First party identity resolution and server side tracking platform that helps advertisers maintain attribution and audience matching after the deprecation of third party cookies and the ITP / ETP restrictions on Safari and Firefox.
AdFixus is a first party identity resolution and server side tracking platform. It deploys a short JavaScript snippet plus a server side endpoint that runs on the website's own domain, identifies returning visitors, links events into a unified profile and forwards conversion data to advertising platforms (Meta CAPI, Google Enhanced Conversions, TikTok Events API, LinkedIn CAPI, Snap CAPI).
AdFixus sets first party cookies on the merchant domain, hashes signals such as email, phone, IP and user agent for identity matching, and processes event timestamps, URLs, referrers and conversion values. Hashed identifiers are sent server side to advertising APIs along with the consent state.
Although AdFixus uses first party cookies, Article 5(3) ePrivacy still applies if those cookies are used for advertising or non strictly necessary purposes. The CNIL has clarified in its 2023 guidance that being first party does not exempt a tracker from consent when it serves marketing or behavioural analytics. Hashed personal data remains personal data under EDPB and CJEU rulings.
Block the AdFixus SDK and the server side proxy until prior consent. The consent state must be propagated to AdFixus and to every downstream Conversions API; otherwise advertising platforms must be configured to ignore the event. Use Google Consent Mode v2 and the IAB TCF v2.2 signals to forward consent.
AdFixus is an Australian / global vendor with regional endpoints. Even when you host the proxy in the EU, downstream Conversions APIs are typically in the United States. Document these transfers, ensure SCCs or the EU-US Data Privacy Framework apply, and re-evaluate when partners change.
Run a DPIA, sign the AdFixus DPA, deploy the server side proxy on an EU subdomain, integrate Google Consent Mode v2 and IAB TCF v2.2, define the precise list of events forwarded, restrict admin access, set short retention for raw events, document each downstream Conversions API, and review the setup whenever you add a new advertising partner.
Websites using AdFixus must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because identity stitching across sessions, devices and channels constitutes systematic and large scale profiling under Article 35(3)(a) GDPR. Cover the legal basis for matching identifiers, the data shared via Conversions API, retention periods and the partner chain.
Sample consent text
With your consent we use AdFixus to recognise you when you come back, link your interactions across our pages and securely send conversion events to advertising platforms (Meta, Google, TikTok, LinkedIn, Snap). You can withdraw consent at any time.
Third-party domains contacted
adfixus.com
cdn.adfixus.com
eu.adfixus.io
collect.adfixus.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| adfx_id | http | 13 months | First party pseudonymous identifier used to recognise the visitor across sessions and devices. |
| adfx_session | http | 30 minutes | Session identifier used to group events of the same visit. |
| adfx_consent | http | 6 months | Stores the consent state received from the CMP so AdFixus only triggers when allowed. |
| adfx_attrib | http | 30 days | Stores the first and last touch attribution data used for conversion API forwarding. |
| adfx_hash | http | 13 months | Stores a hashed personal identifier (email or phone) used for advanced matching with advertising APIs. |
AdFixus sets first party cookies on the merchant domain: adfx_id (pseudonymous visitor ID, 13 months), adfx_session (session ID, 30 min), adfx_consent (mirrored consent state), adfx_attrib (attribution data) and adfx_hash (hashed personal identifier for advanced matching).
Yes. AdFixus performs identity resolution and feeds advertising APIs, which is non essential under Article 5(3) ePrivacy. The CNIL explicitly confirmed in 2023 that first party trackers used for advertising or behavioural analytics require consent.
Article 6(1)(a) GDPR (consent) for behavioural identity resolution and Conversions API forwarding. Legitimate interest under Article 6(1)(f) is not sufficient given EDPB and CNIL positions on advertising and large scale profiling.
Yes. AdFixus has regional endpoints but its downstream Conversions APIs (Meta, Google, TikTok, LinkedIn, Snap) are mostly in the United States. Transfers must be covered by SCCs and the EU-US Data Privacy Framework, documented in your DPA.
Yes. Identity stitching across sessions, devices and channels is systematic large scale profiling and qualifies for DPIA under Article 35(3)(a) GDPR. The DPIA must cover the matching logic, hashing, Conversions API payloads, retention and partner chain.
Block the SDK and server side proxy before consent, host the proxy on an EU subdomain, integrate Consent Mode v2 and TCF v2.2, limit the event list, restrict admin access, define short retention, sign the DPA and review the configuration after every new downstream API.
Other first party / server side tracking solutions include Stape, Addingwell, Jentis, Tealium iQ, Snowplow, RudderStack, Segment / Twilio Segment, Tag Manager 360 server containers and Aimerce. EU based vendors reduce transfer risk.
List AdFixus as a processor, describe the first party cookies it sets, the purposes (identity resolution, conversion measurement, advertising attribution), the retention periods, the downstream Conversions APIs and refresh the entry whenever a new advertising integration is enabled.