Appcues is a no-code product adoption and user onboarding platform that displays in-app modals, tooltips, checklists and slideouts to help users discover features, while tracking interactions for product analytics.
Appcues is a product adoption platform widely used by SaaS companies to design in-app guides, onboarding tours, surveys, and feature announcements without engineering effort. It is delivered as a JavaScript SDK that runs inside the host application, fires events to the Appcues backend, and renders custom UI based on segmentation rules.
The Appcues SDK is loaded with a small script tag from fast.appcues.com. It identifies the logged-in user via the identify call you implement (Appcues.identify(userId, properties)), tracks events, evaluates targeting rules client-side, and displays flows like modals, tooltips, hotspots, checklists, surveys, and slideouts. Results are sent back to the Appcues backend for analytics and goal tracking.
Appcues sets first-party identifiers in localStorage (appcues:user_id, appcues:session_id, appcues:state) and an _aciid cookie used for anonymous identification before the user logs in. Server-side, Appcues receives the user ID and properties you pass in identify, every event you track, the user agent, the IP, the page URL, and the timestamp.
User IDs and event metadata are personal data. Appcues acts as a processor under your DPA. The SDK writes storage and identifiers that are not strictly necessary, so Article 5(3) of the ePrivacy Directive requires prior consent for the tracking and analytics part. A narrow legitimate interest argument can be made for purely strictly necessary onboarding flows that block a feature until completed, but the safe default is consent.
Appcues is hosted on AWS in the United States. Transfers can rely on the EU-US Data Privacy Framework if Appcues remains certified, otherwise on Standard Contractual Clauses combined with a Transfer Impact Assessment. Enterprise customers can request EU residency, which routes traffic and storage through AWS EU regions.
Sign the DPA, decide on EU residency if your audience justifies it, and disable Appcues until consent is captured. Minimise the user properties you pass: do not send special category data, restrict identifiers, and prefer hashed user IDs. Document the integration in your record of processing activities and explain Appcues in your privacy notice as a product adoption tool.
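One way to keep the SDK disabled until consent and to minimise what identify receives, as an added example that is not Appcues' or this page's own code. The account ID placeholder, the `product_experience` consent key, the property allow-list and the `pseudonymousId` field (a user ID hashed server-side) are assumptions; the document, storage and window objects are passed in so the gate can be exercised outside a browser.

```javascript
// Added example: consent gate for the Appcues SDK (not Appcues' own code).
// Storage keys and cookie name are the ones listed on this page.
const APPCUES_STORAGE_KEYS = ["appcues:user_id", "appcues:session_id", "appcues:state"];
const APPCUES_COOKIE = "_aciid";
// Assumption: the only user properties your targeting rules actually need.
const ALLOWED_PROPERTIES = ["plan", "locale"];

// Copy only allow-listed properties; anything else (email, role, ...) is dropped.
function minimiseProperties(props, allowList = ALLOWED_PROPERTIES) {
  const out = {};
  for (const key of allowList) {
    if (Object.prototype.hasOwnProperty.call(props, key)) out[key] = props[key];
  }
  return out;
}

// Best-effort cleanup when consent is absent or withdrawn. A cookie set with a
// different path or domain needs matching attributes to be expired, and an SDK
// that is already running keeps running until the page is reloaded.
function purgeAppcuesIdentifiers(storage, doc) {
  for (const key of APPCUES_STORAGE_KEYS) storage.removeItem(key);
  doc.cookie = `${APPCUES_COOKIE}=; Max-Age=0; path=/`;
}

function createAppcuesGate({ accountId, doc, storage, win }) {
  let loaded = false;
  return {
    // Call on page load and from the consent banner's change callback.
    onConsentChange(consent, user) {
      if (consent.product_experience !== true) {
        purgeAppcuesIdentifiers(storage, doc);
        return "blocked";
      }
      if (loaded) return "already-loaded";
      const script = doc.createElement("script");
      // Assumption: script path is the account ID; use the URL from your install snippet.
      script.src = `https://fast.appcues.com/${accountId}.js`;
      script.async = true;
      // Identify only with the pseudonymous ID and the minimised properties.
      script.onload = () =>
        win.Appcues.identify(user.pseudonymousId, minimiseProperties(user.properties));
      doc.head.appendChild(script);
      loaded = true;
      return "loaded";
    },
  };
}
```

In a browser, create the gate with `document`, `localStorage` and `window`, and make sure no static Appcues script tag remains in the page template, otherwise the SDK loads before the gate runs.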
Websites using Appcues must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Appcues tracks logged-in users at scale, especially when user properties include sensitive attributes (plan, role, behaviour patterns). Document the SDK identifiers, retention, the EU-US Data Privacy Framework or SCC mechanism, and any EU residency arrangement obtained from Appcues.
Sample consent text
We use Appcues to guide you through new features and to measure how our product is used. Appcues sets identifiers in your browser and processes interactions on its servers in the United States. We only activate it after you accept the product experience category in our cookie banner.
Third-party domains contacted
fast.appcues.com
api.appcues.net
events.appcues.com
statics.appcues.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _aciid | http_cookie | 1 year | Anonymous Appcues identifier used to track a visitor before they are logged in or identified. |
| appcues:user_id | localStorage | Persistent until cleared | Stores the user ID provided to Appcues.identify so the SDK can match the visitor to their profile. |
| appcues:session_id | localStorage | Session | Stores the current Appcues session identifier used to group events. |
| appcues:state | localStorage | Persistent until cleared | Stores in-progress flow state (which step the user is on, dismissed flows, etc.). |

Appcues mostly stores identifiers in localStorage (appcues:user_id, appcues:session_id, appcues:state) and may set an _aciid cookie for anonymous tracking before login. Storage entries can persist for years unless cleared.
Yes for the analytics and personalisation parts. The SDK writes identifiers that are not strictly necessary, so prior consent is required under Article 5(3) of the ePrivacy Directive. A narrow legitimate interest argument may cover purely strictly necessary onboarding flows.
Consent under Article 6(1)(a) GDPR for analytics and personalisation. Legitimate interest (Article 6(1)(f)) can be considered only for in-app flows that are strictly necessary to deliver the product, with a documented balancing test.
Yes. Appcues is hosted in the United States on AWS by default. Transfers can rely on the EU-US Data Privacy Framework or on SCCs with a TIA. Enterprise plans can include EU residency on request.
A DPIA is recommended at scale or when user properties include sensitive attributes. Document the SDK identifiers, retention, US transfer mechanism, and the proportionality of using Appcues compared with self-hosted alternatives.
Sign the DPA, configure EU residency if available, gate the SDK behind consent, minimise user properties, never send special category data, and disclose Appcues in your privacy notice with retention and recipients.
Alternatives include Userflow, Userpilot, Chameleon, Pendo, Intro.js, Shepherd.js for open-source tour flows, and Reactflow. Some of them offer EU hosting by default.
Add an Appcues entry listing the localStorage keys and the _aciid cookie, with their purpose and lifetime. Mention the US transfer mechanism and the role of Appcues as a processor. Link to the Appcues privacy policy.