Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Wunderkind (formerly BounceX) is a US based performance marketing platform that identifies anonymous website visitors via a cross publisher email identity graph and triggers personalised email and SMS campaigns. It is widely used in retail, travel and publishing. For European audiences, Wunderkind involves both extensive behavioural tracking and cross border transfers to the United States, which makes it a high consent and high risk service.
Wunderkind, formerly BounceX, is a US based marketing technology vendor founded in 2012 and headquartered in New York. Its core product matches anonymous website visitors to known email addresses or phone numbers through a cross publisher identity graph, then triggers personalised email or SMS marketing based on the visitor''s behaviour. Wunderkind is widely deployed by retail, travel and publishing brands and is operated on AWS infrastructure in the United States.
Wunderkind deploys a JavaScript snippet on the customer site that captures page views, time on site, scroll depth, basket contents, abandoned items, search queries, device data and IP address. It sets first party cookies (such as bx_user_id, bxe_*) and may set third party cookies on the wknd.io or bounceexchange.com domains. The identity graph attempts to resolve the visitor to an email or phone number known across the Wunderkind network, after which triggered email or SMS can be sent.
Wunderkind processes personal data and uses a cross publisher graph, so it should be treated as an independent controller for the graph and a joint controller or processor for the merchant deployment. The cookies it sets are non essential and require consent (Art. 5(3) ePrivacy). The triggered email and SMS campaigns are direct marketing under Art. 13 ePrivacy and require prior consent in B2C, including for the soft opt in cases under PECR. EU regulators have specifically flagged identity resolution by third party email providers as needing explicit consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Explicit, granular consent is required before Wunderkind is loaded. The consent should cover (a) the placement of cookies and other identifiers, (b) the matching of the visitor against the Wunderkind cross publisher graph, (c) the sending of triggered email or SMS marketing and (d) the transfer of data to the United States. A simple cookie banner that does not clearly mention identity matching is unlikely to support Wunderkind under GDPR and ePrivacy.
All Wunderkind processing happens in the United States on AWS US infrastructure. Transfers from European visitors require Standard Contractual Clauses and a Transfer Impact Assessment, plus reliance on the EU US Data Privacy Framework if Wunderkind is certified. The identity graph itself aggregates data from many merchants, raising onward transfer and purpose limitation issues.
Treat Wunderkind as a high risk vendor: require explicit, granular consent before loading the snippet, run a DPIA, sign a Data Processing Agreement that addresses the cross publisher identity graph and US transfers, complete a Transfer Impact Assessment, disclose the identity resolution clearly in the privacy notice, separate the consent for triggered email and SMS marketing from generic analytics consent, and provide a one click opt out from triggered messaging.
Websites using Wunderkind must obtain user consent under GDPR regulations.
DPIA considerations
Wunderkind operates an identity resolution layer that can match an anonymous browsing visitor to a known email address through its cross merchant graph. Key DPIA considerations: (1) identity resolution against a third party graph clearly requires consent, both as cookie storage (Art. 5(3) ePrivacy) and as processing of personal data (Art. 6 GDPR); (2) triggered emails and SMS are direct marketing under Art. 13 ePrivacy and require prior consent for B2C; (3) the cross merchant identity graph poses purpose limitation (Art. 5(1)(b) GDPR) and joint controllership questions; (4) data is transferred to the US, requiring SCCs and a Transfer Impact Assessment; (5) profiling and triggered messaging can trigger Art. 22 GDPR safeguards; (6) the Article 29 Working Party and CNIL have specifically flagged the identification of pseudonymous visitors by third party email providers as needing explicit consent.
Sample consent text
With your consent, we use Wunderkind to identify you on our site through its cross publisher email graph and to send you triggered email or SMS campaigns based on your browsing. Wunderkind, Inc. is established in the United States, your data is transferred under Standard Contractual Clauses. You can withdraw consent at any time via our cookie settings.
Third-party domains contacted
wunderkind.cowknd.iobounceexchange.comapi.bounceexchange.comtag.bounceexchange.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| bx_user_id | Marketing | 1 year | First party Wunderkind visitor identifier set on the merchant domain. Used to attribute behaviour and trigger campaigns. |
| bxe_session_id | Marketing | Session | Wunderkind session identifier used to group page views and basket events within a single browsing session. |
| bxe_* | Marketing | 1 year | Set of campaign and engagement cookies (impression, frequency capping, trigger eligibility) controlled by the Wunderkind tag. |
| _bx_lastseen | Marketing | 6 months | Stores the timestamp of the last Wunderkind interaction for trigger eligibility and frequency capping. |
Wunderkind places tracking cookies for advertising — comply with GDPR using FlowConsent.
Wunderkind sets first party cookies on the customer domain (such as bx_user_id, bxe_*) and may set third party cookies on bounceexchange.com or wknd.io for identity matching. Local storage entries store recent activity. The exact set depends on the configuration enabled by the merchant.
Yes, explicit and granular consent is required because Wunderkind combines cookie storage with cross publisher identity matching and triggers direct marketing email or SMS. The consent must clearly mention identity resolution against a third party graph and transfers to the United States, not just a generic cookie statement.
Consent (Art. 6(1)(a) GDPR) is the only safe basis for Wunderkind's identity resolution and behavioural triggering. Direct marketing under Art. 13 ePrivacy also requires consent for B2C. Legitimate interest is unlikely to succeed for cross publisher matching given the EDPB's strict reading and the surprise factor for visitors.
Wunderkind is a US company and processes data on AWS in the United States, with no published EU data centres. Transfers from European visitors must rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR, the EU US Data Privacy Framework when applicable, and a documented Transfer Impact Assessment.
Yes, a DPIA is required. Wunderkind triggers Art. 35(3) GDPR criteria because it involves systematic monitoring of website behaviour, large scale profiling, identity matching against external data sources and automated triggering of marketing. The DPIA should describe the identity graph, the criteria for triggers, the transfers to the US and the consent UX.
Treat Wunderkind as a high risk vendor: complete a DPIA, sign a strong DPA covering the cross publisher graph, run a TIA for US transfers, load the snippet only after explicit and granular consent, separate consent for identity matching and direct marketing, document Wunderkind in your sub processor list and privacy policy and provide a clear one click opt out from triggered messaging.
EU friendly alternatives include first party email marketing platforms (Brevo, Klaviyo, Iterable, Mailchimp) used without third party identity matching, retargeting via your own CRM, and personalisation tools that do not aggregate data across merchants such as Dynamic Yield, Insider or Bloomreach. For pure abandoned cart and on site triggers, OptinMonster or Sleeknote with consent can be lower risk.
Disclose Wunderkind as a separate controller or joint controller for the identity graph, name the categories of data shared (browsing data, basket contents, IP, hashed email if provided), describe the cross publisher matching, mention transfers to the US under SCCs and the EU US Data Privacy Framework, separate consent for triggered email and SMS marketing and link Wunderkind's own privacy notice.