Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Lucky Orange is a US conversion optimisation tool with session recordings, dynamic heatmaps, conversion funnels, polls and a chat widget.
Lucky Orange is a conversion rate optimisation platform operated by Lucky Orange LLC in Overland Park, Kansas. It combines full session recordings, dynamic heatmaps that update on every interaction, scrollmaps, conversion funnels, form analytics, on site polls, surveys and a built in live chat widget. Lucky Orange is positioned as a Hotjar and Crazy Egg alternative for SMB and e-commerce websites.
Lucky Orange drops third party cookies on luckyorange.com (__lo_uid_*, __lotr, __lossid, __lo_persist, __lo_logged_in). The script captures mouse moves, clicks, scroll depth, form interactions (input field values are masked unless explicitly enabled), URL, referrer, user agent, viewport size, IP address and any custom variable passed to the API (email, customer ID, plan). Session recordings reconstruct the full visit as a video and can include keyboard input if masking is not configured.
Lucky Orange is not strictly necessary. Article 5(3) ePrivacy requires prior consent. Article 6 GDPR requires consent because session recordings produce a video of the user behaviour that goes far beyond simple analytics. European regulators (CNIL, Garante, ICO) have explicitly stated that session recording tools fall under the consent regime and that legitimate interest cannot justify their deployment.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the Lucky Orange snippet behind your CMP until consent is granted for Analytics or Performance. Enable form field masking (default in Lucky Orange settings) and add CSS class lo-block on any element containing personal data. Exclude sensitive URLs (account, billing, password reset) from recording. Pair Lucky Orange with a clear privacy notice and provide an opt out link.
Lucky Orange LLC processes data on AWS in the United States. EU personal data is transferred outside the EEA. Transfers rely on the Lucky Orange DPA, EU SCCs and the EU US Data Privacy Framework when Lucky Orange is certified. Document the mechanism in your records of processing activities and inform users in your privacy notice.
Sign the Lucky Orange DPA with EU SCCs. Block the snippet behind your CMP. Enable input masking and lo-block CSS classes. Exclude sensitive URLs. Limit recording retention to 30 to 90 days. Categorise __lo_* cookies as Analytics. Identify Lucky Orange LLC as processor with US transfer disclosure. Provide a clear opt out link.
Websites using Lucky Orange must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Lucky Orange records authenticated areas, when recordings can capture personal data, when retention exceeds 90 days, when the site is in a sensitive vertical (health, finance, minors), or when the chat widget collects identifiers.
Sample consent text
We use Lucky Orange to record anonymous sessions and produce heatmaps of how visitors interact with our website. Lucky Orange drops cookies on your device and sends data to its US infrastructure. Without your consent, no recording is started.
Third-party domains contacted
luckyorange.comluckyorange.netsettings.luckyorange.netcs.luckyorange.netupload.luckyorange.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __lo_uid_* | Analytics | 1 year | Persistent Lucky Orange unique visitor identifier (account specific) used to recognise returning visitors across sessions. |
| __lotr | Analytics | 30 days | Stores the Lucky Orange recording state for the current visitor and avoids double recording. |
| __lossid | Analytics | Session | Lucky Orange session identifier used to bind events to the same visit. |
| __lo_persist | Analytics | 1 year | Persistent Lucky Orange state cookie used to remember the visitor settings (chat opened, polls dismissed). |
| __lo_logged_in | Analytics | Session | Indicates whether the Lucky Orange account user is logged into the dashboard. Set on luckyorange.com. |
Lucky Orange collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Lucky Orange drops third party cookies on luckyorange.com: __lo_uid_* (unique visitor), __lotr (recording state), __lossid (session ID), __lo_persist (persistent state), __lo_logged_in (account state). The exact list depends on which Lucky Orange features are enabled.
Yes. Session recordings and heatmaps are not strictly necessary. Article 5(3) ePrivacy and article 6 GDPR require prior, opt in consent before the script executes.
Consent (article 6(1)(a) GDPR). Legitimate interest is rejected by EU regulators for session recording tools.
Lucky Orange LLC processes data on AWS US. Transfers rely on the Lucky Orange DPA, EU SCCs and the EU US Data Privacy Framework when Lucky Orange is certified.
A DPIA is recommended whenever recordings cover authenticated areas, can capture personal data, retention exceeds 90 days, or the site is in a sensitive vertical.
Block the snippet behind your CMP. Enable input masking by default. Add lo-block classes on sensitive fields. Exclude sensitive URLs. Limit retention. Sign the Lucky Orange DPA with EU SCCs.
Hotjar (US with EU hosting option), Contentsquare (Paris, EU), Mouseflow (Denmark), Smartlook (Czech), Plerdy (Ukraine), Microsoft Clarity (US, free) or self hosted rrweb.
List __lo_uid_*, __lotr, __lossid, __lo_persist, __lo_logged_in with domain, duration and purpose. Identify Lucky Orange LLC as processor with the US transfer disclosure. Link to the Lucky Orange privacy policy and opt out page.