Smartlook is a Czech session replay and behavioural analytics platform headquartered in Brno. Data is hosted in the European Union, which makes it a popular alternative to Hotjar for European publishers.
Smartlook is a session replay, heatmaps and funnels platform operated by Smartsupp.com sro in Brno, Czech Republic. It records visitor sessions on websites and mobile apps and provides analytics on click, scroll and form interactions. Data is hosted on AWS infrastructure within the European Union.
Smartlook sets first party cookies SL_C_*, SL_S_* and SL_GWPT_Show_Hide_tmp that identify the visitor and the session. The session replay engine records DOM mutations, clicks, scrolls and form interactions, with masking available for sensitive elements.
Session replay is treated as non-essential by CNIL and German DPAs: consent is required under Article 5(3) ePrivacy and Article 6(1)(a) GDPR. The CNIL has fined publishers for activating session replay before consent.
Block the Smartlook script until consent is granted. Smartlook provides a smartlook.consentAPI to grant or revoke consent for forms, IP and API usage.
Recordings stay in AWS EU. Cisco AppDynamics, the parent group of Smartsupp acquirers in some markets, may provide global support under SCCs.
Block Smartlook before consent, mask password fields and any field with sensitive data, restrict recordings to specific pages, run a DPIA, sign the DPA and document the EU hosting.
Websites using Smartlook must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because session replays can capture inputs, mouse movements and form interactions. Mask sensitive fields, restrict replay scope and rely on EU hosting to limit risk.
Sample consent text
Our website uses Smartlook, a session replay and behavioural analytics platform operated by Smartsupp.com sro (Czech Republic). The recordings are stored within the European Union and are activated only with your prior consent.
Third-party domains contacted
smartlook.com, rec.smartlook.com, eu-rec.smartlook.com, web-sdk.smartlook.com, eu.smartlook.cloud

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| SL_C_{key}_KEY | first-party | 10 years | Unique visitor identifier used to link sessions across visits. |
| SL_C_23361dd035530_KEY | first-party | 1 year | Pseudonymous visitor identifier used to stitch session recordings and heatmap events. |
| SL_C_<key>_VID | first-party | 10 years | Stores the pseudonymous Smartlook visitor identifier across sessions. |
| SL_C_23361dd035530_VID | first-party | 1 year | Visitor identifier mapped to the recording chunks uploaded to the Smartlook EU cluster. |
| SL_C_<key>_SID | first-party | session | Identifies the current Smartlook session and links its replay events. |
| SL_C_{key}_SID | first-party | 30 minutes | Current session identifier. |
| SL_C_23361dd035530_SID | first-party | session | Session identifier; used to group events into a single replay. |
| SL_GWPT_Show_Hide_tmp | first-party | session | Stores Smartlook dashboard preferences. |
| SL_C_<key>_KEY | first-party | 10 years | Stores configuration of the Smartlook recording (rate, masking, allowed origins). |
| SL_GWPT_Show_Hide_tmp | third-party | session | Smartlook dashboard cookie set on smartlook.com to remember UI preferences for project users. |
Smartlook sets first party cookies SL_C_<key>_VID (visitor id), SL_C_<key>_SID (session id) and SL_C_<key>_KEY (configuration), plus a third party cookie on smartlook.com for the dashboard. All cookies are described in the Smartlook cookie documentation and need to be listed in the operator cookie policy.
First party cookies SL_C_{key}_KEY, SL_C_{key}_SID and SL_GWPT_Show_Hide_tmp store the visitor identifier, session and dashboard preferences.
Smartlook sets up to three first party cookies on the publisher domain: SL_C_..._KEY (visitor key, 1 year), SL_C_..._VID (visitor identifier, 1 year) and SL_C_..._SID (session identifier, session). They are pseudonymous and used to stitch the recording chunks together.
Yes. Session replay is not strictly necessary and consent is required under Article 5(3) ePrivacy.
Yes. Session replay, heatmaps and clickmaps are systematic monitoring under GDPR and require prior, granular and freely revocable consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR. The CNIL, the Garante and the BfDI have all confirmed this position.
Yes. Smartlook implements session replay, which is treated as systematic behavioural monitoring by the EDPB and EU regulators. The SDK reads and writes information on the visitor terminal and must therefore be blocked until the visitor accepts analytics cookies in the CMP.
Consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy.
The legal basis is Article 6(1)(a) GDPR (consent). Legitimate interest is not adequate because session replay captures DOM mutations and may inadvertently process personal data, and EU regulators have repeatedly stated that consent is required for this category of analytics.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy). Legitimate interest is not appropriate for session replay because the systematic capture of behaviour creates a high risk to data subject rights, and the EDPB Guidelines 8/2020 recommend consent for any tracking that goes beyond strict aggregate measurement.
Smartlook stores session replays on AWS Frankfurt, inside the EEA. As part of the Cisco group, Smartlook may grant access to its parent company from the US or India under Cisco master data protection terms. Check the current sub processor list and sign the appropriate Standard Contractual Clauses.
Not for EU customers. Smartlook hosts EU customer data in Brno (Czech Republic) and AWS Ireland and the DPA states no transfer outside the EEA. Cisco is the US parent company but EU operations are run independently. North American customers have a separate US data centre.
No, in the standard configuration. Smartlook is hosted in AWS EU.
Yes. Session replay is listed among the criteria for mandatory DPIA in the EDPB Guidelines on DPIAs (systematic monitoring, large scale processing). Cover the masking strategy, the retention period, the sampling, the recipients and the visitor exercise of rights.
Yes, a DPIA is strongly recommended. Session replay is classified by the EDPB as systematic behavioural monitoring, which is one of the criteria for high risk processing. Conduct and document the DPIA before activating Smartlook on production traffic.
Recommended given the granularity of session replays. Mask sensitive elements to limit risk.
Sign the DPA from the Smartlook dashboard, choose EU residency at sign up, set masking on every personal data field, enable IP anonymisation, gate the SDK behind your CMP analytics or session replay category and use smartlook.consent or smartlook.disable to react to the visitor decision.
Sign the Smartlook DPA, enable IP anonymisation, gate the SDK behind your CMP, mark every form and personal data element with smartlook hide, exclude payment and health pages, configure a short retention and document everything in the record of processing.
Block the script before consent, use smartlook.consentAPI to grant or revoke, mask form fields by default and limit recordings to specific pages.
Other session replay tools include Hotjar (acquired by Contentsquare), Microsoft Clarity (free, US hosted), FullStory (US hosted), LogRocket, Mouseflow (Denmark, EU hosted) and the open source OpenReplay which can be self hosted on EU infrastructure.
EU based or self hosted alternatives include Matomo Heatmaps and Session Recording, Mouseflow EU, Contentsquare with EU residency, PostHog Self Hosted and Plausible (with no replay). Each option offers different trade offs in terms of features, retention and data location.
Hotjar, Microsoft Clarity, PostHog session replay, Mouseflow, FullStory. EU based options simplify compliance.
List the SL_C_<key>_VID, SL_C_<key>_SID and SL_C_<key>_KEY cookies with their purpose and retention, mention the third party cookie on smartlook.com, indicate that Smartlook records session replays, link to the Smartlook privacy notice and to your CMP preference centre.
List all three SL_C_... cookies with their lifetime and purpose. Re-scan the storefront after every Smartlook SDK upgrade because the cookie naming convention may evolve. Update the policy when you change the masking strategy, retention period or sampling rate.
Document SL_C_* and SL_S_* cookies, their purpose, duration and the EU hosting.
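
A way to verify the "block before consent" requirement and to automate the re-scan mentioned above, as an added example that is not Smartlook's or this page's own code: it takes the cookies and request URLs a browser produced before the visitor answered the banner and reports any Smartlook cookie or domain from the lists on this page. The function names and both captures are constructed for illustration.

```javascript
// Cookie-name patterns and hostnames are those listed on this page.
// Function names and both sample captures are constructed for illustration.
const SMARTLOOK_COOKIE_RE = /^(SL_C_[^_]+_(KEY|VID|SID)|SL_S_.+|SL_GWPT_Show_Hide_tmp)$/;
const SMARTLOOK_DOMAINS = ["smartlook.com", "smartlook.cloud"];

// Extract cookie names from a document.cookie / Cookie header string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Match the domain itself or a subdomain on a label boundary, so that
// "notsmartlook.com" and "smartlook.com.example.net" are not flagged.
function isSmartlookHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return SMARTLOOK_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Input: what the browser stored and requested BEFORE the visitor answered
// the consent banner. Output: Smartlook artefacts that should not exist yet.
function auditPreConsent({ cookieString, requestUrls }) {
  const cookies = cookieNames(cookieString).filter((n) => SMARTLOOK_COOKIE_RE.test(n));
  const hosts = [...new Set(
    requestUrls.map((u) => new URL(u).hostname).filter(isSmartlookHost)
  )];
  return { compliant: cookies.length === 0 && hosts.length === 0, cookies, hosts };
}

// Constructed capture: SDK loaded and cookies written before consent.
const leakyCapture = {
  cookieString: "cmp_state=pending; SL_C_23361dd035530_SID=x1; SL_C_23361dd035530_VID=x2",
  requestUrls: [
    "https://shop.example/",
    "https://web-sdk.smartlook.com/",
    "https://eu-rec.smartlook.com/",
    "https://notsmartlook.com/",
  ],
};
// Constructed capture: SDK correctly held back by the CMP.
const cleanCapture = {
  cookieString: "cmp_state=pending",
  requestUrls: ["https://shop.example/", "https://smartlook.com.example.net/"],
};

console.log(auditPreConsent(leakyCapture));
console.log(auditPreConsent(cleanCapture));
```

Feed it the cookie string and request list from a fresh browser profile captured before any banner interaction; a non-compliant result means the CMP gate is not holding the SDK back.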