Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
CleverTap is a customer engagement and retention platform that combines web and mobile analytics, segmentation, push notifications, in app messaging, email and SMS. The publisher embeds a JavaScript SDK on the website (or a native SDK in iOS and Android apps) which sends every event and a persistent CleverTap identifier to CleverTap servers. By default the data lives in the United States or India; an EU region (Frankfurt) is available on request. Because CleverTap performs large scale behavioural profiling, GDPR consent and a Transfer Impact Assessment are unavoidable.
CleverTap is a customer engagement platform that competes with Braze and Iterable on the mobile first market. It captures web and mobile events, builds rich user profiles, segments them, and orchestrates push notifications, in app messages, emails, SMS and WhatsApp campaigns. The product is sold to consumer brands (retail, fintech, media, gaming) that need to keep app users active across millions of sessions per day.
On the web, CleverTap sets WZRK_G (1 year), WZRK_S (session), WZRK_F (1 year, first touch) and WZRK_CAMP (30 days, campaign source). On mobile, the SDK stores a persistent device identifier plus the push token. It captures every page view, screen view, custom event, and user attributes pushed by the publisher (email, phone, age, country, custom traits). Profiles are kept for the lifetime of the user account on CleverTap until explicit deletion.
Persistent identifiers, behavioural profiling and triggered marketing require freely given, informed and specific consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. The SDK must be loaded and the device token registered only after that consent. Push and SMS campaigns trigger Article 13 ePrivacy direct marketing rules. Where the publisher operates in regulated sectors (finance, health) explicit consent under Article 9 may also apply.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
CleverTap offers three production regions : us1 (United States), in1 (India) and eu1 (European Union, Frankfurt). European publishers should pick eu1 to keep the data plane inside the EEA. Even with eu1, global engineering and support access from CleverTap teams in the United States and India remain possible under the DPA, so SCCs and a Transfer Impact Assessment are still part of the file.
Pick the eu1 region. Block the SDK behind the CMP consent gate on the web and the iOS App Tracking Transparency prompt on mobile. Hash personal identifiers (email, phone) at the SDK level. Sign the CleverTap DPA, attach SCCs and complete a Transfer Impact Assessment for any non eu1 deployment or for global support access. Run a DPIA covering segmentation logic, push frequency rules and retention. Configure short retention for inactive profiles.
Websites using CleverTap must obtain user consent under GDPR regulations.
DPIA considerations
CleverTap processes persistent device identifiers, event timelines, screen views, user attributes (email, phone, demographic data) and push tokens to build long term behavioural profiles used for segmentation and triggered campaigns. Key DPIA considerations : (1) systematic profiling on a large scale triggers Article 35(3)(b) GDPR; (2) push notifications and SMS bring Article 13 ePrivacy marketing rules into play; (3) by default data is stored in the United States or India, both third countries requiring SCCs and Transfer Impact Assessment, switching to the EU region (eu1) is the simplest mitigation; (4) email and phone are direct identifiers that CleverTap stores in plain text by default, hashing should be configured at the SDK level; (5) integration with CRM, analytics and advertising platforms creates a unified profile across many vendors that the publisher must expose under the right of access. A DPIA is essentially mandatory for any non trivial deployment.
Sample consent text
Our site and mobile apps use CleverTap (CleverTap Inc., San Francisco, United States) to remember what content you view and to send you relevant push notifications and in app messages. CleverTap stores cookies and a persistent identifier in your browser and on your device, and processes your events on its servers (United States, India or European Union, depending on configuration). Transfers to the US and India rely on Standard Contractual Clauses. You can refuse this tracking in the cookie banner and in the mobile app settings; basic site functionality is unaffected.
Third-party domains contacted
clevertap.comwzrkt.comeu1.clevertap-prod.comin1.clevertap-prod.comus1.clevertap-prod.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| WZRK_G | Marketing | 1 year | Persistent unique visitor identifier (CleverTap Guid) used to recognise the same person across sessions and to attribute events to the right profile. |
| WZRK_S | Marketing | Session | Session level identifier used to group events into a single session for retention and journey analytics. |
| WZRK_F | Marketing | 1 year | Stores the first visit timestamp and source so first touch attribution is preserved. |
| WZRK_CAMP | Marketing | 30 days | Stores the campaign source that brought the visitor (for last touch attribution and triggered campaign suppression). |
CleverTap places tracking cookies for advertising — comply with GDPR using FlowConsent.
WZRK_G (1 year, persistent visitor ID), WZRK_S (session), WZRK_F (1 year, first touch) and WZRK_CAMP (30 days, campaign source). All on the publisher domain or on a CleverTap subdomain depending on integration.
Yes. Persistent identifiers, behavioural profiling and triggered push messaging require prior explicit consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR. The SDK must be blocked behind the CMP and the iOS App Tracking Transparency prompt.
Consent for all CleverTap processing. Legitimate interest is not defensible for the combination of cross session profiling and triggered marketing. Article 13 ePrivacy applies to push, SMS and WhatsApp campaigns.
Yes by default. Pick the eu1 region to keep the data plane in the EU. Even then, global engineering and support access from the US and India remain possible; SCCs and a Transfer Impact Assessment apply.
Essentially yes for any meaningful deployment. CleverTap is large scale systematic profiling under Article 35(3)(b) GDPR and combines persistent identifiers with marketing channels regulated by ePrivacy.
Pick eu1. Block SDK behind CMP. Hash personal identifiers at the SDK level. Sign the CleverTap DPA. Complete TIA. Document the segmentation logic. Configure short retention for inactive profiles. Give users an easy opt out across web and mobile.
Yes : Bloomreach Engagement (Netherlands, Czech), Emarsys (Hungary, now SAP), Salesforce Marketing Cloud (US with EU regions), Mixpanel EU, Mapp Digital (Germany). Bloomreach and Emarsys are the most EU rooted alternatives for retention plus engagement.
List WZRK_G, WZRK_S, WZRK_F and WZRK_CAMP with their domain, duration and marketing purpose. Add CleverTap Inc. to the recipient list. Mention the United States, India and the European Union as possible destination countries depending on the chosen region.