Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
GrowingIO is a Chinese product analytics platform operated by Growing Information Technology Co., Ltd. in Beijing. It provides automatic event capture, funnel analysis, retention reports, A/B testing and session replay across web, mobile and WeChat mini programs, with deep integration into the Alibaba Cloud and Tencent ad ecosystems. Because production data is processed in mainland China, GrowingIO is treated as a high risk vendor for European deployments under the GDPR and the ePrivacy Directive.
GrowingIO is the Chinese product analytics suite of Growing Information Technology Co., Ltd., based in Beijing. It is widely used by Chinese SaaS, ecommerce and mobile teams for funnel analysis, retention, cohorts, A/B testing and session replay across web, native mobile apps and WeChat mini programs. Integrations with Alibaba Cloud and Tencent advertising are first class.
The GrowingIO SDK auto captures page views, clicks, scroll, form interactions and exit events. It assigns a persistent visitor ID stored in first party cookies and links sessions across days. Optional session replay records DOM snapshots and visitor inputs. Custom user properties (registered ID, hashed email) can be set by the application. Data is then ingested into the GrowingIO warehouse and used for product analytics, marketing automation and audience activation.
The cookies fall under Article 5(3) ePrivacy. The persistent visitor ID, session replay and behavioural profiling are personal data processing under Article 4(1) GDPR. Consent is required under Article 6(1)(a) GDPR. Because session replay can capture sensitive content typed on screen, additional safeguards are needed (input masking, redaction).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
GrowingIO must be tag blocked until explicit, granular opt in consent has been given. The consent message must mention the operator, the destination country (mainland China) and the absence of an EU adequacy decision. Article 49(1)(a) explicit consent for the transfer is required in addition to the standard consent for cookies.
Production data is stored in mainland China on Alibaba Cloud. Mainland China has no GDPR adequacy decision and is exposed to the Cybersecurity Law, the Data Security Law and the PIPL. Transfers therefore require Standard Contractual Clauses and supplementary measures, and Article 49(1)(a) GDPR explicit consent for occasional transfers.
Tag block the GrowingIO SDK until consent, prepare an Article 49(1)(a) consent flow that names mainland China, sign the GrowingIO DPA on SCC, document a transfer impact assessment, configure session replay with strict input masking, list GrowingIO in the privacy and cookie policies and consider EU based product analytics (Mixpanel EU, PostHog Cloud EU, Heap with Schrems II measures, Matomo Cloud) as the strategic option for European users.
Websites using GrowingIO must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for any meaningful EU deployment of GrowingIO due to detailed behavioural profiling, session replay, persistent identifiers, transfer to mainland China and exposure to the Chinese Cybersecurity Law and PIPL. The DPIA should evaluate whether SCC plus supplementary measures effectively guarantee EU level protection.
Sample consent text
We use GrowingIO product analytics, operated from mainland China, to understand how the product is used. GrowingIO sets cookies, captures events automatically and transfers data to servers in China, which is not covered by an EU adequacy decision. Click Accept only if you understand and agree to this transfer.
Third-party domains contacted
growingio.comgio.cnassets.giocdn.comnapi.growingio.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gioenc | persistent | 2 years | Encrypted GrowingIO visitor identifier used to link auto captured events to a unique browser across sessions. |
| gr_session | session | Session | Session level identifier maintained by the GrowingIO SDK for the duration of a single visit. |
| gr_user_id | persistent | 2 years | Persistent user identifier that links anonymous activity to authenticated profiles when the application calls the identify API. |
GrowingIO collects user analytics data — you legally need a consent banner. Try FlowConsent free.
GrowingIO sets first party cookies (gioenc, gr_session, gr_user_id) on the customer domain to identify a unique browser, persist sessions and link auto captured events. Localstorage is also used to buffer events offline.
Yes. The cookies fall under Article 5(3) ePrivacy and the persistent profiling under Article 6(1)(a) GDPR. The transfer to mainland China additionally requires explicit consent under Article 49(1)(a) GDPR.
Consent for the cookies and the cross session profiling, plus explicit consent for the transfer to mainland China. Legitimate interest is not admissible because of the depth of behavioural analytics, the optional session replay and the destination country risk profile.
Yes. Production data is stored in mainland China on Alibaba Cloud. Mainland China is exposed to the Cybersecurity Law, Data Security Law and PIPL, and there is no GDPR adequacy decision. SCC plus supplementary measures plus explicit consent are typically needed.
Yes for any meaningful EU deployment. Detailed behavioural profiling, session replay, persistent identifiers, mainland China transfer and PIPL exposure jointly trigger the DPIA criteria of WP248 and the EDPB threshold guidance.
Tag block the SDK until consent, prepare an Article 49(1)(a) consent flow that names mainland China, sign the GrowingIO DPA on SCC, document a transfer impact assessment, mask sensitive inputs in session replay, list GrowingIO in the privacy and cookie policies and consider migrating EU users to an EU based product analytics tool.
EU friendlier product analytics options include Mixpanel EU, PostHog Cloud EU, Heap (with Schrems II safeguards), Amplitude EU, Pendo EU, Matomo Cloud and June. For self hosted setups, PostHog self hosted on EU infrastructure or Plausible plus a custom event store are common choices.
List GrowingIO with the operator (Growing Information Technology Co., Ltd., Beijing), the purpose (product analytics, session replay), the cookies (gioenc, gr_session, gr_user_id) with retention, the legal basis (consent and Article 49(1)(a) explicit consent), the transfer destination (mainland China) and the safeguards (SCC, supplementary measures, transfer impact assessment).