Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Woopra is a US based customer journey analytics platform that combines web analytics, product analytics, and customer profiles into a single tool. It tracks individual user behaviour across web, mobile and SaaS products to build identified customer profiles in real time. Because data is transferred to Woopra Inc. in the United States and the platform tracks identified individuals, deploying Woopra on EU traffic requires explicit consent under the GDPR and the ePrivacy Directive, plus a transfer assessment under Schrems II.
Woopra is a customer journey analytics platform operated by Woopra Inc., headquartered in San Francisco. It combines web analytics, mobile analytics, and product analytics, attaching every event collected to an identified customer profile rather than to an anonymous session. Marketing, sales and product teams use Woopra to understand individual user paths from first visit through purchase and retention.
Tracking is implemented through a JavaScript snippet (woopra.com tracker), mobile SDKs, and direct REST API calls from backend services. Each user is identified by an email address or other stable ID and tagged with custom properties, then enriched with all subsequent behavioural events.
On the client side, Woopra processes the IP address (used for geolocation and abuse prevention), browser User Agent, screen size, referrer, current URL, page title, and full event payloads (clicks, form submits, custom track calls). Server side it receives all data that you push via the REST API: email addresses, names, account IDs, plan information, and any custom traits.
These identifiers are correlated using the wooTracker cookie (visitor ID, 1 year lifetime) and the optional Woopra Connect feature that stitches anonymous browsing sessions with identified accounts after sign in.
Woopra is a US controller for its own operations and a US processor for customer data. The transfer of EU personal data to the US is governed by Standard Contractual Clauses. Following the Schrems II ruling (CJEU C 311/18), SCCs alone are insufficient: a documented Transfer Impact Assessment is mandatory, considering FISA Section 702 and Executive Order 12333 access by US authorities.
On the cookie side, wooTracker is not strictly necessary and falls squarely under Art. 5(3) ePrivacy: consent is required before it is written. Because Woopra processes identified personal data, consent is also the safest Art. 6 basis under GDPR. Legitimate interest is risky because the EDPB and several DPAs have ruled against legitimate interest as a basis for cross border behavioural tracking.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Defer the Woopra script until the visitor has accepted the Analytics or Marketing category in your consent management platform. Make sure the consent banner explicitly names Woopra and mentions the United States transfer, with a link to Woopra privacy policy.
For server side tracking, do not send identified events for EU users who refused consent: use the Woopra API only for users who explicitly accepted Marketing or Product analytics. Implement consent signal propagation between your CMP, your application backend and the Woopra REST API.
Sign the Woopra Data Processing Addendum and the EU SCCs (Modules 2 and 3, controller to processor). Document the transfer in your Records of Processing Activities and complete a Transfer Impact Assessment. Apply supplementary measures: pseudonymise email addresses before sending where possible, restrict the categories of properties pushed, and enable IP truncation if Woopra offers it.
List all downstream sub processors Woopra relies on (notably AWS for hosting in the US) in your privacy notice. Update your retention policy: by default Woopra retains profiles indefinitely, set an explicit deletion schedule.
Implement granular consent for Woopra (Analytics or Marketing category). Defer woopra.js until consent. Configure the Woopra account to anonymise IP addresses. Document the lawful basis (consent) and the cross border transfer in your privacy policy. Train your product and marketing teams to avoid pushing special category data (health, religious beliefs, sexual orientation, biometric identifiers) into Woopra traits.
For high traffic or sensitive sectors, consider EU alternatives: Matomo, Piwik PRO, Plausible, Fathom, or Mixpanel with EU residency. Document your decision rationale in the DPIA, particularly if Woopra is used to profile users in a way that may produce automated decisions under Art. 22 GDPR.
Websites using Woopra must obtain user consent under GDPR regulations.
