TomiAI is a marketing AI platform that predicts conversion intent, churn risk, and audience scores from website behaviour and CRM data, with a JavaScript SDK that captures events and a scoring API that powers personalisation, lead scoring, and audience activation.
TomiAI is a marketing artificial intelligence platform that helps brands predict conversion intent, churn risk, and audience affinity from a combination of website behaviour, CRM data, and transactional history. The product offers a JavaScript SDK that captures events on the advertiser site, server-side connectors for Shopify, HubSpot, and Salesforce, and a scoring API that returns predicted scores and recommended audiences. Marketing teams use TomiAI to drive personalisation on the homepage and product pages, to feed audience exports into ad platforms, and to prioritise leads in the CRM. The platform sits at the intersection of predictive analytics and customer data activation.
TomiAI is implemented through a JavaScript SDK that writes a first-party cookie carrying a TomiAI visitor identifier and forwards pageview, form-submit, add-to-cart, signup, and purchase events to the TomiAI ingestion endpoint. Hashed email addresses and CRM identifiers can be added to the events to support cross-device matching with the customer record. The cookie has a long lifetime and is used to persist the visitor identifier across sessions, which means that ePrivacy Article 5(3) applies and consent is required before the SDK is loaded for personalisation, scoring, and AI-driven audience building.
When a brand uses TomiAI, the brand is the controller and TomiAI acts as a processor under Article 28 GDPR for behavioural events and CRM data. The AI models are trained on aggregated data and require a clear legal basis: consent for non-strictly-necessary scoring, and legitimate interest with a balancing test for some CRM scoring use cases. The EDPB guidelines on automated decision-making and profiling apply, especially when scores influence the offers presented to customers, and the EU AI Act adds transparency obligations and a categorisation that may classify some use cases as limited-risk profiling.
Behavioural scoring that targets visitors with personalised messages or audiences relies on Article 6(1)(a) GDPR consent. The CNIL recommendation on profiling for direct marketing and the EDPB guidance confirm that storing identifiers, building profiles, and serving personalised content require prior consent, and that the refuse option must be as accessible as the accept option. Some narrow CRM scoring on existing customers can rely on legitimate interest with a documented balancing test and a clear right to object, but TomiAI default deployments lean towards consent because they combine web events, CRM data, and AI-driven personalisation.
TomiAI ingestion and AI training run on US infrastructure for most customers, with optional EU residency for the event store. Transfers must be documented under Standard Contractual Clauses and, where TomiAI is certified, the EU-US Data Privacy Framework, together with a transfer impact assessment in line with the EDPB recommendations. Supplementary measures include IP truncation, hashing of identifiers, field-level encryption, and limited retention. Customers should also map the access of US support and engineering teams to EU customer data and document the relevant safeguards.
Treat TomiAI as a high-risk profiling service that requires consent for non-strictly-necessary uses. Configure the consent management platform to load the SDK only after consent for personalisation and AI-driven analytics, and ensure that no event is sent before consent. Sign the data processing agreement and the data protection addendum, request the latest sub-processor list, and document the supplementary measures enabled. Update the cookie policy and the privacy notice to mention TomiAI as a processor, the categories of data, the retention period, the AI use cases, and the transfer mechanism. Run a DPIA before go-live.
Websites using TomiAI must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for most TomiAI deployments because the platform performs systematic profiling and automated scoring of conversion intent and churn, and combines website behaviour with CRM and transactional data. Document the categories of personal data, the AI models used, the scoring outputs, the human oversight applied to high-impact decisions, and the supplementary measures used for transfers to the United States. Reference the EDPB guidelines on automated decision-making and profiling, the CNIL position on customer scoring, and the EU AI Act categorisation for the relevant use cases.
Sample consent text
We use TomiAI to predict your interests and to personalise our communications. With your consent, we set a first-party cookie and send your interactions on this site to the TomiAI scoring API in the United States to compute audience and intent scores. You can change or withdraw your choice at any time from the cookie settings link in the footer.
Third-party domains contacted
tomi.ai
api.tomi.ai
events.tomi.ai
cdn.tomi.ai
app.tomi.ai
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _tomi_uid | first_party | 1 year | First-party identifier set by the TomiAI SDK to recognise the visitor across sessions and to feed AI scoring and audience activation. |
| _tomi_sess | first_party | Session | Short-lived cookie used by the TomiAI SDK to group events of the current visit before they are sent to the scoring API. |
| _tomi_consent | first_party | 6 months | Stores the visitor consent state shared with the TomiAI SDK so that scoring and personalisation only run after consent. |
| _tomi_aud | first_party | 180 days | Caches the audience and intent scores returned by TomiAI for the current visitor to power on site personalisation. |
Yes. TomiAI sets a first-party cookie that carries the TomiAI visitor identifier and is used to persist the visitor across sessions, link events to a profile, and feed the AI scoring models. The cookie is non-strictly-necessary because it powers profiling, personalisation, and audience activation, so ePrivacy Article 5(3) applies and consent is required before the SDK is loaded.
Yes for the behavioural scoring, personalisation, and audience activation features, which store identifiers on the visitor device and build a profile of the visitor. Some narrow CRM scoring on existing customers can rely on legitimate interest with a documented balancing test, but the default web SDK requires Article 6(1)(a) GDPR consent collected through a compliant cookie banner.
The web SDK relies on Article 6(1)(a) GDPR consent. CRM scoring on existing customers can rely on Article 6(1)(b) performance of contract or Article 6(1)(f) legitimate interest where the controller has documented a balancing test, in line with the EDPB direct marketing guidelines. Special categories should not be sent to TomiAI unless a specific lawful basis under Article 9 applies.
Most processing runs on Amazon Web Services in the United States, with optional EU residency in Frankfurt for the event store. Transfers rely on Standard Contractual Clauses and, where TomiAI is certified, the EU-US Data Privacy Framework, together with a transfer impact assessment and supplementary measures such as IP truncation and field-level encryption.
Yes. The platform performs systematic profiling and AI-driven scoring, and combines web behaviour with CRM data, which the EDPB DPIA guidelines and the lists adopted by the CNIL and the AEPD identify as high-risk processing. Document the categories of data, the models, the human oversight, and the supplementary measures, and consider the EU AI Act categorisation.
Configure the consent management platform to expose a personalisation and AI scoring purpose, and load the TomiAI SDK only after consent for that purpose. Ensure that no first-party cookie is set before consent and that the visitor identifier is generated only after opt-in. Make the refuse option as accessible as the accept option, and document the configuration.
When consent is refused, fall back to non-personalised content and to aggregated CRM scoring built on transactional data only. Server-side scoring of existing customers can run without web events, and personalisation can rely on context and content categories rather than visitor identifiers. The TomiAI SDK does not load, no first-party cookie is written, and no behavioural event is sent.
List TomiAI as a processor for behavioural scoring, personalisation, and AI-driven audience activation. Describe the cookie it sets, its duration, and its purpose, and mention the categories of events captured by the SDK. State that data is transferred to the United States, reference the EU-US Data Privacy Framework and the Standard Contractual Clauses, and link to the TomiAI privacy notice. Provide the channels for data subject access, erasure, and objection requests.
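The consent gating described in the two answers above (load the SDK only after consent for the personalisation and AI scoring purpose, send no event and set no cookie before opt-in, and clear the SDK cookies on refusal or withdrawal), as an added JavaScript example that is not TomiAI's or FlowConsent's code. The CMP purpose id, the SDK script path on the listed CDN host, and the `env` adapter are assumptions; the cookie names are those in the table above.

```javascript
// Consent gate for the TomiAI web SDK. Added example, not TomiAI's or FlowConsent's code.
// Assumed: the CMP exposes a purpose id "personalisation_ai_scoring", the SDK is served
// from the listed cdn.tomi.ai host at an assumed path, and cookie names are those in the
// table above. Pre-consent events are dropped, not queued, so nothing is replayed later.
const TOMI_PURPOSE = "personalisation_ai_scoring";             // assumed CMP purpose id
const TOMI_SDK_URL = "https://cdn.tomi.ai/sdk.js";              // assumed path on the CDN host
const TOMI_COOKIES = ["_tomi_uid", "_tomi_sess", "_tomi_aud"];  // names from the cookie table

// env abstracts the browser so the gate can also run in Node:
//   cookies: Map of cookie name -> value, loadScript(url), sendEvent(event) -> boolean
function createTomiGate(env) {
  const state = { consent: null, sdkLoaded: false, dropped: [] };

  // Called by the CMP whenever the visitor's purpose choices change (grant or withdrawal).
  function onConsentChange(grantedPurposes) {
    state.consent = grantedPurposes.includes(TOMI_PURPOSE);
    if (state.consent && !state.sdkLoaded) {
      env.loadScript(TOMI_SDK_URL);   // first and only load: no SDK, no cookie before opt-in
      state.sdkLoaded = true;
    } else if (!state.consent) {
      // Withdrawal: stop forwarding events and clear the SDK cookies. A script already
      // in the page cannot be unloaded, so a reload after withdrawal keeps it out.
      for (const name of TOMI_COOKIES) env.cookies.delete(name);
    }
  }

  // Site code calls track() instead of the SDK directly; it forwards only with consent.
  function track(event) {
    if (state.consent !== true) {
      state.dropped.push(event.type);   // kept only for local diagnostics, never sent
      return false;
    }
    return env.sendEvent(event);
  }
  return { onConsentChange, track, state };
}

// In-memory environment for a dry run. In a browser, wire cookies to document.cookie,
// loadScript to a <script> tag injector, and sendEvent to the SDK's own event call.
function memoryEnv() {
  const cookies = new Map(), loaded = [], sent = [];
  return {
    cookies, loaded, sent,
    // simulates the SDK writing its identifier cookie as soon as it loads
    loadScript: (url) => { loaded.push(url); cookies.set("_tomi_uid", "visitor-id"); },
    sendEvent: (event) => { sent.push(event); return true; },
  };
}
```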