ConvertBox is a conversion optimisation platform that displays targeted opt in forms, surveys and call to action pop ups, using first party cookies for visitor segmentation, A/B testing and frequency capping.
ConvertBox is a SaaS conversion optimisation tool that displays targeted opt in forms, quizzes, surveys and call to action pop ups on websites. Marketing teams use it to grow email lists, qualify leads and run A/B tests. The product is operated by ConvertBox LLC, a US company based in Texas, and hosted on US cloud infrastructure.
The ConvertBox script writes first party cookies (typically a visitor id, a session id and segmentation flags) so it can recognise returning visitors, run A/B variants and cap the frequency of pop ups. It also collects IP address, referrer, pages viewed, the segments a visitor matches and any form submissions. When a visitor submits a form, identifiers such as email address are passed to email service providers like MailChimp or ActiveCampaign.
Because the cookies are not strictly necessary to deliver a service requested by the user, Article 5(3) of the ePrivacy Directive requires prior, informed consent before they are placed. The behavioural segmentation also constitutes profiling under GDPR Article 4(4), so the appropriate legal basis under Article 6 is consent (6(1)(a)). Information must meet the transparency requirements of Articles 12 to 14 and consent must satisfy Article 7.
ConvertBox processes data in the United States, so any deployment on an EU or UK site triggers Chapter V of the GDPR (Articles 44 to 49). Controllers must rely on a valid transfer mechanism, either the EU-US Data Privacy Framework if ConvertBox is certified, or Standard Contractual Clauses combined with a transfer impact assessment and supplementary safeguards.
Gate the ConvertBox script behind your consent management platform so it only fires after the visitor accepts marketing or personalisation cookies. Sign a data processing agreement with ConvertBox LLC, document the transfer mechanism in your record of processing, list the cookies in your cookie policy and provide a working withdrawal mechanism so visitors can change their mind at any time.
Websites using ConvertBox must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when ConvertBox is combined with email capture, behavioural segmentation across pages, or integration with marketing automation. Document the categories of data, the segmentation logic, retention periods, the US transfer mechanism (SCCs or EU-US DPF) and the consent flow that gates the script.
Sample consent text
We use ConvertBox to show personalised forms and offers, measure how visitors interact with them and prevent repeat displays. This uses first party cookies and sends data to ConvertBox in the United States. You can accept, refuse or change your choice at any time.
Third-party domains contacted
- app.convertbox.com
- cdn.convertbox.com
- api.convertbox.com
- convertbox.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cb_visitor_id | first_party | 1 year | Persistent visitor identifier used to recognise returning visitors, attribute them to segments and prevent the same pop up from being shown repeatedly. |
| cb_session | first_party | 30 minutes | Short lived session identifier used to track the current visit and apply per session frequency rules. |
| cb_segment | first_party | 1 year | Stores the segments a visitor matches (for example new vs returning, country, page rules) so the correct form or pop up variant is shown. |
| cb_ab | first_party | 6 months | Stores the A/B variant assigned to the visitor so the same variant is shown consistently across visits during a running experiment. |
ConvertBox uses cookies for user preferences — inform visitors with a consent banner.
ConvertBox sets first party cookies in your domain, typically a long lived visitor identifier, a short session identifier and one or more flags that store the segment a visitor matched or the A/B variant they were shown. The exact names depend on your account and configuration, but they are written by the embed script, not by a third party.
Yes. The cookies are used for behavioural segmentation, A/B testing and frequency capping, which are not strictly necessary to deliver content the visitor requested. Article 5(3) of the ePrivacy Directive and Article 6(1)(a) of the GDPR require prior, freely given, specific and informed consent before the script can run.
Consent under Article 6(1)(a) is the right basis. Legitimate interests (Article 6(1)(f)) is generally not suitable because ConvertBox builds visitor segments and influences what is shown, which qualifies as profiling under Article 4(4) and is unlikely to pass a balancing test in a marketing context.
ConvertBox LLC is based in Texas and hosts data in the United States. Any deployment on EU, EEA or UK websites involves a Chapter V transfer. You must rely on the EU-US Data Privacy Framework if ConvertBox is certified, or on Standard Contractual Clauses with a documented transfer impact assessment and supplementary measures.
A formal DPIA is not automatically required, but it is strongly recommended when ConvertBox is used together with email capture, multi page tracking, integration with marketing automation or large scale segmentation. Document the data flows, US transfer mechanism, retention periods and the consent gate that controls the script.
Place the ConvertBox embed code behind a consent management platform so it only loads after the visitor accepts personalisation or marketing cookies. Configure the script as a blocked vendor by default, declare the first party cookies in your cookie notice and respect choices through the platform's API for change and withdrawal.
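As an added example (not ConvertBox's or any consent platform's own code), a consent gate in JavaScript for the setup described here and in the earlier recommendation to gate the script. The embed URL path, the consent category keys and the `cmp:consent-changed` event name are placeholders; the cookie names are the ones listed in the table above.

```javascript
// Added example, not ConvertBox or CMP vendor code.
// EMBED_SRC path is a placeholder: use the embed URL from your own account.
const EMBED_SRC = "https://cdn.convertbox.com/EMBED-PLACEHOLDER.js";
// Cookie names as listed in this page's table; confirm them on your own site.
const CB_COOKIES = ["cb_visitor_id", "cb_session", "cb_segment", "cb_ab"];
// Hypothetical CMP category keys; either one unlocks the script.
const UNLOCKING_CATEGORIES = ["marketing", "personalisation"];

function createConvertBoxGate(doc, embedSrc = EMBED_SRC) {
  let scriptEl = null; // blocked by default: nothing injected before consent

  function load() {
    if (scriptEl) return; // never inject the embed twice
    scriptEl = doc.createElement("script");
    scriptEl.src = embedSrc;
    scriptEl.async = true;
    doc.head.appendChild(scriptEl);
  }

  function block() {
    if (scriptEl) {
      scriptEl.remove(); // does not stop code that already ran
      scriptEl = null;
    }
    // Expire the cookies, including any left from before the gate existed.
    // Assumes they were set host-only with Path=/.
    for (const name of CB_COOKIES) {
      doc.cookie = `${name}=; Max-Age=0; Path=/`;
    }
  }

  // Call with the CMP's current state, e.g. { marketing: true }.
  return function onConsentChange(consent) {
    const granted = UNLOCKING_CATEGORIES.some(
      (k) => Boolean(consent) && consent[k] === true
    );
    if (granted) {
      load();
      return "loaded";
    }
    block();
    return "blocked";
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const applyConsent = createConvertBoxGate(document);
  applyConsent({}); // state before the visitor has chosen
  // Hypothetical event name; use your platform's consent-change callback.
  window.addEventListener("cmp:consent-changed", (e) => applyConsent(e.detail));
}
```

Removing the script tag does not unload code that has already executed, so reload the page after a withdrawal to stop the running embed.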
Comparable tools include OptinMonster, Sumo, Thrive Leads, Poptin and Klaviyo onsite forms. From a privacy standpoint they raise the same issues because they all rely on cookies, segmentation and, in most cases, US hosting. The compliant choice depends less on the vendor and more on how you gate the script and inform users.
List ConvertBox as a personalisation and conversion optimisation vendor, name the first party cookies it sets, describe their purpose and duration, identify ConvertBox LLC as the processor, mention the United States as the destination country and link to ConvertBox's privacy policy. Explain how users can withdraw consent.