Autopilot was the original name of the visual marketing automation platform now branded Ortto. Headquartered in Sydney, Australia, Ortto combines a customer data platform, email, SMS, push, in app messaging, journey orchestration and analytics. The Autopilot / Ortto Capture script (CDN at ortto.app) sets a first party identifier on the operator domain, links the visitor to an Ortto contact record and tracks page views, form submissions and custom events. European customers can choose the Frankfurt region to keep personal data in the EU.
Autopilot HQ Inc., founded in Sydney in 2012, rebranded to Ortto Pty Ltd in 2022. The platform pioneered the visual canvas for marketing automation, with drag and drop journeys, audience segments and a single customer database. The modern Ortto stack adds a customer data platform, email, SMS, push, in app messaging, live chat, web feedback widgets and analytics dashboards. Many merchants still call the product Autopilot in their legal documents because of the long history of integrations under that name.
Ortto Capture sets a first party cookie on the operator domain. The historical Autopilot snippet used ajs_user_id and ajs_anonymous_id (12 months) as visitor identifiers. The modern Ortto Capture uses _aaid (anonymous ID) and _arid (resolved contact ID). Email tracking is performed through an open pixel and a click redirector under the ortto.email or autopilothq.com domain. The platform stores name, email, phone, postal address, custom attributes, segment membership, events, and the behavioural timeline.
Ortto Capture is a profiling tool, so Article 5(3) ePrivacy requires prior consent for the cookies and Article 6 GDPR requires consent for the behavioural personalisation. Marketing email follows national ePrivacy implementations and PECR style soft opt-in where applicable. Ortto Pty Ltd acts as processor for the customer data uploaded to the platform and as controller for its own product analytics.
Ortto is headquartered in Sydney, Australia, a country that does not benefit from a full GDPR adequacy decision. EU customers can choose the Frankfurt AWS region to keep customer data inside the European Union. Sub-processor access from Australia for product engineering and support is covered by the European Commission Standard Contractual Clauses included in the Ortto DPA. A transfer impact assessment is recommended.
Consent (Article 6(1)(a) GDPR) is required for marketing email, SMS, push, in app messaging and the Ortto Capture profile. Contractual necessity (Article 6(1)(b)) covers transactional emails (order confirmation, password reset). Legitimate interest can support narrow operational uses such as fraud detection and platform security.
Sign the Ortto Data Processing Addendum, pin the workspace to the Frankfurt region, integrate Ortto Capture with the Consent Management Platform, enable double opt-in for sign up forms, document the journeys and predictive scores in your records of processing, configure data retention, ensure unsubscribe links are visible in every marketing message, and update the privacy notice with the legacy Autopilot name and the current Ortto identity.
Websites using Autopilot (now Ortto) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Autopilot / Ortto handles large customer databases, when Ortto Capture runs on many pages, or when journeys combine email engagement, SMS, push and behavioural data. The DPIA should cover the region choice, the Australia controller relationship, sub-processors (AWS), retention, the Standard Contractual Clauses signed with Ortto and the response to data subject requests.
Sample consent text
Our website uses Autopilot (now Ortto) to send marketing emails and trigger personalised journeys. Ortto Capture sets a first party cookie on this domain and sends event data to Ortto servers in the European Union (Frankfurt region). Ortto Pty Ltd is based in Australia, so some support access may originate from outside the EU under Standard Contractual Clauses. By clicking Accept, you allow this personalisation.
Third-party domains contacted
- ortto.app
- ortto.email
- autopilothq.com
- ap-onboarding.com
- capture-eu.ortto.app

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ajs_user_id | HTTP cookie | 1 year | Legacy Autopilot user identifier still set when the historical snippet is in use. |
| ajs_anonymous_id | HTTP cookie | 1 year | Legacy Autopilot anonymous visitor identifier. |
| _aaid | HTTP cookie | 1 year | Modern Ortto Capture anonymous identifier used to build the contact profile. |
| _arid | HTTP cookie | 1 year | Modern Ortto Capture resolved contact identifier set after a known contact is matched. |
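A pre-consent audit built from the cookie names and domains listed above, as an added example that is not code from this page or from Ortto. The function names are hypothetical and the sample input is constructed; in practice the inputs would be `document.cookie` and the request URLs from a HAR export taken before the visitor makes a consent choice.

```javascript
// Added example: names and domains below are copied from this page's lists.
const ORTTO_COOKIES = new Set(["ajs_user_id", "ajs_anonymous_id", "_aaid", "_arid"]);
const ORTTO_DOMAINS = ["ortto.app", "ortto.email", "autopilothq.com", "ap-onboarding.com"];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// True when host is a listed domain or a subdomain of it (not a lookalike suffix).
function isOrttoHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return ORTTO_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Report identifiers set and vendor hosts contacted before the visitor opted in.
function auditPreConsent(cookieString, requestUrls) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    if (ORTTO_COOKIES.has(name)) findings.push({ kind: "cookie", value: name });
  }
  const seen = new Set();
  for (const raw of requestUrls) {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch {
      continue; // skip entries that are not absolute URLs
    }
    if (isOrttoHost(host) && !seen.has(host)) {
      seen.add(host);
      findings.push({ kind: "request", value: host });
    }
  }
  return findings;
}

// Constructed sample: state captured before any consent choice was made.
const sampleCookies = "lang=en; _aaid=constructed-value; theme=dark";
const sampleRequests = [
  "https://capture-eu.ortto.app/constructed-path",
  "https://notortto.app/x",
  "https://www.example.com/",
  "not a url",
];
console.log(auditPreConsent(sampleCookies, sampleRequests));
```

An empty result on a fresh session with no consent given is the expected state when Capture is gated behind the CMP.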
The historical Autopilot snippet sets ajs_user_id and ajs_anonymous_id (1 year). Modern Ortto Capture sets _aaid (anonymous ID, 1 year) and _arid (resolved contact ID, 1 year). Email tracking is done through pixels and the ortto.email or autopilothq.com click redirectors.
Yes for marketing email, SMS, push, in app messaging and the Ortto Capture profile. Transactional emails rely on contractual necessity. Marketing requires opt-in collected through a CMP or sign up form.
Consent (Article 6(1)(a) GDPR) for marketing and Capture profiling. Contractual necessity (Article 6(1)(b)) for transactional emails. Legitimate interest (Article 6(1)(f)) only for narrow operational uses.
Ortto is headquartered in Sydney, Australia. EU customers can pin the workspace to the Frankfurt AWS region, keeping customer data inside the EU. Engineering and support access from Australia is covered by Standard Contractual Clauses included in the Ortto DPA.
Recommended when Autopilot / Ortto manages large customer databases, when Ortto Capture is deployed on many pages or when journeys cross channels. Document region, retention, sub-processors and Australia transfer mechanism.
Sign the Ortto DPA, pin to Frankfurt, integrate Capture with the CMP, enable double opt-in, document journeys and predictive scores, configure retention, keep unsubscribe links visible and update the privacy notice with both Autopilot and Ortto names.
Other marketing automation platforms include ActiveCampaign, HubSpot, Klaviyo, Customer.io, Brevo (Sendinblue), Mailchimp and Dotdigital. EU alternatives include Brevo (France) and CleverReach (Germany).
List Ortto Pty Ltd (formerly Autopilot HQ Inc.) as processor, describe the ajs and _aaid / _arid cookies, mention the Frankfurt region and the Standard Contractual Clauses for any Australia access, and link to the Ortto DPA and privacy policy.