Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
TestFreaks is a Swedish reviews aggregation and display platform that crawls product reviews from across the web, scores them, and surfaces them on merchant sites via an embedded widget. The widget sets analytics cookies that measure widget impressions, expansions and click-throughs. TestFreaks is hosted in the EU, so the main compliance task is to gate the analytics cookies behind a consent banner rather than to deal with international transfers.
TestFreaks is a Swedish reviews aggregation and display platform that crawls product reviews from publishers, retailers and editorial sources, normalises them, scores them, and exposes the result on merchant product pages through an embedded widget. The platform also offers post-purchase review collection workflows and a moderation interface for the merchant catalogue. The goal is to provide rich, fraud-resistant social proof that complements the merchant own reviews.
From a technical standpoint, TestFreaks is integrated by adding a JavaScript snippet that loads the widget on product pages, optionally combined with server-side calls for SEO-friendly content. The widget queries the TestFreaks back end for aggregated reviews, displays them inline, and emits behavioural events for visibility, expansion and click-through. TestFreaks infrastructure runs in the European Union (Sweden), which significantly simplifies the data transfer story compared with non-EU vendors.
The widget collects the product identifier on the page, the page URL, the timestamp, interaction events (impression, expansion, sort, click on a star or on an external source link), the IP address (typically truncated for analytics), the user agent and a widget-scoped identifier stored in cookies. Combined, these signals allow TestFreaks to measure widget performance, detect crawler abuse and improve merchandising recommendations.
Two cookie scopes are involved. First-party analytics cookies set on the merchant domain memorise an analytics identifier so that repeated views by the same visitor are not counted as new sessions. Third-party cookies on the testfreaks.com domain support widget telemetry and cross-merchant abuse detection. Both scopes carry personal data under GDPR even when the identifier is hashed, because reidentification of the same visitor across sessions is technically possible.
Under Article 5(3) ePrivacy, the analytics cookies set by the TestFreaks widget are not strictly necessary to display the reviews; they support measurement, not delivery. Prior, freely given, specific, informed and unambiguous consent is therefore required on EU-facing pages. The display of the aggregated reviews content itself, without behavioural cookies, can run on legitimate interest because it brings clear value to the consumer and does not significantly affect their privacy.
In GDPR terms, TestFreaks is a processor for the merchant on the moderated reviews of the merchant own customers and an independent or joint controller for the aggregation, scoring and anti-abuse models that operate on its broader dataset. A signed data processing agreement is mandatory, and the privacy notice must describe the categories of data collected by the widget, the purpose of each cookie and the retention periods applied by TestFreaks.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
TestFreaks is headquartered and hosted in Sweden, within the European Union, so the standard widget deployment does not trigger an Article 46 transfer assessment. Data stays under EU jurisdiction and benefits from the protections of national supervisory authorities. The merchant should still confirm with TestFreaks that subprocessors (CDN, observability, customer support) remain within the EEA or covered by adequacy decisions, and document this in the records of processing activities.
If the merchant subscribes to specific TestFreaks add-ons that route data through non-EU partners (for example, a sentiment analysis model hosted in the United States), that secondary flow has to be assessed on its own. In a default deployment, however, EU hosting is one of the main compliance advantages of TestFreaks compared with non-European review aggregators.
Because the data is moderate in volume and stays in the EU, a full DPIA is not always mandatory; a documented lightweight assessment is usually sufficient. The consent banner should expose an Analytics category that controls the TestFreaks widget cookies and any other measurement scripts, with a clear description and a reject button as prominent as accept. Reviews content can remain visible to non-consenting visitors, with measurement disabled.
Concretely: block the analytics cookies of the TestFreaks widget until consent is granted, configure the snippet so that aggregated review content is still rendered without measurement, sign the data processing agreement, list TestFreaks in the cookie table and the privacy notice, and reference the EU hosting in your transfers section. If your stack requires alternatives, Trustpilot, Bazaarvoice (with EU residency), Yotpo (with EU options), Reviews.io, eKomi and Avis Verifies are reasonable comparable services to consider.
