Machine learning personalisation and recommendation platform acquired by Twilio that uses a JavaScript SDK to set a first party visitor cookie and collect behavioural events.
Vidora is a machine learning driven personalisation and recommendation platform that was acquired by Twilio. It ships a JavaScript SDK that publishers and ecommerce sites embed to collect behavioural events such as page views, clicks, scroll depth and purchases. These events feed predictive models that decide which content, product or promotion should be shown to each individual visitor.
The SDK writes a first party cookie named _vidora_visitor that contains a persistent identifier. Vidora also receives the visitor IP address, user agent, referrer, URL, custom event attributes and any user identifier you decide to pass. Combined, these data points let Vidora build a behavioural profile that qualifies as personal data under the GDPR.
Because Vidora reads and writes identifiers on the visitor terminal for personalisation and marketing purposes, Article 5(3) of the ePrivacy Directive requires prior consent. The downstream processing of behavioural data and machine learning profiling falls under Article 6(1)(a) of the GDPR. Automated decisions that significantly affect the visitor may also trigger Article 22 rights.
Vidora is hosted on AWS in the United States and Twilio is a US controller, so behavioural events are systematically transferred to the United States. EU customers must rely on the EU US Data Privacy Framework or Standard Contractual Clauses, complete a Transfer Impact Assessment and ensure that data minimisation is properly configured in the SDK.
Block the Vidora SDK until the visitor opts in through your consent management platform, expose a granular toggle for marketing or personalisation, document Vidora as a recipient in your privacy notice and configure the SDK to send only the events that are strictly required for the use case. Provide an effective opt out and document the Data Privacy Framework status of Twilio.
Websites using Vidora must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Vidora performs systematic behavioural profiling with machine learning, transfers data to the United States and may drive automated decisions affecting the visitor. Document the lawful basis, the EU US Data Privacy Framework status of Twilio and the safeguards put in place.
Sample consent text
We use Vidora, a Twilio owned personalisation engine, to recommend content tailored to you. It stores a cookie on your device and sends behavioural data to servers in the United States. Click Accept to enable Vidora or Reject to keep a non personalised experience.
Third-party domains contacted
- vidora.com
- cdn.vidora.com
- api.vidora.com
- events.vidora.com
- twilio.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _vidora_visitor | marketing | 1 year | Persistent first party visitor identifier that links every behavioural event captured by the Vidora SDK to a single profile used by the machine learning models. |
| _vidora_session | marketing | 30 minutes | Short lived session identifier used to group events belonging to the same browsing session for the recommendation engine. |
| _vidora_test | functional | 90 days | Stores the AB testing variant a visitor has been allocated to so the same experience is shown across visits. |
| _vidora_consent | preferences | 6 months | Memorises whether the visitor has accepted or rejected Vidora to avoid loading the SDK after a negative answer. |
Vidora sets a first party cookie named _vidora_visitor that stores a persistent visitor identifier used to link behavioural events into a single profile. Depending on integration choices, the SDK can also write helper cookies for AB testing variants and to remember whether the visitor has already opted in.
Yes. The SDK writes identifiers on the visitor terminal and collects behavioural data for personalisation and marketing, which falls under Article 5(3) of the ePrivacy Directive. Prior, informed and freely given consent is required before the SDK runs.
The legal basis is consent under Article 6(1)(a) of the GDPR. Vidora performs behavioural profiling and personalisation that goes beyond what a visitor would reasonably expect under legitimate interest, so an opt in is the appropriate ground.
Yes. Vidora is hosted on AWS in the United States and Twilio is a US controller, so visitor identifiers and behavioural events are systematically transferred to the US. You must rely on the EU US Data Privacy Framework or Standard Contractual Clauses and run a Transfer Impact Assessment.
Yes. The combination of large scale behavioural profiling, machine learning, automated decisions and international transfers meets the criteria of Article 35 of the GDPR. A DPIA must be performed before deployment.
Load the SDK only after consent is obtained, send only the events strictly required by your use case, sign Twilio's data processing agreement, document the EU US Data Privacy Framework status and provide a one click opt out that disables both the cookie and event collection.
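One way to implement the consent gate and one click opt out described in the paragraph above and in the earlier "Block the Vidora SDK until the visitor opts in" recommendation, as an added example that is not Vidora's or Twilio's code. The cookie names and the 6 month duration come from the cookie table on this page; the `accepted`/`rejected` values, the `sdkUrl` parameter and the function names are assumptions.

```javascript
// Added example: gate a third-party SDK on the _vidora_consent cookie.
// Assumption: the cookie holds "accepted" or "rejected"; the page names the
// cookie but not its values. Function names and sdkUrl are hypothetical.
const CONSENT_COOKIE = "_vidora_consent";
const IDENTIFIER_COOKIES = ["_vidora_visitor", "_vidora_session", "_vidora_test"];
const SIX_MONTHS_S = 60 * 60 * 24 * 182; // "6 months" in the cookie table

// Parse a document.cookie style string ("a=1; b=2") into a lookup object.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Fail closed: a missing or unrecognised value means "unknown", never consent.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === "accepted" || value === "rejected" ? value : "unknown";
}

// Inject the SDK script only after an explicit opt-in. Returns true if added.
function loadSdkIfConsented(doc, sdkUrl) {
  if (consentState(doc.cookie) !== "accepted") return false;
  const script = doc.createElement("script");
  script.src = sdkUrl;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Store the visitor's choice. On reject, also expire the identifier cookies.
// Assumes they were set with Path=/ and no Domain attribute; a cookie set with
// Domain=... must be expired with the same Domain or it survives.
function recordChoice(doc, accepted) {
  const value = accepted ? "accepted" : "rejected";
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=${SIX_MONTHS_S}; Path=/; SameSite=Lax; Secure`;
  if (!accepted) {
    for (const name of IDENTIFIER_COOKIES) doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
  return value;
}
```

A script that is already loaded keeps running after a reject, so reload the page once the choice is recorded.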
You can use EU based personalisation platforms such as Mautic, Frosmo EU or Crownpeak EU, or build a server side recommender on top of EU hosted data warehouses. They can keep personal data inside the EEA and limit international transfers.
Add a dedicated Vidora entry under the personalisation or marketing category, list the _vidora_visitor cookie, describe the events collected, identify Twilio as the controller in the United States, indicate the retention period and link to the Twilio privacy notice.