Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
ExactVisitor is a B2B IP to company identification tool from the US. Its JavaScript snippet captures the visitor IP and performs a reverse lookup to identify the visiting company.
ExactVisitor is a B2B visitor identification platform based in the United States. It loads a JavaScript snippet on customer websites that captures the visitor IP address and performs reverse IP lookup to identify the visiting company, then enriches that information with firmographic data.
ExactVisitor sets first-party cookies for session correlation and visitor stitching across page views. The snippet also sends the visitor IP, user agent, page URL and referrer to ExactVisitor backend servers in real time.
All visitor data is transferred to ExactVisitor infrastructure in the United States. The European Data Protection Board considers IP addresses to be personal data under the GDPR, so EU to US transfers must rely on appropriate safeguards.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Because the script profiles visitors and transfers personal data to a third country, prior consent is the safest legal basis under the ePrivacy Directive and the GDPR. Legitimate interest can be argued for narrow B2B scenarios but requires a documented balancing test.
Block the ExactVisitor snippet before consent, signal categorisation in your CMP as marketing or analytics, sign a DPA with ExactVisitor, and document Standard Contractual Clauses plus a transfer impact assessment. Inform visitors that their company can be identified from their IP address.
Websites using ExactVisitor must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when deploying ExactVisitor because the processing involves profiling of website visitors and systematic monitoring of B2B traffic combined with transfer to the United States. Document the lawful basis, the data minimisation and the retention periods.
Sample consent text
This website uses ExactVisitor, a US service that identifies the company you work for from your IP address to provide analytics to our sales team. Do you consent to this processing?
Third-party domains contacted
exactvisitor.comapi.exactvisitor.comcdn.exactvisitor.comtrack.exactvisitor.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ev_uid | analytics | 1 year | Persistent pseudonymous visitor identifier used to recognise returning visitors and stitch them to a company |
| _ev_sid | analytics | Session | Session identifier used to group page views from the same visit |
| _ev_ref | analytics | 30 days | Stores the original referrer to attribute the session to a marketing source |
| _ev_company | analytics | 30 days | Caches the company resolved from the visitor IP to reduce repeated lookups |
ExactVisitor collects user analytics data — you legally need a consent banner. Try FlowConsent free.
ExactVisitor sets first-party cookies on your domain to correlate the visitor session across page views and to deduplicate visits. The cookies typically contain a pseudonymous visitor identifier and a session identifier used to stitch hits to the same person and company.
Yes. Because ExactVisitor profiles visitors and transfers IP addresses to the United States, EU data protection authorities consider that prior, freely given consent is required under the ePrivacy Directive and the GDPR before the script loads.
Consent under Article 6(1)(a) GDPR is the recommended basis. Some controllers argue legitimate interest under Article 6(1)(f) for narrow B2B contexts, but a documented balancing test and an opt-out mechanism are essential.
Yes. The captured IP address and visit metadata are sent to ExactVisitor servers in the United States. Transfers must be covered by Standard Contractual Clauses, EU US Data Privacy Framework certification, or another valid Article 46 mechanism.
A DPIA is recommended and often required. The processing combines profiling, systematic monitoring of website visitors and international data transfers, which together meet several criteria of the EDPB guidelines on DPIA triggers.
Load the snippet only after explicit consent, classify it as marketing or analytics in your CMP, sign a DPA with ExactVisitor and document SCCs plus a transfer impact assessment. Add ExactVisitor to your records of processing and your privacy notice.
EU based alternatives include Leadinfo (Netherlands), Albacross (Sweden) and SalesViewer (Germany). For pure analytics without B2B identification, Matomo or Plausible offer privacy first options that keep data inside the EU.
Disclose ExactVisitor by name, explain that visitor IP addresses are used to identify the visiting company, list the cookies and their durations, name the US data centre and add a link to ExactVisitor's privacy policy and DPA.