Userpilot is a US based product adoption and user onboarding platform headquartered in Austin, Texas. SaaS companies install the Userpilot JavaScript snippet to identify logged in users, ship walkthroughs and tooltips, run NPS surveys, build resource centers and analyse feature adoption. The SDK sets first party cookies on the SaaS application and processes events on AWS US East, with EU residency in AWS Frankfurt available as a paid add on. Cookies and identifiers require consent in the EU.
Userpilot is a product adoption platform incorporated as Userpilot Inc. in Austin, Texas. SaaS companies install the Userpilot JavaScript SDK in their application to deliver onboarding walkthroughs, tooltips, modals, banners, resource centers, NPS surveys and feature adoption analytics. Product teams configure user segments based on attributes (plan, MRR, persona) and events (signed up, completed onboarding) and ship in app experiences targeted at those segments.
The Userpilot SDK writes first party cookies on the SaaS application (userpilot_visitor, userpilot_session) and a localStorage object that stores the Userpilot user ID, company ID, segments and the in app experiences already shown. The SDK transmits identify and track payloads (user attributes, events, screen) to api.userpilot.io. NPS responses, including free text, are stored on the same backend.
The Userpilot cookies and localStorage identifiers are not strictly necessary to deliver the SaaS service the customer pays for, so Art. 5(3) ePrivacy requires prior consent in the EU even for authenticated B2B users. The behavioural analytics processing can usually be grounded on B2B legitimate interest, with a documented LIA and a right to object. NPS surveys with free text fields should also be reviewed for sensitive content.
By default Userpilot processes EU customer data on AWS US East. EU residency on AWS Frankfurt is available as an enterprise add on. Engineering teams in Egypt and the UK may access data under contract. The Userpilot DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and the UK IDTA, and Userpilot is self certified under the EU US Data Privacy Framework.
Sign the Userpilot DPA, request EU residency if your plan allows it, gate the SDK behind a product analytics toggle in user settings or a CMP, list Userpilot in your privacy notice and Article 30 record, complete a DPIA covering NPS and in app nudges, document the US transfer with SCCs and DPF and offer customers a clear way to object to in app messages.
Websites using Userpilot must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Userpilot is used at scale because it combines behavioural analytics, in app messaging, profile based segmentation and NPS feedback. The DPIA should cover cookies, free text NPS responses, the international transfer to the US and the right to object to in app nudges.
Sample consent text
We use Userpilot (Userpilot Inc., United States) to onboard new users, deliver walkthroughs and surveys and analyse feature adoption. Userpilot sets first party analytics cookies in our app and processes events on AWS US East. International transfers are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
userpilot.io
js.userpilot.io
api.userpilot.io
app.userpilot.io

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| userpilot_visitor | first_party | 1 year | Userpilot long lived visitor identifier used to recognise the same user across visits and to attribute events to the right Userpilot contact. |
| userpilot_session | first_party | 30 minutes | Userpilot session identifier used to mark which onboarding session the current page view belongs to. |
| Userpilot.userId | first_party | Persistent (localStorage) | localStorage key holding the Userpilot user identifier for the logged in SaaS user, used to deliver targeted in app experiences. |
| Userpilot.completedFlows | first_party | Persistent (localStorage) | localStorage object tracking which onboarding flows the user has already completed or dismissed to avoid showing them again. |
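
A pre-consent check built from the domains, cookies and localStorage keys listed above, as an added example (not Userpilot or FlowConsent code): given a snapshot of requests, the cookie string and the storage keys captured before the user has consented, it reports anything Userpilot-related that should not be there yet. The snapshot shape, the function names and the sample values are assumptions made for illustration.

```javascript
// Names below are taken from the domain list and cookie table on this page.
const USERPILOT_DOMAIN = "userpilot.io"; // also covers js., api. and app. subdomains
const USERPILOT_COOKIES = ["userpilot_visitor", "userpilot_session"];
const USERPILOT_STORAGE_KEYS = ["Userpilot.userId", "Userpilot.completedFlows"];

// True for userpilot.io and any subdomain, but not for look-alikes such as
// "notuserpilot.io" or "userpilot.io.example.com".
function isUserpilotHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === USERPILOT_DOMAIN || h.endsWith("." + USERPILOT_DOMAIN);
}

// Parse a document.cookie style string ("a=1; b=2") into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// snapshot (assumed shape): { requests: string[], cookies: string, storageKeys: string[] }
// Returns one finding per pre-consent violation; an empty list means the gate works.
function auditPreConsent(snapshot) {
  const findings = [];
  for (const url of snapshot.requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip relative or malformed URLs
    if (isUserpilotHost(host)) findings.push({ type: "request", value: url });
  }
  for (const name of cookieNames(snapshot.cookies)) {
    if (USERPILOT_COOKIES.includes(name)) findings.push({ type: "cookie", value: name });
  }
  for (const key of snapshot.storageKeys) {
    if (USERPILOT_STORAGE_KEYS.includes(key)) findings.push({ type: "localStorage", value: key });
  }
  return findings;
}

// Constructed sample: a session observed before the consent banner was answered.
const sampleSnapshot = {
  requests: ["https://app.example.com/", "https://js.userpilot.io/constructed.js", "https://notuserpilot.io/x"],
  cookies: "session_id=abc123; userpilot_visitor=constructed-value",
  storageKeys: ["theme", "Userpilot.userId"],
};
console.log(auditPreConsent(sampleSnapshot));
```

In a browser test the snapshot can be filled from the recorded network log, `document.cookie` and `Object.keys(localStorage)` before any consent interaction.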
The Userpilot SDK writes first party cookies on the SaaS application (userpilot_visitor, userpilot_session) and a localStorage object that stores the Userpilot user ID, company ID, segment membership and the in app experiences already shown to the user.
Yes for the cookies and localStorage identifiers under Art. 5(3) ePrivacy, even for authenticated B2B users. The behavioural analytics processing can be supported by B2B legitimate interest with a documented LIA. NPS free text fields may also need an explicit warning.
Legitimate interest (Art. 6(1)(f) GDPR) for product analytics on authenticated B2B users with a documented LIA. Consent (Art. 6(1)(a) and Art. 5(3) ePrivacy) for cookies and localStorage. Contract performance (Art. 6(1)(b)) for onboarding flows directly required to use the SaaS.
Yes. By default Userpilot processes EU customer data on AWS US East. EU residency on AWS Frankfurt is available as an enterprise add on. Engineering teams in Egypt and the UK may access data under contract. Transfers are covered by the EU SCCs, the UK IDTA and the EU US Data Privacy Framework.
Yes when Userpilot is used at scale, because it combines systematic monitoring, profiling and automated in app nudges. The DPIA should cover cookies, NPS free text, the US transfer and the right to object to in app experiences.
Sign the Userpilot DPA, request EU residency if your plan allows it, gate the SDK behind a product analytics toggle, list Userpilot in your privacy notice and Article 30 record, complete a DPIA, document the US transfer with SCCs and DPF and offer a clear opt out for in app messages.
Alternatives include Appcues (US with DPF), Pendo (US with EU residency, see our dedicated page), Chameleon (US), WalkMe (US with EU residency), Whatfix (India and US), Userflow (Denmark, EU friendly), Userlist and Customer.io for messaging based onboarding.
List the userpilot_visitor and userpilot_session cookies and the localStorage object in your cookie policy under product analytics. In your privacy notice describe Userpilot as your onboarding and product analytics processor, the US storage on AWS, the SCCs and DPF, the EU residency option and the customer's right to object to profiling.