Customer.io is a US-based marketing automation platform built around event-driven email, in-app messaging, push notifications and SMS. It is popular with SaaS companies for lifecycle marketing thanks to its visual workflow editor, native webhooks and developer-friendly API. The JavaScript tracker sets the first-party cookie _cio (12 months) to recognise visitors.
Customer.io is a marketing automation platform operated by Peaberry Software Inc., headquartered in Portland, Oregon, founded in 2012. It is built around event-driven messaging: emails, in-app messages, push notifications and SMS triggered by user actions in your product. Customer.io is particularly popular among SaaS companies for lifecycle marketing thanks to its visual workflow editor, native webhooks and developer-friendly Track and Journeys APIs. The company has offered an EU region (AWS Dublin) since 2021 for European customers seeking data residency.
The Customer.io JavaScript tracker sets the first-party cookie _cio (12 months) containing the visitor identifier, and _cio_id when an authenticated user is identified. The tracker forwards events to the Customer.io Track API: pageviews, custom events, identify calls and group memberships. Push notifications use the browser or mobile push tokens, and email deliveries are tracked via tracking pixels and open or click links. No cross-site tracking takes place.
The Customer.io tracker and the _cio cookie store behavioural data for marketing purposes and are not strictly necessary under Article 5(3) ePrivacy. Prior consent under Article 6(1)(a) GDPR is required for the cookie and for the email or push opt-in. Transactional notifications tied to an existing service relationship (password reset, order confirmation) can rely on Article 6(1)(b) contract performance. Marketing emails and push notifications must follow the PECR and TDDDG opt-in rules.
By default Customer.io runs on AWS US East. The EU region (AWS Dublin) keeps the production data inside the EEA, but the US support and engineering teams may still access it under EU SCCs (2021/914) and the EU-US Data Privacy Framework. The Customer.io DPA must be signed and the chosen region documented in the record of processing activities.
Load the Customer.io tracker through a CMP that blocks the script until marketing consent is given. Prefer the EU region for European customers and document the choice. Use the server-side Track API for transactional events that do not require cookies. Configure double opt-in for newsletter subscriptions, an unsubscribe link in every campaign, IP anonymisation in the JavaScript and a retention policy aligned with your legitimate interest assessment.
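One way to verify that the CMP really blocks the tracker until consent, as an added example that is not Customer.io or FlowConsent code: it scans a recorded page session for requests to the Customer.io domains and for the _cio cookies listed on this page before the consent timestamp. The capture format (time, url, cookies) and the sample entries are assumptions constructed for illustration.

```javascript
// Hosts and cookie names are the ones listed on this page.
const CIO_HOSTS = ["track.customer.io", "assets.customer.io", "in-app.customer.io"];
const CIO_COOKIES = ["_cio", "_cio_id"];

// True for a listed host or a subdomain of it, never for look-alikes
// such as "track.customer.io.example.net".
function isCioHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return CIO_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Cookie names from a document.cookie / Cookie-header style string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// entries: [{ time, url, cookies }] (assumed capture format, HAR-like).
// consentAt: ISO time marketing consent was recorded, or null if never given.
// Returns everything Customer.io-related that happened before consent.
function auditPreConsent(entries, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const findings = [];
  for (const e of entries) {
    if (Date.parse(e.time) >= cutoff) continue; // at or after consent: allowed
    let host = null;
    try { host = new URL(e.url).hostname; } catch { /* malformed URL: cookies still checked */ }
    if (host && isCioHost(host)) findings.push({ time: e.time, kind: "request", detail: host });
    for (const name of cookieNames(e.cookies || "")) {
      if (CIO_COOKIES.includes(name)) findings.push({ time: e.time, kind: "cookie", detail: name });
    }
  }
  return findings;
}

// Constructed capture (not real traffic): consent is recorded at 10:00:04.
const SAMPLE = [
  { time: "2024-05-01T10:00:00Z", url: "https://shop.example/", cookies: "session=abc" },
  { time: "2024-05-01T10:00:01Z", url: "https://assets.customer.io/", cookies: "" },
  { time: "2024-05-01T10:00:02Z", url: "https://shop.example/pricing", cookies: "session=abc; _cio=v1" },
  { time: "2024-05-01T10:00:03Z", url: "https://track.customer.io.example.net/", cookies: "" },
  { time: "2024-05-01T10:00:05Z", url: "https://track.customer.io/", cookies: "" },
];

for (const f of auditPreConsent(SAMPLE, "2024-05-01T10:00:04Z")) {
  console.log(`${f.time} pre-consent ${f.kind}: ${f.detail}`);
}
```

An empty result means nothing Customer.io-related was observed before consent in that capture; passing null as the consent time audits a session in which the visitor never accepted.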
Websites using Customer.io must obtain user consent under GDPR regulations.
DPIA considerations
Customer.io is a medium-risk processor: event-level behavioural profiling and US transfer. A DPIA is recommended when the platform is used for sensitive segments or for sending automated messages with significant effect. Document the consent flow, the choice between US and EU regions, the Customer.io DPA and the retention period in the record of processing activities.
Sample consent text
We use Customer.io to send behavioural emails, in-app messages and push notifications based on your activity. The _cio cookie (12 months) recognises you between visits and the Customer.io API receives your interactions only after you accept the marketing category. Data is processed by Peaberry Software Inc. (United States) under EU Standard Contractual Clauses.
Third-party domains contacted
- track.customer.io
- assets.customer.io
- in-app.customer.io

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _cio | first_party | 12 months | Customer.io visitor identifier used to recognise the browser between visits and link anonymous activity to an identified user when identify is called. |
| _cio_id | first_party | 12 months | Stores the persistent user identifier once the visitor has been authenticated and identified through the Track API. |
The JavaScript tracker sets first-party cookies _cio (12 months) for the anonymous visitor identifier and _cio_id (12 months) for the authenticated user identifier. No advertising or cross-site cookies are set.
Yes. The Customer.io tracker and the _cio cookie are not strictly necessary under Article 5(3) ePrivacy: they exist to track behaviour for marketing. Prior consent under Article 6(1)(a) GDPR is required. Transactional notifications tied to an existing service can rely on contract performance.
Consent for marketing emails, push and behavioural tracking (6(1)(a) GDPR). Contract performance for transactional notifications (6(1)(b)). Legitimate interest is generally not available for marketing under Article 5(3) ePrivacy.
Yes, by default. An EU region (AWS Dublin) has been available since 2021. Standard Contractual Clauses (2021/914) and the EU-US Data Privacy Framework cover the residual transfer when US support and engineering teams access data.
A DPIA is recommended for sensitive segments or automated messages with significant effect. Document the consent flow, region choice, Customer.io DPA, the retention policy and the lifecycle workflows in the record of processing activities.
Block the tracker in a CMP, prefer the EU region for European customers, use the server-side Track API for events that do not require cookies, configure double opt-in for newsletters, include an unsubscribe link in every campaign and align the retention period with your legitimate interest assessment.
EU-based alternatives: Brevo (France), Plezi (France), Webmecanik (France, open source), Mautic (open source), Sarbacane (France), Iterable (US), Klaviyo (US, EU region available).
List Customer.io as a marketing automation processor (Peaberry Software Inc.), declare the _cio cookie duration, document the chosen region and the DPA and update the cookie list when Customer.io ships changes.