Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
ZoomInfo is a leading US B2B intelligence and prospecting platform. It maintains a database of business contact data (names, professional emails, phone numbers, roles, companies) sourced from public web data, partner integrations, contributory networks and ZoomInfo own tags. It also offers a WebSights script that identifies visiting companies through IP reverse lookup. ZoomInfo activities raise significant GDPR transparency, lawful basis and Art. 14 obligations for European data subjects.
ZoomInfo is a B2B intelligence and sales prospecting platform headquartered in Vancouver, Washington. It offers one of the largest commercial databases of business contact data with names, professional emails, phone numbers, job titles, company information, technographics and intent signals. Beyond the database, ZoomInfo includes WebSights (a website visitor identification tag), Engage (sales engagement), MarketingOS, OperationsOS and integrations with Salesforce, HubSpot and Outreach.
ZoomInfo gathers personal data from public web sources (corporate websites, press releases, professional networks), via partner integrations, through its contributory Community Edition (which collects signature blocks from user mailboxes when authorised), through its FormComplete autofill tag, and via its WebSights script (which uses IP reverse DNS to identify companies visiting partner websites). The database is regularly verified and enriched, which produces a structured profile per contact and per company.
Operating a database of EU personal data sourced from the web triggers Art. 6 GDPR (lawful basis), Art. 13/14 GDPR (transparency), Art. 21 GDPR (right to object), Art. 17 GDPR (erasure), Art. 5(1)(d) GDPR (accuracy) and Art. 5(1)(c) GDPR (minimisation). For B2B prospecting, the legitimate interest basis can apply with a documented Legitimate Interest Assessment, but the controller must still notify each EU data subject within one month or at first contact (Art. 14). WebSights triggers Art. 5(3) ePrivacy because it reads identifiers from the user terminal to single out visitors.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
ZoomInfo hosts data primarily in the United States. International transfers are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR and require a Transfer Impact Assessment. ZoomInfo has implemented an EU Privacy Program with a dedicated Data Subject Request portal and an internal EU representative, partly in response to complaints filed with German and Italian authorities. EU customers should sign the ZoomInfo DPA and the SCCs and rely on the privacy controls offered (suppression lists, country level data deletion).
Compliance checklist: document the lawful basis country by country (be aware of UWG in Germany and CNIL guidance in France); send the Art. 14 GDPR notice to every EU contact at first communication; honour the right to object and erasure with internal suppression lists; gate the WebSights script behind your CMP; sign the ZoomInfo DPA and SCCs; run a DPIA covering data sourcing, accuracy and retention; align retention with prospecting purpose (CNIL guidance: about 3 years after last activity); update your privacy policy with a description of ZoomInfo as a processor and as a controller of its database.
Websites using ZoomInfo must obtain user consent under GDPR regulations.
DPIA considerations
ZoomInfo combines a large scale database of B2B contact data with web tracking through the WebSights script. Key DPIA points: (1) the database includes data scraped from the web, contributed by users (Communities, FormComplete) and enriched via providers, which raises sourcing legitimacy questions and Art. 14 GDPR transparency obligations; (2) every European data subject in the database has the right to receive a notice within one month or at first contact, and to object; (3) WebSights uses IP and persistent identifiers to single out visitors, triggering Art. 5(3) ePrivacy and requiring consent before the script loads; (4) data is hosted in the United States with SCC and Transfer Impact Assessment; (5) repeated complaints to European authorities (CNIL, Bavarian BayLDA, Italian Garante) have produced strict guidance, ZoomInfo has implemented an EU privacy program, but operators must still demonstrate their own compliance. A DPIA under Art. 35 GDPR is recommended in most B2B prospecting use cases.
Sample consent text
We use ZoomInfo to enrich and update our B2B prospect database with publicly available professional information and to identify companies that visit our website through the WebSights script. Your professional data may be processed by ZoomInfo Technologies LLC in the United States. You can object to this processing or request access, rectification or erasure at any time by contacting us or by emailing the ZoomInfo Privacy Office.
Third-party domains contacted
ws.zoominfo.comcdn.zoominfo.comvisitortrack.zoominfo.comapp.zoominfo.comapi.zoominfo.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _zi_* | HTTP first party cookie | 1 year | Cookies set by the ZoomInfo WebSights tag to deduplicate IP reverse lookups and store the identified company across pages. |
| _zi_session | HTTP first party cookie | Session | Session level cookie used by WebSights to maintain visitor context within a single browsing session. |
| __zi-formcomplete | HTTP first party cookie | 1 year | Cookie set by FormComplete to remember the visitor and pre fill business contact fields based on the ZoomInfo identification. |
| visitor_id_* | HTTP first party cookie | 6 months | Persistent visitor identifier used to attribute web sessions to a known ZoomInfo company or contact record. |
ZoomInfo collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The ZoomInfo WebSights tag sets first party and third party cookies to deduplicate visitor IP lookups and store the identified company. The FormComplete autofill tag also reads device signals. Both fall under Art. 5(3) ePrivacy and require consent before they load.
For WebSights and FormComplete on European visitor traffic, yes: the script must be gated behind the consent management platform. For database queries through the ZoomInfo platform, consent is generally not required at query time but the Art. 14 GDPR notice to the EU contact remains mandatory.
Legitimate interest (Art. 6(1)(f) GDPR) is the typical basis for B2B prospecting, subject to a documented Legitimate Interest Assessment. Consent (Art. 6(1)(a) GDPR) is required for B2C outreach, for cookies and for any sensitive processing.
Yes. ZoomInfo hosts data in the United States. Transfers are governed by Standard Contractual Clauses (Art. 46(2)(c) GDPR) with a mandatory Transfer Impact Assessment. ZoomInfo offers EU contractual safeguards through its DPA.
Yes in most cases. The combination of large scale processing of EU contact data, web sourcing and behavioural enrichment typically triggers Art. 35 GDPR DPIA obligations.
Sign the DPA and SCCs, gate WebSights behind your CMP, send Art. 14 notices on first contact, honour objection and erasure via internal suppression lists, document the lawful basis country by country, align retention with prospecting purpose, and update the privacy notice.
Alternatives include Apollo.io, Lusha, Cognism, Kaspr (France), Sales Navigator (LinkedIn), Clearbit, Hunter, RocketReach. EU based vendors (Cognism, Kaspr) provide stricter EU data sourcing and DSGVO friendly defaults.
Add a dedicated entry for ZoomInfo (controller of its database, processor for your CRM enrichment), list the categories of data, mention WebSights and FormComplete, US data transfers, retention, and the user rights to object and erasure.