Websites using TestFreaks must obtain user consent under GDPR regulations.
DPIA considerations
A targeted assessment, rather than a full DPIA, is usually sufficient. Risk is medium because data stays in the EU and the widget does not target sensitive categories. Document the cookies set by the widget, the data shared with TestFreaks (page URL, product identifier, interaction events, hashed user ID), the retention period, the joint controller status for review moderation, and the impact of declining analytics on the widget behaviour.
Sample consent text
We display product reviews aggregated by TestFreaks, a Swedish provider hosted in the EU. The reviews widget sets analytics cookies that help us measure how reviews are displayed and read. These cookies are not strictly necessary, so they are only activated if you click Accept. You can Reject them or change your choice at any time from the cookie preferences page.
Third-party domains contacted
testfreaks.comjs.testfreaks.comapi.testfreaks.comcdn.testfreaks.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tf_uid | Analytics | 12 months | First-party analytics identifier used to deduplicate visitors viewing the TestFreaks reviews widget. |
| tf_sess | Analytics | Session | Session identifier scoped to widget interactions on the current visit. |
| tf_consent | Functional | 12 months | Stores the user choice regarding TestFreaks analytics cookies so the preference persists across pages. |
| tf_widget_state | Functional | 6 months | Remembers widget UI state such as expanded sections and sort order chosen by the visitor. |
TestFreaks uses cookies for user preferences — inform visitors with a consent banner.
The widget sets a first-party analytics identifier (tf_uid), a session-scoped analytics cookie (tf_sess), a functional consent state cookie (tf_consent), and a functional widget state cookie (tf_widget_state). Analytics cookies must be blocked until the visitor opts in; the consent state cookie itself can be set as soon as a choice is recorded.
Consent is required for the analytics cookies set by the widget. The reviews content itself can be shown without behavioural cookies on the basis of legitimate interest, since it brings clear value to the consumer. The compliant pattern is to render reviews even without consent and to enable measurement only after opt-in.
Display of aggregated reviews can rely on legitimate interest (Article 6(1)(f) GDPR). The analytics cookies set by the widget require consent (Article 6(1)(a) GDPR and Article 5(3) ePrivacy). Moderation of customer reviews collected on behalf of the merchant rests on performance of the contract and legitimate interest in fraud prevention.
In the standard deployment, no. TestFreaks operates from Sweden and hosts data inside the European Union. The merchant should still confirm that subprocessors (CDN, observability, support) stay in the EEA or under an adequacy decision, and reassess separately any optional add-on routed through non-EU partners.
A full DPIA is usually not required. The volume of personal data is moderate, the categories are not sensitive and processing stays within the EU. A documented lightweight assessment that maps cookies, data, purposes, retention and the joint controller boundary with TestFreaks is generally sufficient for the merchant accountability obligations.
Load the widget so that aggregated reviews render without analytics cookies by default, gate the tf_uid and tf_sess cookies behind a compliant consent banner with a clear Analytics category, sign the data processing agreement, list TestFreaks in the cookie table and the privacy notice, and mention Sweden and the EU as the hosting location.
Trustpilot, Bazaarvoice (with EU residency), Yotpo, Reviews.io, eKomi and Avis Verifies cover comparable use cases: aggregated reviews, post-purchase collection, moderation and merchandising widgets. The compliance picture varies with each vendor location and subprocessor choices, so any switch should be supported by a fresh transfer and cookie assessment.
Add a dedicated row in the cookie table for each TestFreaks cookie (tf_uid, tf_sess, tf_consent, tf_widget_state), with type, duration and purpose. In the third-party processors section, identify TestFreaks AB, mention Sweden as the hosting location and provide a link to the TestFreaks privacy policy. Update the table whenever the widget configuration changes.