Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Sitefinity Insight is a customer data and digital experience analytics platform built into Progress Sitefinity CMS. It tracks visitor behaviour, builds individual contact profiles, segments audiences, and enables content personalisation based on interaction history. Because it profiles individual visitors and links anonymous behaviour to named contacts, its deployment on European websites requires prior consent under GDPR and the ePrivacy Directive. Data is processed in the US via Standard Contractual Clauses.
Sitefinity Insight is a built-in customer data and digital experience analytics module within the Progress Sitefinity CMS platform. It provides behavioural analytics, visitor journey tracking, contact profile management, audience segmentation, and content personalisation capabilities. When integrated with a Sitefinity-powered website, it tracks every page visit, content interaction, form submission, and conversion event, building individual contact profiles that persist across sessions. It acts as a customer data platform, enabling marketers to segment visitors and deliver targeted content without additional third-party tools.
Sitefinity Insight collects IP addresses, browser and device information, pages visited, time on page, scroll depth, content downloads, video interactions, form completions, and conversion events. It builds persistent contact profiles that link anonymous browsing sessions to identified contacts when a form is submitted or a login occurs. These profiles include interaction history, interest scores, segment membership, and lead scoring data. When integrated with a CRM, contact profiles can be enriched with sales and customer relationship data.
Sitefinity Insight''s contact profiling and personalisation capabilities make it a high-risk tool under GDPR. The ePrivacy Directive requires consent before any tracking cookies are set. GDPR requires a lawful basis for building individual contact profiles. The automated linking of anonymous browsing data to named contacts (identity resolution) when a form is submitted is particularly sensitive and must be disclosed in your privacy policy. Content personalisation based on individual profiles requires that consent was obtained for the profiling activity.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Consent must be obtained before Sitefinity Insight tracking scripts initialise. When using Sitefinity''s built-in consent management, ensure it is configured to comply with GDPR requirements. The consent must cover both anonymous visitor analytics and the contact profile building that occurs when a form is submitted. Users must be informed that their browsing history will be linked to their contact profile and used for personalisation. Consent must be revocable, with immediate suppression of all tracking and profile updates.
Progress Software Corporation is a US company and processes Sitefinity Insight data on US infrastructure. Standard Contractual Clauses apply as the transfer mechanism. Organisations using Sitefinity Insight should sign Progress Software''s Data Processing Agreement, document the US transfer in their Records of Processing Activities, and ensure Sitefinity Insight is disclosed as a processor in their privacy policy.
To use Sitefinity Insight compliantly: configure Sitefinity''s consent management to block tracking until consent is obtained; categorise Sitefinity Insight cookies under analytics and personalisation; update your privacy policy to describe contact profile building and personalisation; sign a DPA with Progress Software; conduct a DPIA given the automated profiling; document the US transfer in your RoPA; configure contact data retention limits in the Insight admin panel; and ensure the right to erasure is implemented so that contact profiles and tracking history can be deleted on request.
Websites using Sitefinity Insight must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Sitefinity Insight is used for automated visitor profiling at scale, personalisation based on individual interaction history, or when contact profiles are enriched with data from CRM or marketing systems. The combination of persistent cross-session visitor identification, contact profile building, and US data transfer warrants formal impact assessment.
Sample consent text
We use Sitefinity Insight to analyse how visitors use our website and to personalise content based on your interaction history. Sitefinity Insight tracks pages visited, content engaged with, and form submissions to build a profile of your interests. This data is processed in the United States. Please accept to enable analytics and personalised content.
Third-party domains contacted
progress.comsitefinity.cominsight.sitefinity.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sf_insight_vid | persistent | 1 year | Visitor identifier used to build persistent contact profiles and link anonymous browsing sessions to identified contacts |
| sf_session | session | Session | Session-level tracking cookie used to collect behavioural signals for real-time analytics and segment membership |
Sitefinity Insight collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Sitefinity Insight sets persistent first-party tracking cookies to maintain a visitor identifier across sessions, enabling the construction of individual contact profiles. It also sets session cookies for active visitor tracking. These cookies link anonymous browsing data to named contacts when a form is submitted, making them high-risk tracking cookies requiring prior consent.
Yes. Sitefinity Insight sets tracking cookies and builds contact profiles, both of which require prior consent under the ePrivacy Directive and GDPR. Sitefinity CMS includes built-in consent management features that should be configured to block Insight tracking until consent is recorded. The consent must specifically cover both analytics tracking and contact profile building.
Consent under Article 6(1)(a) GDPR is required for behavioural tracking cookies and contact profile building. For basic, non-profiling page view analytics, legitimate interest under Article 6(1)(f) may apply with a documented balancing test. Once anonymous visitor data is linked to a named contact, consent is the appropriate basis for all subsequent profiling and personalisation activities.
Yes. Progress Software Corporation is a US company and processes Sitefinity Insight data on US infrastructure. Standard Contractual Clauses apply as the transfer mechanism under GDPR Article 46. Organisations should sign Progress Software's DPA and document the US transfer in their Records of Processing Activities.
A DPIA is recommended when Sitefinity Insight is used for automated contact profiling at scale, lead scoring, or personalisation based on individual interaction history. The persistent cross-session contact profiling, automated segment membership, and US data transfer create a processing activity that warrants formal assessment under GDPR Article 35.
Use Sitefinity's built-in consent management to block all Insight tracking until consent is granted. Configure the consent categories to include analytics and personalisation separately. Set contact data retention limits in the Insight admin panel. Implement right-to-erasure functionality so contact profiles and tracking history can be deleted on request. Update your privacy policy and sign a DPA with Progress Software.
Matomo Analytics can be self-hosted on EU infrastructure and provides visitor analytics without third-country transfers. For full CDP functionality with EU residency, Bloomreach and Optimizely Data Platform both offer EU hosting options. For Sitefinity users specifically, disabling Insight and using a self-hosted Matomo instance provides analytics with full data sovereignty.
Sitefinity Insight stores contact profiles that must be deleted upon a valid erasure request under GDPR Article 17. Navigate to the Insight admin panel, locate the contact profile by email address, and delete the contact record including all associated interaction history and segment data. Confirm in your data subject request response that the profile and associated tracking data have been deleted. Document the erasure in your data subject request log.