Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Leadfeeder (now part of Dealfront) is a B2B website visitor identification tool that uses reverse IP lookup to identify companies visiting your site and enriches them with firmographic data.
Leadfeeder, now part of Dealfront after its 2022 merger with Echobot, is a B2B website visitor identification platform headquartered in Helsinki with offices in Berlin and Karlsruhe. The service places a JavaScript tracker on your site that captures each visitor IP address along with page navigation, session metadata and referrer, then matches the IP against business IP databases to reveal company name, industry, size and contacts. Leads are enriched with firmographic data and pushed into CRMs such as HubSpot, Salesforce and Pipedrive.
Leadfeeder captures the visitor IP address, which is the load bearing identifier for the reverse lookup, plus pages viewed, dwell time, referrer, UTM parameters, browser, operating system and session timestamps. A first party cookie named _lfa is written for up to two years to recognise returning visitors and stitch sessions. A short lived _lfa_test_cookie_* probe detects whether cookies are allowed. The dealfront_consent cookie stores the visitor choice when the Dealfront consent layer is enabled.
Leadfeeder positions itself as identifying legal persons rather than individuals, but the IP address is treated as personal data under GDPR (CJEU Breyer ruling) and the _lfa cookie clearly falls within Article 5(3) of the ePrivacy Directive because it is stored on the user terminal. Sole traders, freelancers and small offices where the IP is linkable to a natural person are unambiguously personal data subjects. The persistent identifier and B2B intent profiling place the processing in the medium to high risk band.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Best practice is to require informed, prior consent under Article 6(1)(a) GDPR before the Leadfeeder script loads, mirroring other analytics tags. Some operators argue Article 6(1)(f) legitimate interest for pure B2B identification, but this only covers the GDPR layer: Article 5(3) ePrivacy still demands consent for any cookie storage that is not strictly necessary, and _lfa is not strictly necessary. Block the tag behind your CMP and fire it only for the analytics or marketing consent category.
Primary processing is in the EU on AWS Frankfurt and AWS Ireland. Some support and integration subprocessors operate in the United States under Standard Contractual Clauses, so list these transfers in your ROPA. Practical steps: gate Leadfeeder behind a category in your CMP, declare _lfa in your cookie notice with its two year duration, sign the Dealfront DPA, document the LIA if you rely on Art. 6(1)(f) for the GDPR layer, configure IP exclusions for your office ranges and run a DPIA before deployment.
Websites using Leadfeeder must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended. Reverse IP lookup combined with a persistent first party cookie creates a profile of business visitors that may include sole traders and small companies where the IP can be linked to an individual. Document the legal basis, retention period, third country transfers, and the rights of identified data subjects.
Sample consent text
We use Leadfeeder by Dealfront to identify the companies visiting our website. This tool reads your IP address and stores a small identifier (_lfa) on your device for up to two years. Do you consent to this B2B analytics processing?
Third-party domains contacted
leadfeeder.comlftracker.comsc.lfeeder.comt.lfeeder.comdealfront.comanalytics.dealfront.comapp.leadfeeder.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _lfa | first_party | 2 years | Persistent Leadfeeder visitor identifier used to recognise returning visitors and stitch sessions together for the reverse IP lookup pipeline. |
| _lfa_test_cookie_* | first_party | Session | Short lived probe written to verify whether the browser accepts cookies before the main _lfa cookie is set. |
| dealfront_consent | first_party | 1 year | Stores the visitor consent choice when the Dealfront consent layer is enabled on the site. |
| _lf_session | first_party | Session | Internal session marker used by the Leadfeeder tracker to correlate page views within a single browsing session. |
| _lf_visitor | first_party | 2 years | Backup visitor identifier some Leadfeeder deployments set alongside _lfa for cross subdomain recognition. |
Leadfeeder collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Leadfeeder writes a first party cookie called _lfa with a lifetime of up to two years to recognise returning visitors. It also writes short lived _lfa_test_cookie_* probes to check whether cookies are allowed, and a dealfront_consent cookie if you use the Dealfront consent layer. The IP address is the core identifier used for the reverse lookup.
Yes. Even though Leadfeeder targets companies rather than individuals, the _lfa cookie is stored on the user terminal and is not strictly necessary, so Article 5(3) of the ePrivacy Directive applies. Best practice is to block the script behind a CMP and only fire it after the analytics or marketing consent category is accepted.
The safest legal basis for the cookie and the reverse IP lookup is Article 6(1)(a) GDPR consent. Some operators argue Article 6(1)(f) legitimate interest for the pure B2B company identification, but this only covers the GDPR layer; the ePrivacy cookie rule still demands prior consent for the _lfa cookie.
Primary processing happens in the EU on AWS Frankfurt and AWS Ireland, with corporate presence in Helsinki, Berlin and Karlsruhe. Some subprocessors used for support and CRM integrations operate in the United States under Standard Contractual Clauses, so US transfers are limited but possible.
A DPIA is strongly recommended. The combination of reverse IP lookup, persistent identifier and B2B intent profiling can identify sole traders and small offices, raising the residual risk. Document the legal basis, retention periods, third country transfers and the data subject rights workflow before deployment.
Block the script behind your CMP, fire it only after analytics or marketing consent, sign the Dealfront DPA, declare _lfa in your cookie notice with its two year duration, configure IP exclusions for your own offices, document your legitimate interest assessment if you rely on Art. 6(1)(f), and run a DPIA before go live.
Yes. EU based options include Albacross (Sweden), Snitcher (Netherlands) and Dealfront itself (same parent). UK and US options include Lead Forensics, Visitor Queue, Clearbit Reveal and the HubSpot Prospects feature. Each has different consent, data residency and CRM integration trade offs.
Add an entry listing the _lfa cookie (purpose: visitor identification, duration: 2 years, type: first party), mention the _lfa_test_cookie_* probe and the dealfront_consent cookie. Identify Dealfront Oy as the processor, link to its DPA, describe the EU primary storage and any US subprocessor transfers under SCCs.