DPIA considerations
Woopra is designed to build identified profiles, linking persistent visitor IDs (wooTracker cookie) with email addresses, account IDs, and product events. Key DPIA considerations: (1) systematic behavioural tracking across web and product sessions, with cross device stitching, falls under EDPB Guidelines on automated decision making and profiling; (2) data transfer to the US triggers Schrems II requirements: SCCs alone are insufficient, a Transfer Impact Assessment and supplementary measures (encryption, pseudonymisation) are needed; (3) the platform stores personal identifiers (email, phone) and full event payloads for years by default, retention must be reviewed against Art. 5(1)(e) GDPR data minimisation; (4) Woopra integrates with marketing automation tools (HubSpot, Marketo, Salesforce) which can re share the same identifiers further; (5) the platform may collect data subject to special category protection (Art. 9 GDPR) if used on healthcare or finance applications, requiring an additional Art. 9(2) basis; (6) the wooTracker cookie has a 1 year lifetime and is shared across all pages, enabling long term re identification.
Sample consent text
We use Woopra (Woopra Inc., United States) for customer journey analytics. With your consent, Woopra sets cookies and collects behavioural data (pages, events, button clicks, account information) to build a customer profile that is transferred to and processed on Woopra servers in the United States under Standard Contractual Clauses. You can refuse this tracking at any time without losing access to our services.
Third-party domains contacted
woopra.comwww.woopra.comstatic.woopra.comapi.woopra.comapp.woopra.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wooTracker | Analytics | 1 year | Persistent visitor identifier. Used to recognise returning visitors and stitch sessions to a single customer profile in Woopra. |
| wooSession | Analytics | Session | Identifies the current browsing session and ties it to the persistent visitor ID. |
| wooLabel | Analytics | 1 year | Stores the user provided identifier (typically an email address) after sign in, so Woopra can link anonymous and authenticated sessions. |
| wooId | Analytics | 1 year | Backup identifier used when wooTracker is blocked or cleared. |
Woopra collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The main first party cookie is wooTracker (visitor ID, 1 year lifetime), used to recognise returning visitors and stitch sessions to a single profile. Other helper cookies may include wooSession, wooLabel and wooId, plus localStorage entries holding the visitor identifier and queued events. None of these are strictly necessary for the website itself.
Yes, in any deployment targeting EU traffic. The wooTracker cookie and the JavaScript tracker are not strictly necessary under Art. 5(3) ePrivacy and the EDPB Guidelines 5/2020. Prior, informed, granular consent is required before any cookie is set or any identified event is sent to Woopra. Server side calls must also be gated by consent for identified EU users.
Consent (Art. 6(1)(a) GDPR) is the only safe basis for Woopra given the breadth of behavioural data, the building of identified profiles, and the systematic US data transfer. Legitimate interest has been rejected by multiple EU DPAs in similar cases (e.g. Google Analytics decisions by the Austrian and French DPAs in 2022) for cross border behavioural tracking.
Yes. All data is processed on Woopra infrastructure in the United States (AWS). Transfers rely on the EU Standard Contractual Clauses (Modules 2 and 3) plus a Data Processing Addendum. A Transfer Impact Assessment under Schrems II is mandatory and supplementary measures (encryption, pseudonymisation, restricted property pushes) are strongly recommended.
Very often yes. Woopra performs systematic monitoring of individuals on a large scale, combined with cross border transfers to a third country with no adequacy decision (until the EU US DPF is updated for analytics providers), so the EDPB criteria for mandatory DPIA are typically met. The DPIA must document the lawful basis, the TIA, retention, profile content, and rights of data subjects.
Sign the DPA. Add Woopra to your sub processor list. Defer the script until consent. Configure IP anonymisation and disable unnecessary data fields. Document the cross border transfer and the lawful basis. Provide a clear opt out mechanism and honour Do Not Track and Global Privacy Control signals. For server side tracking, propagate the consent state to your application backend before calling the Woopra API.
For EU friendly customer analytics: Matomo (self hosted or EU cloud), Piwik PRO (Germany), Mixpanel EU residency, Heap with EU storage, Posthog (self hosted, EU cloud), Segment with EU cluster. For pure web analytics: Plausible, Fathom, Simple Analytics. Mixpanel with EU residency is the closest like for like alternative for product analytics.
List the wooTracker cookie with name, provider (Woopra Inc., United States), purpose (visitor identification and customer journey analytics), lifetime (1 year), and category (Analytics or Marketing). Mention the United States transfer, the use of Standard Contractual Clauses, and provide a link to the Woopra privacy policy. Add a clear opt out toggle that immediately stops further tracking and queues a profile deletion request if the user requests it.