French all-in-one online business platform offering sales funnels, websites, email marketing, online courses, automation and affiliate programs for solopreneurs and small businesses.
Systeme.io is a French all-in-one online business platform created by Aurelien Amacker in 2018. The legal entity is registered in Mauritius (Systeme.io Ltd) with a strong commercial footprint in France and Europe. The platform bundles sales funnels, websites, email marketing, online courses, marketing automation, affiliate programs and ecommerce in a single subscription. Infrastructure is hosted on Amazon Web Services in the European Union with a global content delivery network via Amazon CloudFront. It is widely used by solopreneurs, infopreneurs and small businesses, particularly across French-speaking markets.
On a public page served by Systeme.io, the platform drops a strictly necessary session cookie (PHPSESSID) and several functional or analytics cookies tied to funnel attribution and visitor identification (for example _sio_visitor and _sio_funnel_* variants). It records IP address, user agent, referrer, page views and conversions on funnel steps. In email campaigns it embeds a 1x1 tracking pixel to measure opens, and rewrites links to capture clicks. For course members it stores progress, login state and payment metadata. The data is therefore a mix of strictly necessary, behavioural and identifying personal data within the meaning of Art. 4(1) GDPR.
Funnel tracking cookies, behavioural analytics and email open or click pixels are not strictly necessary to deliver a service expressly requested by the user. Under Art. 5(3) of the ePrivacy Directive, transposed into Art. 82 of the French Data Protection Act and into national laws across the EEA, these require prior, freely given, specific, informed and unambiguous consent. The CNIL guidelines of 2020 (deliberation 2020-091) confirm that this also applies to first party analytics that are reused for marketing. Performance of contract (Art. 6(1)(b) GDPR) only covers the strict delivery of the course, the membership area and the payment, not behavioural profiling for upsells.
Before any non essential Systeme.io cookie or tracking pixel is set, the user must be presented with a CMP (consent management platform) banner that allows: accept, refuse with the same number of clicks (per CNIL guidance), and granular choice by purpose. Email marketing consent must be collected via a clear opt in (double opt in is recommended for B2C in France and Germany). A consent record (timestamp, IP, banner version, choices) must be stored to demonstrate compliance under Art. 7(1) GDPR. Refusal must be just as easy as acceptance and the user must be able to withdraw consent at any time.
Although primary hosting is on AWS in the European Union, CloudFront edge locations are global and may serve static assets from outside the EEA. The legal entity itself sits in Mauritius, a third country whose adequacy is not recognised by the European Commission. Some sub processors (email deliverability and payment processing) operate in the United States or the United Kingdom. Transfers outside the EEA must be framed by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and a Transfer Impact Assessment per the EDPB Recommendations 01/2020 following Schrems II.
Sign the DPA offered by Systeme.io and keep it on file. Map all Systeme.io sub processors and document them in your Record of Processing Activities (Art. 30 GDPR). Configure the consent banner to block funnel tracking scripts and the email pixel until consent is given. Add a Systeme.io section to your privacy policy listing cookies, retention and recipient categories. Set retention limits on inactive contacts (for example 36 months for prospects per CNIL). Train marketing staff on respecting opt out requests within one month (Art. 12(3) GDPR) and on the right to erasure (Art. 17).
Websites using Systeme.io must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA under Art. 35 GDPR is generally not mandatory for standard use of Systeme.io (funnels, email marketing, course delivery) where data subjects are existing customers or opted in subscribers. A DPIA becomes advisable when Systeme.io is combined with extensive behavioural profiling, large scale processing of sensitive categories (health, financial coaching), or automated decision making in affiliate scoring. Document: categories of personal data collected via forms and funnels, retention periods, sub processor map (AWS, CloudFront, SMTP providers), legal basis per processing activity, and the appropriateness of Standard Contractual Clauses for any transfer outside the EEA.
Sample consent text
We use Systeme.io to manage our website, sales funnels and email communications. With your consent, Systeme.io places cookies on your device to remember your visit, attribute conversions across our funnels and measure the performance of our marketing emails (open and click tracking). You can accept, refuse or customise these cookies at any time. Without consent, only strictly necessary session cookies (PHPSESSID) are used to keep the site functional.
Third-party domains contacted
- systeme.io
- app.systeme.io
- cdn.systeme.io
- track.systeme.io
- systeme-files.s3.amazonaws.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | session | Session (until browser close) | Strictly necessary session identifier for the Systeme.io PHP application, keeps the user logged in to the member area, the funnel editor or the checkout. No consent required. |
| _sio_visitor | persistent | 12 months | Identifies a unique visitor across funnels and pages, used for conversion attribution and basic behavioural analytics. Non essential, requires prior consent under Art. 5(3) ePrivacy. |
| _sio_funnel_* | persistent | 30 to 90 days | Stores the funnel and step the visitor is currently engaged with, enables next step routing and conversion attribution per funnel. Non essential, requires consent. |
| _sio_aff | persistent | 60 days | Tracks the affiliate that referred a visitor for commission calculation in the Systeme.io affiliate program. Non essential, requires consent. |
| XSRF-TOKEN | session | Session | Cross site request forgery protection token used by the Systeme.io application for authenticated forms and admin panel. Strictly necessary, no consent required. |
On a public page Systeme.io sets a strictly necessary session cookie (PHPSESSID) and several non essential cookies: _sio_visitor (visitor identification, around 12 months), _sio_funnel_* (funnel step attribution, typically 30 to 90 days) and optional ad attribution cookies if you connect a paid traffic source. Email campaigns add an open tracking pixel and link redirects for click tracking.
Yes. The funnel tracking script, the visitor cookie and the email pixel are not strictly necessary, so Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR require prior, freely given, specific, informed and unambiguous consent. Only PHPSESSID may be set without consent because it is required for the website to function.
Two main bases: consent (Art. 6(1)(a) GDPR) for marketing cookies, email tracking and behavioural analytics, and performance of contract (Art. 6(1)(b) GDPR) for delivering the purchased course, the member area and the payment. Legitimate interest (Art. 6(1)(f)) can rarely be invoked for tracking that requires ePrivacy consent.
Partly. Primary hosting is on AWS in the EU, but CloudFront edge nodes are global and some sub processors (email deliverability, payment processors, anti fraud) operate in the US or UK. Such transfers must be covered by Standard Contractual Clauses under Art. 46(2)(c) GDPR and a Transfer Impact Assessment per EDPB Recommendations 01/2020.
For standard funnel and email use a DPIA under Art. 35 GDPR is usually not required. It becomes necessary when you combine Systeme.io with large scale behavioural profiling, special categories of data (health coaching, financial advice) or automated decision making on affiliates or customers.
Use a CMP that blocks Systeme.io scripts and email pixels by default. Tag the funnel script and pixel as marketing or analytics. Only load them after explicit consent. Confirm the cookie list (PHPSESSID, _sio_visitor, _sio_funnel_*) in the CMP cookie scanner and align purposes with your privacy policy.
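One way to check that blocking actually works is to audit the Set-Cookie headers of a first page load against the cookie table above. The following is an added example, not code from Systeme.io or any CMP; the function names, the sample headers and the `_adnet_id` cookie are constructed for illustration, and "12 months" is taken as 365 days.

```javascript
// Policy from the "Cookies placed" table. maxAgeDays 0 means session cookie;
// "12 months" is taken as 365 days (assumption).
const COOKIE_POLICY = [
  { pattern: /^PHPSESSID$/, necessary: true, maxAgeDays: 0 },
  { pattern: /^XSRF-TOKEN$/, necessary: true, maxAgeDays: 0 },
  { pattern: /^_sio_visitor$/, necessary: false, maxAgeDays: 365 },
  { pattern: /^_sio_funnel_.+$/, necessary: false, maxAgeDays: 90 },
  { pattern: /^_sio_aff$/, necessary: false, maxAgeDays: 60 },
];

// Extract the cookie name and its lifetime in days from one Set-Cookie value.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  let lifetimeDays = 0; // no Max-Age/Expires: session cookie
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age") { lifetimeDays = Number(val) / 86400; break; } // Max-Age overrides Expires
    if (key === "expires") lifetimeDays = (Date.parse(val) - now) / 86400000;
  }
  return { name, lifetimeDays };
}

// Flag cookies that are unlisted, set without consent, or longer-lived than documented.
function auditCookies(setCookieHeaders, consentGiven, now = Date.now()) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, lifetimeDays } = parseSetCookie(header, now);
    const rule = COOKIE_POLICY.find((r) => r.pattern.test(name));
    if (!rule) { findings.push({ name, issue: "unlisted" }); continue; }
    if (!rule.necessary && !consentGiven) findings.push({ name, issue: "set-before-consent" });
    if (lifetimeDays > rule.maxAgeDays) findings.push({ name, issue: "exceeds-documented-lifetime" });
  }
  return findings;
}

// Constructed sample: headers captured from a first page load, before any banner choice.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "XSRF-TOKEN=t0k; Path=/; Secure",
  "_sio_visitor=v-1; Max-Age=31536000; Path=/",
  "_sio_funnel_42=step2; Max-Age=10368000; Path=/",
  "_adnet_id=x; Max-Age=86400; Path=/", // hypothetical cookie, not in the table
];
console.log(auditCookies(SAMPLE_HEADERS, false));
```

An empty result on a pre-consent page load means only the strictly necessary cookies were set; any "unlisted" finding is a cookie the privacy policy and CMP do not yet document.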
Alternatives that combine funnels, email and courses with EU hosting include LearnyBox (France), Webmecanik (France, marketing automation), Brevo (France, email and CRM) and Plezi (France, B2B marketing automation). They are not feature equivalent but reduce non EEA exposure.
List each Systeme.io cookie name, purpose (session, visitor identification, funnel attribution), retention period and whether it is first or third party. Mention the email tracking pixel and link rewriting. Add a section on international transfers naming AWS, CloudFront and the SMTP provider, and reference the Standard Contractual Clauses.