Hyros is an AI driven ad tracking and multi touch attribution platform used by direct response advertisers, course sellers, agencies and e commerce brands to follow leads from first ad click through to sale, calls and email opens. It relies on JavaScript pixels, first party cookies, server side conversion APIs and browser fingerprinting. For EU advertisers, Hyros is a high risk tool: it tracks identifiable behaviour, sends data to the United States and requires explicit prior consent under GDPR and ePrivacy.
Hyros is an AI driven ad tracking and multi touch attribution platform aimed at direct response advertisers, info product sellers, agencies and e commerce brands. It deploys a JavaScript tracking pixel, first party cookies on the advertiser's domain, server side conversion APIs to Meta, Google and TikTok, browser fingerprinting and call and email tracking. The goal is to reconstruct the full path from first ad click to sale, including offline conversions and reactivation campaigns.
Hyros collects IP address, user agent, device fingerprint signals, timestamps, URL and UTM parameters, click identifiers (fbclid, gclid, ttclid), email addresses, hashed emails, call metadata when call tracking is enabled, order values and product identifiers. Hyros stitches these signals to build a long lived customer profile across visits, ads, calls and purchases.
The Hyros tracker reads and writes information on the user's device and shares it with a third party for advertising purposes. Article 5(3) of the ePrivacy Directive requires prior consent for that storage and access. Fingerprinting is explicitly covered by EDPB guidance and CNIL recommendations as requiring consent on the same basis. The combination of identifiers also makes the relationship with Hyros a controller or joint controller arrangement, for which contractual documentation is required.
Hyros must be loaded only after the user has given freely given, specific, informed and unambiguous consent. The consent banner must let the user refuse as easily as accept, must not use pre ticked boxes, and must not bundle Hyros with other purposes. The Hyros pixel and all server side conversion calls must be blocked until consent is recorded.
Hyros runs on US infrastructure. Tracking data of EU users is transferred to the United States, where it is subject to potential access by US authorities under FISA 702. Transfers must rely on Standard Contractual Clauses, on the EU US Data Privacy Framework where Hyros is certified, and on supplementary measures: encryption in transit and at rest, strict access controls and minimisation of identifiers stored on the Hyros side.
Sign a GDPR DPA with Hyros including SCCs. Conduct a DPIA covering the fingerprinting and the cross channel correlation. Block Hyros via a Consent Management Platform until consent is given. Document Hyros in the records of processing activities and in the public cookie policy with vendor name, purposes, data categories, retention and third country transfer. Set a clear retention period and avoid storing hashed emails longer than needed.
Websites using Hyros must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended because Hyros combines large scale tracking, multi channel correlation, fingerprinting and a US data transfer. Assess necessity, proportionality, the granularity of data collected, retention, the lawfulness of fingerprinting under EDPB guidance, and the effectiveness of supplementary measures such as encryption and SCCs.
Sample consent text
We use Hyros to measure how our advertising campaigns perform, including across emails, calls and pages. Hyros stores cookies and may use device fingerprinting, and your data is transferred to the United States under Standard Contractual Clauses. We will only activate Hyros if you click Accept.
Third-party domains contacted
- hyros.com
- t.hyros.com
- api.hyros.com
- tracking.hyros.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| hyros_id | persistent | 2 years | First party Hyros visitor identifier used to stitch the user journey across pages, sessions, ads and conversions. Requires user consent. |
| hy_utm | persistent | 90 days | Stores the first touch UTM parameters and click identifiers (fbclid, gclid, ttclid) seen on entry, used for attribution. Requires consent. |
| hy_sid | session | session | Short lived session identifier used by Hyros to group page views into a single session for behaviour analysis. Requires consent. |
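
One way to check that the consent gate actually holds, as an added example that is not Hyros or consent-platform code: replay a captured browser session and flag any request to the domains listed above, or any of the cookies in the table, seen before consent was recorded. The event format, the function names and the sample session are constructed for illustration; only the domain and cookie names come from this page.

```javascript
// Added example. Domains and cookie names are the ones listed on this page.
const HYROS_DOMAINS = ["hyros.com", "t.hyros.com", "api.hyros.com", "tracking.hyros.com"];
const HYROS_COOKIES = ["hyros_id", "hy_utm", "hy_sid"];

// True when the URL's host is a listed domain or a subdomain of one.
// Suffix match on ".domain" so look-alikes such as nothyros.com do not match.
function isHyrosHost(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return false; }
  return HYROS_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Cookie names from a document.cookie / Cookie header string.
function cookieNames(header) {
  return header.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// events: hypothetical capture format {ts, type: "request"|"cookies", ...}.
// consentAt: epoch ms when consent was recorded, or null if never given.
function auditConsentGate(events, consentAt) {
  const findings = [];
  for (const e of events) {
    if (consentAt !== null && e.ts >= consentAt) continue; // after opt-in: allowed
    if (e.type === "request" && isHyrosHost(e.url)) {
      findings.push({ ts: e.ts, kind: "request-before-consent", detail: new URL(e.url).hostname });
    } else if (e.type === "cookies") {
      for (const name of cookieNames(e.value)) {
        if (HYROS_COOKIES.includes(name)) {
          findings.push({ ts: e.ts, kind: "cookie-before-consent", detail: name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample session (paths and values are placeholders).
const SAMPLE_EVENTS = [
  { ts: 1000, type: "request", url: "https://shop.example/landing?utm_source=meta" },
  { ts: 1200, type: "request", url: "https://t.hyros.com/placeholder" },
  { ts: 1300, type: "cookies", value: "session=abc; hy_utm=placeholder" },
  { ts: 5000, type: "request", url: "https://api.hyros.com/placeholder" },
  { ts: 5100, type: "cookies", value: "hyros_id=placeholder; hy_sid=placeholder" },
];

console.log(auditConsentGate(SAMPLE_EVENTS, 4000)); // consent recorded at ts 4000
```

Passing `null` as `consentAt` models a visitor who refused or never answered the banner, in which case every Hyros request or cookie in the capture is a finding.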
Hyros sets first party cookies on the advertiser's domain to store its own visitor identifier and to remember UTM and click parameters. It also writes localStorage entries, may use canvas and audio fingerprinting signals, and pushes server side conversions to Meta, Google and TikTok with hashed emails and IP addresses. Cookie names typically start with hy or h_ depending on the deployment.
Yes. Hyros writes information on the device and sends identifiers to a third party for advertising attribution. Article 5(3) ePrivacy requires prior consent. Fingerprinting requires consent on the same basis under EDPB guidance. The Hyros pixel and server side calls must be blocked until the user explicitly opts in.
The lawful basis is the user's freely given, specific, informed and unambiguous consent under article 6(1)(a) GDPR combined with article 5(3) ePrivacy. Legitimate interest is not a valid basis for advertising tracking because it cannot override the prior consent requirement set by ePrivacy.
Yes. Hyros runs on US infrastructure and EU visitor data is transferred to the United States. Transfers must rely on Standard Contractual Clauses, the EU US Data Privacy Framework where Hyros is certified, and supplementary safeguards such as encryption and strict access controls.
A DPIA is strongly recommended because Hyros combines large scale tracking, multi channel correlation, fingerprinting and a transfer to a third country. The DPIA must document the necessity of fingerprinting, retention, access, and the effectiveness of SCCs and other supplementary measures.
Sign a DPA with SCCs, block Hyros until consent is recorded, document Hyros in the records of processing and the cookie policy, run a DPIA, configure server side and client side conversions to fire only after consent, and minimise the personal identifiers (email hashes, phone hashes) shared with Hyros.
EU friendly alternatives include Triple Whale with EU controls, Northbeam, Polar Analytics, Wicked Reports, server side GTM hosted in the EU, Piwik PRO, Matomo with custom attribution, and Plausible enriched with custom event tracking. Several support self hosting in the EEA, reducing transfer risk.
List Hyros in the cookie policy with vendor name, purposes (advertising attribution, conversion tracking), categories of data, cookie names, lifetime, third country transfer to the US and the legal basis (consent). Provide a direct link to opt out and to the Hyros privacy policy. Update whenever Hyros adds new sub processors or new tracking methods.