Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Whatfix is a digital adoption platform (DAP) headquartered in Bangalore, India, with EU and US subsidiaries, that overlays interactive walkthroughs, tooltips, beacons, task lists and in app surveys on enterprise and SaaS web applications. The Whatfix Editor and Player scripts load from whatfix.com and set first party cookies and localStorage on the host application. Data is processed on AWS Mumbai by default, with EU data residency on AWS Frankfurt as a paid enterprise option.
Whatfix is a digital adoption platform (DAP) headquartered in Bangalore, India, with regional subsidiaries in the United States, Germany, the United Kingdom and Australia. Enterprise customers and SaaS vendors install Whatfix on their web application or HRIS, CRM, ERP or HCM system to deliver interactive walkthroughs, tooltips, smart tips, beacons, task lists and in app surveys. Whatfix competes with WalkMe (US/EU), Pendo (US/EU), Userpilot (US), Appcues (US) and Userflow (Denmark).
The Whatfix Editor and Player scripts loaded from cdn.whatfix.com write first party cookies on the host application (wfx_user, wfx_session, wfx_progress) and localStorage entries storing the user identifier, the company identifier, the completed walkthroughs and event queues. The SDK transmits identify and track payloads to api.whatfix.com. Free text survey answers, beacon clicks and walkthrough completion data are stored in the Whatfix backend.
The Whatfix cookies and localStorage identifiers are not strictly necessary to deliver the application the customer paid for, so Art. 5(3) ePrivacy requires prior consent in the EU. The behavioural analytics can usually be grounded on B2B legitimate interest with a documented LIA. Free text in app surveys must be designed to avoid collecting special category data.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
By default, Whatfix processes EU customer data on AWS Mumbai. EU data residency on AWS Frankfurt is available as an enterprise add on. India is not covered by an EU adequacy decision. The Whatfix DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and the UK IDTA, and references compliance with India''s Digital Personal Data Protection Act, 2023. A Transfer Impact Assessment should evaluate Indian access laws and the residual risk.
Sign the Whatfix DPA, request EU data residency for EU customers, gate the SDK behind a product analytics toggle, list Whatfix in your privacy notice and Article 30 record, complete a DPIA covering surveys and in app nudges, document the India transfer with SCCs and TIA and ensure customers can object to in app guidance and survey prompts.
Websites using Whatfix must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Whatfix is deployed at enterprise scale because it combines behavioural analytics, walkthrough completion tracking, in app surveys and automated nudges across a large user base. The DPIA should cover cookies and localStorage, free text survey responses, the international transfer to India and the right to object to in app guidance.
Sample consent text
We use Whatfix (Whatfix Inc., India, with EU subsidiaries) to deliver in app walkthroughs, beacons and surveys and to measure feature adoption. Whatfix sets first party analytics cookies in our application and processes events on AWS Mumbai, with EU data residency on AWS Frankfurt for enterprise customers. International transfers are covered by Standard Contractual Clauses.
Third-party domains contacted
whatfix.comcdn.whatfix.comapi.whatfix.comapp.whatfix.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wfx_user | first_party | 1 year | Whatfix long lived user identifier used to recognise the same SaaS user across visits and to attribute walkthrough completions to the right contact. |
| wfx_session | first_party | 30 minutes | Whatfix session identifier used to mark which adoption session the current page view belongs to. |
| wfx_progress | first_party | 6 months | Walkthrough progress cookie used by Whatfix to remember which steps and flows the user has already completed and not show them again. |
| Whatfix.userId | first_party | Persistent (localStorage) | localStorage key holding the Whatfix user identifier for the logged in SaaS user used to target in app experiences. |
| Whatfix.eventQueue | first_party | Persistent (localStorage) | Offline event queue stored in localStorage; flushed to api.whatfix.com when the user is online again. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
The Whatfix Editor and Player scripts write first party cookies on the host application: wfx_user (long lived user identifier), wfx_session (session identifier), wfx_progress (walkthrough completion tracker) plus localStorage entries with the user ID, company ID, completed flows and event queues.
Yes for the cookies and localStorage identifiers under Art. 5(3) ePrivacy, even for authenticated B2B users. The behavioural analytics processing can be supported by B2B legitimate interest with a documented LIA. Free text in app surveys should also have a clear consent notice.
Legitimate interest (Art. 6(1)(f) GDPR) for digital adoption analytics on authenticated B2B users with a documented LIA. Consent (Art. 6(1)(a) and Art. 5(3) ePrivacy) for cookies and localStorage. Contract performance (Art. 6(1)(b)) for guided flows that are directly needed for the application.
Yes. By default Whatfix processes EU customer data on AWS Mumbai. EU data residency on AWS Frankfurt is available as an enterprise add on. India is not covered by an EU adequacy decision. Transfers are covered by the EU SCCs, the UK IDTA and references to India's DPDP Act 2023.
Yes at enterprise scale. Whatfix involves systematic monitoring, profiling, automated in app nudges and an international transfer to India, which together meet at least two of the Art. 35 GDPR criteria. The DPIA should cover cookies, surveys, nudges and transfers.
Sign the Whatfix DPA, request EU residency on AWS Frankfurt for EU customers, gate the SDK behind a product analytics toggle, list Whatfix in your privacy notice and Article 30 record, document the India transfer with SCCs and TIA, complete a DPIA covering surveys and in app guidance and ensure customers can opt out of in app guidance.
EU friendly alternatives include Userflow (Denmark), Userlane (Germany), Userpilot (US with EU friendly setup), Appcues (US with DPF), Pendo (US with EU residency), Chameleon (US) and WalkMe (US with EU residency). For very specific enterprise SaaS, Salesforce In App Guidance and Microsoft Viva Insights cover some of the same use cases.
List the wfx_user, wfx_session and wfx_progress cookies and the Whatfix localStorage in your cookie policy under product analytics. In your privacy notice describe Whatfix as your digital adoption processor, the India and EU processing, the SCCs, the EU residency option and the customer's right to object to in app nudges and to free text surveys.