Braze is a customer engagement platform that combines email, push, SMS, web push and in-app messaging with behavioral analytics. The Web SDK creates persistent identifiers and tracks behavior across sessions, so prior opt-in consent is required under ePrivacy and GDPR.
Braze is a customer engagement platform founded in 2011 by Braze Inc. in New York. It combines orchestrated multi-channel messaging (email, push, SMS, web push, in-app messaging, Content Cards) with behavioral analytics, segmentation, A/B testing and journey building (Canvas). Braze is deployed via Web SDK, mobile SDK (iOS, Android, React Native, Flutter) and server-side REST API. The Web SDK is loaded from a Braze CDN (js.appboycdn.com or sdk.iad-XX.braze.com) on the customer website.
The Braze Web SDK creates a persistent identifier stored in local storage (ab.storage.userId), a device id (ab.storage.deviceId), session metadata (ab.storage.sessionId) and cached campaign and Content Card data (ab.storage.contentCards, ab.storage.feed). When a customer calls braze.changeUser(externalId), the SDK links the device profile to the customer identifier known by your application. The SDK then sends events to a Braze ingest endpoint (sdk.iad-XX.braze.com or sdk.fra-XX.braze.eu) including page views, custom events and user attributes.
The Braze identifiers persist across sessions and link behavior across visits, building rich behavioral profiles. Article 5(3) of the ePrivacy Directive requires prior opt-in consent because the SDK stores information on the visitor's terminal. Article 6(1)(a) GDPR (consent) is the standard legal basis. Transactional messages tied to a contract can rely on Article 6(1)(b). The customer is the controller and Braze Inc. is the processor under Article 28 GDPR, with a DPA available in the Master Services Agreement.
Request an EU pod (EU 01 or EU 02 in Frankfurt) at onboarding so user profiles, behavioral events and message content stay in the EEA. The Braze SDK URL changes to sdk.fra-XX.braze.eu for EU pods. Braze Inc. corporate operations and product analytics include US providers, covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. The CDN that serves the SDK JavaScript file is global, which is acceptable since the JavaScript file is content, not personal data.
Gate the Braze Web SDK behind your consent management platform so braze.openSession() only fires after consent. Integrate Braze with Google Consent Mode v2 or IAB TCF. Request an EU pod. Sign the Braze DPA. Document the processor in your RoPA with pod region, retention and the list of channels enabled. Implement DSAR endpoints; Braze offers REST APIs to export and delete user data. Apply server-side data minimization and avoid sending sensitive attributes unless strictly needed. Carry out a DPIA before going live.
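One way to implement the consent gate from the first recommendation above, as an added example that is not Braze or FlowConsent code. `createBrazeConsentGate`, `findBrazeKeys`, the `apiKey` value and the wiring to a CMP callback are assumptions made for illustration; `initialize`, `changeUser` and `openSession` are the Braze Web SDK calls, and `storage` stands for `window.localStorage`.

```javascript
// Added example: consent gate for the Braze Web SDK (hypothetical helper names).
// `sdk` is the loaded Braze SDK object; `storage` is window.localStorage in a browser.
const BRAZE_PREFIX = "ab.storage."; // key prefix of the identifiers listed on this page

// Audit helper: Braze keys currently in storage. Must be empty before consent.
function findBrazeKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(BRAZE_PREFIX)) keys.push(k);
  }
  return keys.sort();
}

function createBrazeConsentGate({ sdk, storage, apiKey, baseUrl }) {
  let started = false;
  let pendingUserId = null; // identity requested before consent, held in memory only

  return {
    // Call from the CMP callback with the current marketing-consent state.
    onConsentChange(granted) {
      if (granted && !started) {
        sdk.initialize(apiKey, { baseUrl }); // e.g. the EU pod endpoint
        if (pendingUserId !== null) sdk.changeUser(pendingUserId);
        sdk.openSession(); // first call that may persist identifiers
        started = true;
      } else if (!granted) {
        // No consent or withdrawal: drop queued identity and stored identifiers.
        // An SDK that is already initialized keeps running until the page
        // reloads; this example only clears what it has stored.
        started = false;
        pendingUserId = null;
        for (const k of findBrazeKeys(storage)) storage.removeItem(k);
      }
      return started;
    },
    // Application login hook: never links the device to a user before consent.
    identify(externalId) {
      if (started) sdk.changeUser(externalId);
      else pendingUserId = externalId;
    },
  };
}
```

Running `findBrazeKeys(window.localStorage)` in a fresh browser profile before interacting with the banner is a quick check that the gate holds: it should return an empty array.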
Websites using Braze must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for typical Braze deployments because the platform performs systematic profiling, cross-channel tracking and behavioral segmentation of identified users. Document the legal basis for each segment and campaign, the EU pod selection, the retention period for user attributes and events, the data minimization rules and the integration with a consent management platform.
Sample consent text
We use Braze to personalize messages we send you across email, push notifications and in-app campaigns. Braze stores a persistent identifier and tracks your interactions to build a profile of your preferences. These cookies and identifiers are activated only after you accept them in the consent banner.
Third-party domains contacted
braze.com
braze.eu
appboycdn.com
js.appboycdn.com
sdk.iad-01.braze.com
sdk.fra-01.braze.eu
rest.iad-01.braze.com
rest.fra-01.braze.eu
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ab.storage.userId | first-party (local storage) | Persistent (until cleared) | Persistent user identifier set by the Braze Web SDK to recognise the same person across sessions and link behavior to the external user id provided by the customer. Requires consent. |
| ab.storage.deviceId | first-party (local storage) | Persistent (until cleared) | Persistent device identifier used by Braze for anonymous tracking before identification and to merge sessions. Requires consent. |
| ab.storage.sessionId | first-party (local storage) | Session (30 minutes of inactivity by default) | Session identifier used to group events from the same visit. Requires consent. |
| ab.storage.contentCards | first-party (local storage) | Up to 30 days | Caches the Content Cards feed delivered to the device so the Braze widget can render without a network call. Requires consent. |
| ab.storage.feed | first-party (local storage) | Up to 30 days | Caches the News Feed cards delivered to the device. Requires consent. |
The Braze Web SDK stores persistent identifiers in local storage (ab.storage.userId, ab.storage.deviceId, ab.storage.sessionId) and may also use cookies depending on the implementation. These identifiers persist across sessions and require consent.
Yes. Prior opt-in consent is required because the Web SDK stores persistent identifiers on the visitor's terminal and builds behavioral profiles for cross-channel messaging.
Article 6(1)(a) GDPR (consent) for behavioral tracking and marketing campaigns. Article 6(1)(b) (performance of a contract) for transactional messages triggered by a clear service relationship. The customer is the controller and Braze Inc. is the processor, with a DPA in the Master Services Agreement.
Not when an EU pod (EU 01 or EU 02 in Frankfurt) is selected for the workspace. The SDK endpoints are then sdk.fra-XX.braze.eu. Some Braze corporate operations and product analytics use US providers under SCCs and the EU-US Data Privacy Framework.
Yes. Article 35 GDPR makes a DPIA mandatory because Braze enables systematic profiling, cross-channel tracking and segmentation of identified users. Document the EU pod, retention, data minimization rules, consent mechanism and DSAR procedure.
Gate the Web SDK behind a consent management platform, integrate with Google Consent Mode v2 or IAB TCF, request an EU pod, sign the Braze DPA, document the processor in your RoPA, implement DSAR via the Braze REST API, minimize sensitive attributes, run a DPIA before launch.
Other customer engagement platforms include Iterable (US), Klaviyo (US), Salesforce Marketing Cloud, Adobe Journey Optimizer, Bloomreach (Czech Republic), Emarsys (SAP, EU), Insider (Turkey), Selligent and CleverTap.
List the Braze Web SDK identifiers (ab.storage.userId, ab.storage.deviceId, ab.storage.sessionId, ab.storage.contentCards) in your cookie disclosure with retention and purpose. Indicate the EU pod, the categories of personal data processed (events, attributes) and the channels enabled. Update whenever the SDK or pod configuration changes.