Does your website use third-party services? Get GDPR compliant in minutes.

Tracify

What does Tracify do?

German marketing attribution platform with server side first party tracking and deterministic plus probabilistic models for Meta, TikTok, Google, Klaviyo and Shopify.

What Tracify is

Tracify is a marketing attribution platform headquartered in Berlin (tracify.ai). It is designed for direct to consumer brands and Shopify merchants that want to bridge fragmented signals from Meta, TikTok, Google Ads, Klaviyo and other channels. Tracify combines deterministic matching, such as click identifiers and email hashes, with probabilistic models to assign credit across touch points in a multi channel customer journey.

Cookies and data flows

Tracify sets first party cookies on the merchant domain (typically tracify_uid and a session cookie) so that visits and orders can be linked over a multi day attribution window. The Tracify JavaScript snippet collects page views, click identifiers from advertising platforms, hashed email addresses provided on checkout and selected device signals. Events are then forwarded server to server to the Tracify infrastructure in the EU and, when configured, on to platform conversion APIs such as Meta CAPI or TikTok Events API.

GDPR and ePrivacy implications

Although the Tracify cookie is first party and is stored on the merchant domain, it is used for marketing attribution and therefore not strictly necessary under Article 5(3) of the ePrivacy Directive. Consent (Article 6(1)(a) GDPR) is required before the cookie is set and before any fingerprinting signal is used. The merchant is controller and Tracify acts as a processor under a Data Processing Agreement.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

International data transfers

Tracify hosts its production environment inside the European Union, which is a strong privacy point. Onward transfers can still occur when the merchant pushes conversions to Meta, TikTok, Google Ads or Klaviyo. Those destinations are independent controllers and rely on their own US transfer programmes. Document each destination and its safeguards in your record of processing.

Practical compliance steps

Block the Tracify script until the visitor accepts the marketing category in your CMP. Forward the consent state to Tracify so probabilistic matching can be disabled when consent is missing. Sign a Data Processing Agreement, document the EU hosting and run a DPIA. Hash personally identifiable parameters before sending them to ad platforms and restrict retention to the attribution window you actually need.

GDPR consent category

Marketing

Websites using Tracify must obtain user consent under GDPR regulations.

Legal basisConsent (Art 6(1)(a) GDPR) combined with Article 5(3) of the ePrivacy Directive whenever the first party Tracify cookie or any fingerprinting signal is used for marketing attribution. Strictly necessary measurement of a single transaction performance may rely on Article 6(1)(f) legitimate interest only in very narrow cases and is contested by regulators.

Risk levelmedium

Applicable regulationsGDPR, ePrivacy Directive 2002/58/EC, TTDSG (Germany), DSGVO, EDPB Guidelines 8/2020, CNIL cookie guidelines, UK GDPR, PECR

DPIA considerations

A DPIA under Article 35 GDPR is advisable when Tracify is deployed because the activity combines large scale online behavioural data, multi channel marketing attribution and potential probabilistic fingerprinting. Document the cookie scope on the merchant domain, the deterministic identifiers passed server to server, any fingerprinting signals, the channels receiving events such as Meta or TikTok, retention periods and the EU hosting setup that limits third country exposure.

Sample consent text

We use Tracify, an EU based attribution tool, to understand which marketing campaigns lead to our orders. With your consent we set a first party Tracify cookie and forward purchase events to advertising platforms such as Meta or TikTok. You can decline or withdraw at any time from the cookie preferences link and your shopping experience will not be affected.

Technical details

Tracking methodServer side first party tracking with a JavaScript snippet that sets a first party cookie on the merchant domain. Events are forwarded server to server to the Tracify infrastructure for deterministic and probabilistic multi touch attribution across Meta, TikTok, Google, Klaviyo and Shopify channels. Probabilistic matching may use device and browser fingerprinting signals.

Server locationGermany and other European Union locations. Tracify is headquartered in Berlin and operates its data infrastructure inside the EU.

Cookieless tracking availableYes

Third-party domains contacted

tracify.aiapi.tracify.aicdn.tracify.ai

Cookies placed

Name	Type	Duration	Purpose
_tracify_session	analytics	Session	First party session cookie set by the Tracify snippet on the merchant domain to correlate page views within the current browsing session for attribution purposes.
_tracify_uid	analytics	180 days	First party persistent cookie that stores a pseudonymous visitor identifier on the merchant domain. Used to link visits and orders across the multi day attribution window and feed deterministic and probabilistic models.

Tracify places tracking cookies for advertising — comply with GDPR using FlowConsent.

Get started free Scan your site

Frequently asked questions

Which cookies does Tracify set?

Tracify sets first party cookies on the merchant domain, typically tracify_uid for visitor identification across the attribution window and a session cookie for the current browsing session. Despite being first party, they are used for marketing attribution and therefore are classified as non strictly necessary.

Do I need consent to use Tracify?

Yes. The Tracify cookie and any probabilistic fingerprinting signal serve marketing attribution and therefore require Article 5(3) ePrivacy consent and Article 6(1)(a) GDPR consent before they are activated. Implement a CMP that loads the Tracify script only after opt in.

What legal basis applies?

Consent (Article 6(1)(a) GDPR) is the appropriate basis for the Tracify cookie and probabilistic matching. Strictly necessary single transaction measurement is sometimes argued under Article 6(1)(f) legitimate interest, but regulators have rejected this for general marketing attribution.

Is data transferred to the United States?

Tracify itself processes data in the European Union, primarily in Germany. Onward transfers occur only when you forward conversions to platforms such as Meta CAPI, TikTok Events API, Google Ads or Klaviyo, which then act as independent controllers with their own US transfer mechanisms.

Is a DPIA needed?

A DPIA is recommended because the attribution platform combines large scale online behavioural data, multi channel profiling and potential fingerprinting. Document the EU hosting, the deterministic and probabilistic logic, retention and the downstream destinations.

How do I implement Tracify compliantly?

Gate the Tracify snippet behind your CMP, pass consent state to Tracify, sign a DPA with tracify.ai, hash all personal data sent to ad platforms, keep retention to the attribution window only, list each downstream destination in your record of processing and disable probabilistic matching when consent is missing.

What are the alternatives?

Alternatives include first party measurement using Shopify built in analytics, server side tracking with consent gated Meta and Google conversion APIs, EU hosted analytics such as Matomo or Piwik PRO, and pure deterministic attribution with hashed identifiers under explicit consent.

How do I update my cookie policy?

Add a section listing the Tracify first party cookies with their name, purpose, duration and the EU hosting. Disclose the downstream advertising destinations and their transfer mechanisms. Update the policy whenever you change attribution windows, destinations or the consent flow.

Get compliant — Try FlowConsent free

Free plan · 10-min setup