ThingPark Enterprise is a LoRaWAN network server developed by Actility, a French company headquartered in Paris that is one of the leading vendors in the low power wide area network ecosystem. The platform manages LoRaWAN gateways and end devices, handles MAC layer operations, secures payloads with AES 128 encryption and forwards application data to customer systems via MQTT, HTTPS or AMQP integrations. ThingPark Enterprise is used in smart building, smart city, utilities, supply chain and industrial monitoring deployments and is offered as a SaaS service, a private cloud appliance or fully on premise.
ThingPark Enterprise is the LoRaWAN network server (LNS) developed by Actility, a French company that has pioneered carrier-grade LoRaWAN since 2010. The platform performs the core LNS functions: gateway provisioning, frame deduplication, MAC commands, adaptive data rate, the OTAA join procedure and forwarding of decrypted application payloads to the customer's business systems. It also offers a web console (ThingPark UI), a Network and Operations Centre, an Application Server (ThingPark X) and a Device Manager. ThingPark Enterprise is deployed at thousands of industrial sites worldwide, often through Actility partners such as Inmarsat, Orange Business or Tata Communications.
On the operator side, the ThingPark portal sets technical cookies for authentication, anti CSRF protection and session continuity, plus optional analytics cookies. On the network side the platform processes device identifiers (DevEUI, JoinEUI, DevAddr), gateway identifiers and location, signal metrics (RSSI, SNR), join requests and encrypted application payloads. Payloads are decrypted with the AppSKey before forwarding to the application server defined by the customer. Metadata such as gateway GPS coordinates and RSSI can in some scenarios be used to derive end device location.
Whether GDPR applies depends on the use case. Industrial telemetry from anonymous sensors usually does not involve personal data, but smart building, smart metering or worker tracking deployments clearly do. Actility acts as a processor on behalf of the customer for telemetry and as controller for portal accounts. ePrivacy applies to the operator portal cookies, which must follow the usual consent rules for analytics, and to any localisation data that can identify a subscriber.
Consent is required for non essential cookies on the operator portal and for any IoT use case where the controller cannot rely on contract or legitimate interest, for example workplace monitoring or geolocation of employees. For most B2B asset monitoring the legal basis is contract or legitimate interest, supported by transparency notices and an information security baseline.
The Actility ThingPark SaaS is hosted primarily in France and other EU regions. Customers can also subscribe to a global ThingPark instance or operate behind partner networks (Inmarsat, KPN, Tata, Senet) that may route data through non EEA regions. Customers commonly forward decoded payloads to AWS, Microsoft Azure or Google Cloud application backends, including non European regions. Standard Contractual Clauses, the EU US Data Privacy Framework and a transfer impact assessment are therefore essential.
Sign the Actility data processing agreement, choose an EU region, document gateway and device categories in the record of processing activities, configure short retention windows in ThingPark and offload long term storage to your own systems, restrict portal access through SSO and RBAC, perform a DPIA for any high risk use case (worker tracking, smart metering, public lighting), and pair ThingPark with NIS2 grade incident response procedures.
Websites using ThingPark Enterprise must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when ThingPark Enterprise is used to monitor assets that can be linked to identifiable individuals (employee badges, occupancy sensors in workspaces, smart metering at household level, vehicle telematics). Risk areas include device EUI as quasi identifier, location of gateways revealing presence, retention of device payloads on the network server, sub processing by Actility and onward transfers to third country application servers configured by the customer.
Sample consent text
For our operator portal we use ThingPark Enterprise by Actility, a French network server for LoRaWAN. The portal sets technical session cookies that are strictly necessary for login. Optional analytics cookies are only loaded after you accept. Device telemetry processed by the platform is governed by our IoT data processing notice, which describes purposes, retention periods and recipients.
Third-party domains contacted
thingpark.com, thingpark.io, actility.com, tpe-prd.thingpark.com, api.thingpark.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| JSESSIONID | session | session | Java application session identifier used by the ThingPark operator portal to maintain a logged in user session. |
| XSRF-TOKEN | session | session | Anti CSRF token used to protect ThingPark portal forms and API calls from cross site request forgery. |
| tp_lang | preference | 1 year | Stores the preferred user interface language selected in the ThingPark operator portal. |
| _pk_id / _pk_ses (Matomo) | analytics | _pk_id: 13 months, _pk_ses: 30 minutes | Optional anonymised analytics for the operator portal when the operator enables the embedded Matomo instance. Disabled by default. |
The ThingPark operator portal sets technical session cookies (JSESSIONID, XSRF-TOKEN) and language preferences. Optional analytics cookies (Matomo or similar) can be enabled by the operator. The network server itself does not interact with end user browsers, so no cookies are set on devices.
Consent is required for non essential analytics cookies on the operator portal and for IoT use cases involving identifiable individuals (workplace monitoring, smart metering, employee tracking) when no other legal basis applies. Strictly necessary session cookies and B2B asset telemetry do not require consent.
Contractual necessity for the operator portal and for delivering the LoRaWAN service. Legitimate interest for asset monitoring with no link to individuals. Consent for analytics cookies on the portal and for high risk IoT scenarios.
Actility hosts the EU ThingPark SaaS in France and other EU regions. Customers using the global instance or partner networks (Inmarsat, KPN, Tata, Senet) may have data routed via non EEA regions. Customers also frequently forward decoded payloads to AWS, Azure or Google Cloud regions outside the EU.
A DPIA is required for any deployment that can identify individuals or that operates in high risk areas such as workplace monitoring, smart metering at the household level, vehicle telematics or public lighting linked to occupancy. Industrial B2B telemetry typically does not require one.
Sign the Actility DPA, pick an EU region, restrict portal access through SSO and RBAC, configure short payload retention, disable optional analytics by default, document gateways and devices in the record of processing activities and align operations with NIS2 incident response.
Alternatives include open source LNS such as ChirpStack, commercial offerings like Loriot, The Things Industries, Senet, Kerlink Wanesy and the integrated stacks of MNO operators (Orange, KPN, Comcast). Choice depends on scale, sovereignty needs and feature requirements.
List the strictly necessary session cookies (JSESSIONID, XSRF-TOKEN) on the operator portal, the optional analytics cookies if enabled, and any third party service integrated into the portal (Intercom, Hubspot, support tools). Include a brief reference to the IoT data processing notice that covers device telemetry.