor across sessions and to join their behaviour to the email subscriber profile. Additional cookies (sailthru_visitor, sailthru_pageviews, sailthru_content) track engagement metrics.
Yes. The sailthru_hid cookie is not strictly necessary and ePrivacy Art. 5(3) requires prior informed consent. The behavioural tracking falls under marketing/personalisation purposes and requires explicit consent under GDPR. Marketing emails require a separate consent (or soft opt in under PECR) under ePrivacy.
Consent (GDPR Art. 6(1)(a)) for the website tracking and personalisation cookies. Consent or soft opt in for marketing emails depending on the ePrivacy transposition. Contract necessity (Art. 6(1)(b)) for transactional emails tied to a service. The recommendation engine output falls under GDPR Art. 22 profiling.
Yes by default. Sailthru Inc. is part of Marigold (US). EU regional processing is available on Enterprise plans. Marigold self certifies under the EU US Data Privacy Framework and offers SCCs. A Transfer Impact Assessment is required.
A DPIA is strongly recommended. The combination of behavioural tracking, deterministic identity stitching (cookie to email profile), recommendation profiling (Art. 22 GDPR) and US data transfer adds up to high risk processing under EDPB guidance. The DPIA threshold under Art. 35 is typically met.
Gate sailthru.js behind a CMP with explicit marketing or personalisation consent. Collect a separate marketing email consent. Sign the Sailthru/Marigold DPA and SCCs. Subscribe to EU regional processing if available. Document the deterministic identity stitching in the privacy notice. Run a DPIA covering email + website profile, US transfer and Art. 22 profiling.
Other customer engagement and personalisation platforms include Bloomreach Engagement (Czech Republic, EU residency), Emarsys (Austria/SAP), Salesforce Marketing Cloud, Adobe Campaign, Mapp Cloud (Germany), Klaviyo (US), Iterable (US), Braze (US) and Selligent (also Marigold). EU based options like Bloomreach, Emarsys and Mapp avoid the US transfer issue by default.
List the Sailthru cookies (sailthru_hid, sailthru_visitor, sailthru_pageviews, sailthru_content) under marketing or personalisation. Name Sailthru Inc. (part of Marigold, New York) as a recipient and disclose the US transfer with the appropriate mechanism. Explicitly disclose the deterministic identity stitching between cookie and email profile. Provide a working consent withdrawal link.