Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Air360 is an ecommerce focused product analytics and behavioural tracking platform offering heatmaps, session replay, funnel analysis and feature flags. The vendor is based in Spain and the primary infrastructure is hosted in the European Union.
Air360 is a product analytics platform tailored to ecommerce merchants. It combines page heatmaps, click maps, scroll maps, session replay, multi step funnel analysis and feature flags to help conversion and product teams diagnose friction along the customer journey. The vendor is based in Spain and the primary processing infrastructure is hosted in the European Union, which makes Air360 attractive for retailers seeking an alternative to US based session replay tools.
Air360 sets a first party persistent visitor identifier, a session identifier and a feature flag cookie storing which experiments are active for the visitor. It captures page views, clicks, mouse movements, scrolls, form interactions, the URL, the user agent, the IP address, the device characteristics and a stream of DOM changes used to reconstruct the session replay. When session replay is enabled, the captured stream may include text typed in inputs unless those inputs are explicitly masked.
Behavioural analytics, session replay and feature flag cookies are not strictly necessary to deliver the storefront, so Article 5(3) ePrivacy requires prior informed consent before they are written. The session replay raises a specific risk under the GDPR because it can incidentally capture personal data, special category data (for example health products in a basket) or payment details if input masking is incomplete. National regulators such as the AEPD, the CNIL and the Garante have published guidance treating session replay tools as requiring opt in consent and strict input masking.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The Air360 snippet must be blocked by the consent management platform until the visitor accepts an analytics or product analytics category. Refusal must be as easy as acceptance, the banner must name Air360 and the session replay capability, the privacy notice must explain what is recorded and how to delete a replay. All sensitive inputs, payment fields and personal identifiers must be masked using Air360 configuration, and a do not record list must be maintained for sensitive pages.
Air360 hosts its main processing infrastructure in the European Union (Spain), so behavioural events and session replays normally stay inside the GDPR perimeter. Some sub processors used for CDN, error monitoring or transactional email may operate outside the EEA. Those sub transfers are framed by EU standard contractual clauses and a transfer impact assessment, and the sub processors register is made available to customers under the Air360 data processing agreement.
Sign the Air360 data processing agreement, gate the snippet behind a consent management platform, configure aggressive masking for all input fields and any selector that may contain personal or payment data, exclude sensitive pages (checkout, account, customer profile) from session replay when not strictly needed, set a short retention for replay sessions, restrict access to the Air360 dashboard via SSO and role based controls, document the processing in the Article 30 records and update the privacy and cookie policy with a clear mention of Air360, the cookies set, the session replay and the retention.
Websites using Air360 must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Air360 is deployed on an ecommerce site, because session replay captures fine grained behavioural data that may include keystrokes, mouse movements, form interactions and, if not masked properly, fragments of personal or payment information. Document the masking strategy, the retention of replay sessions, the access controls, the sub processors used and the legitimate interest balancing test for aggregated funnel analytics.
Sample consent text
We use Air360 to understand how visitors interact with our store, with heatmaps, session replays and funnel analysis. This sets first party cookies and sends behavioural events to Air360 servers in the European Union. We need your consent to enable behavioural analytics. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
air360.ioapp.air360.iocdn.air360.ioevents.air360.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| a360_uid | http_persistent | 1 year | Persistent first party visitor identifier used by Air360 for behavioural analytics and session replay attribution. |
| a360_sid | http_session | Session | Session identifier used to group behavioural events captured during a single visit. |
| a360_ff | http_persistent | 90 days | Stores the feature flag and A B test variants assigned to the visitor by Air360. |
| a360_rec | http_persistent | 30 days | Indicates whether the session replay recording is active for the current visitor sample. |
| a360_cs | http_persistent | 6 months | Stores the consent choices forwarded to Air360 by the cookie banner. |
Air360 collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Air360 sets a first party persistent visitor identifier, a session identifier and a feature flag cookie storing the experiments active for the visitor. Additional cookies may be set for consent state and for the session replay stream when enabled.
Yes. Behavioural analytics, session replay and feature flag cookies are not strictly necessary, so Article 5(3) ePrivacy requires explicit opt in. The Air360 snippet must remain blocked until the visitor has accepted an analytics or product analytics category, with refusal as easy as acceptance.
Consent under Article 6(1)(a) GDPR for behavioural analytics and session replay. Legitimate interest under Article 6(1)(f) GDPR may apply to aggregated and pseudonymised funnel reports once the data have been masked and the balancing test is documented.
No, the main Air360 infrastructure is in the European Union (Spain). Some sub processors (CDN, error monitoring, transactional email) may operate outside the EEA. In that case, the transfer relies on EU standard contractual clauses and a documented transfer impact assessment listed in the Air360 sub processors register.
Yes, a DPIA is appropriate for any deployment that uses session replay or covers a significant volume of EU visitors. The processing involves systematic monitoring of online behaviour and a risk of capturing personal or special category data through replays, which meets several criteria of Article 35 GDPR.
Sign the Air360 DPA, gate the snippet behind a consent management platform, enable input masking by default, exclude checkout, account and other sensitive pages from session replay when not strictly needed, set a short retention for replays, restrict access via SSO and roles, document a TIA for any sub transfer and review the configuration regularly.
Comparable behavioural analytics and session replay tools include Hotjar, Contentsquare, FullStory, Mouseflow, Smartlook, Microsoft Clarity, Matomo Heatmaps and Piwik PRO. Some are EU based or offer EU hosting, others are US based. The choice depends on hosting, masking capabilities and contractual terms.
Add a dedicated entry that names Air360, lists each cookie with purpose and duration, identifies Air360 as the processor and the EU hosting region, mentions the session replay capability and its masking, links to the Air360 privacy notice and explains how visitors can refuse or withdraw consent and request deletion of their replays.