Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Supademo is a US, based SaaS that turns product walkthroughs into interactive click, through demos that visitors can play inside a webpage. Marketing and sales teams embed the demos through a JavaScript widget or an iframe; Supademo then tracks viewer engagement (clicks, completion rate, time per step, optional email capture) and reports back to the publisher. Because the embed loads third, party scripts and persistent identifiers, it requires consent under the GDPR and the ePrivacy Directive.
Supademo is a SaaS that records a product walkthrough once and then lets visitors replay it as an interactive click, through demo. Marketing and sales teams embed the demo in landing pages, knowledge bases or sales emails through a JavaScript widget or an iframe. Supademo measures step, by, step engagement and pipes the data back to the publisher dashboard, with optional CRM and Slack integrations.
On each demo Supademo sets a persistent visitor cookie (_supademo_visitor, 1 year), a session cookie, a progress cookie and a Cloudflare bot management cookie. It records IP, User, Agent, referrer, demo identifier, steps clicked, time per step, completion rate, and (optionally) the email entered in a lead, capture step. The vendor stores those events on AWS us, east, 1 and exposes them to the publisher through the Supademo dashboard and webhooks.
The persistent visitor cookie and the engagement telemetry constitute audience analytics under the EDPB Guidelines 03/2022. Prior consent is required, except in the narrow case where the analytics is strictly necessary to deliver the demo (which Supademo''s rich engagement metrics do not satisfy). The lead, capture form additionally triggers Article 13 ePrivacy if the publisher uses the captured email for follow, up marketing.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Supademo Inc. is US, based and runs on AWS us, east, 1. The publisher relies on Standard Contractual Clauses attached to the Supademo DPA. Supademo, Inc. may have certified under the EU, US Data Privacy Framework, verify the current status before relying on it. Cloudflare CDN edges can route traffic through points of presence outside the EEA.
Block the Supademo embed behind the CMP consent gate. Show a static preview image with a click, to, load fallback for users who refuse. Mention Supademo Inc. in the privacy notice with the United States as a destination. Configure the shortest possible retention in the Supademo dashboard. Sign the Supademo DPA and attach SCCs. If you enable lead capture, treat the captured email as a marketing contact and respect Article 13 ePrivacy.
Websites using Supademo must obtain user consent under GDPR regulations.
DPIA considerations
Supademo collects engagement telemetry on the embedded demos: visitor IP, User, Agent, step, by, step interaction, completion percentage, time, on, step, and (optionally) the email entered in a lead, capture step. Key DPIA considerations: (1) the lead, capture form turns Supademo from an analytics tool into a marketing CRM connector, with its own retention and consent issues; (2) persistent visitor cookies allow Supademo to recognise the same person across multiple demos and customers, raising a re, identification risk; (3) the platform is hosted in the United States and access by Supademo support staff is global; (4) replays of the demo store mouse paths that can incidentally capture content from the page hosting the iframe (postMessage leakage); (5) embedding on intranet pages with internal account data requires a separate balancing test. A DPIA is recommended when Supademo is used at scale on logged, in pages or when lead capture is enabled.
Sample consent text
We embed interactive product demos powered by Supademo (Supademo Inc., United States). When you play a demo, Supademo loads its script in your browser, sets cookies to remember your progress, and records anonymous engagement events (steps viewed, time per step). If you choose to enter your email in a demo, that email is sent to Supademo and to us under our customer relationship terms. Data is transferred to the United States under Standard Contractual Clauses. You can refuse the demo in the cookie banner and we will display a static screenshot instead.
Third-party domains contacted
supademo.comapp.supademo.comcdn.supademo.comapi.supademo.comevents.supademo.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _supademo_visitor | Analytics | 1 year | Persistent visitor identifier used to recognise the same viewer across multiple demos and across visits to the publisher's website. |
| _supademo_session | Analytics | Session | Session, level identifier that groups the events of a single demo viewing session (steps viewed, time spent, completion). |
| _supademo_progress | Functional | 30 days | Stores the visitor's progress in a multi, step demo so they can resume where they left off if they reload the page. |
| __cf_bm | Strictly necessary | 30 minutes | Cloudflare bot management token used to distinguish legitimate viewers from automated traffic on the Supademo CDN. |
Supademo places tracking cookies for advertising — comply with GDPR using FlowConsent.
Supademo sets _supademo_visitor (1 year, persistent visitor ID), _supademo_session (session), _supademo_progress (30 days, progress within a multi, step demo) and __cf_bm (30 minutes, Cloudflare bot management) on its own domains.
Yes. The persistent visitor cookie and the engagement telemetry require prior consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR. Use a click, to, load placeholder so the embed is only fetched after the visitor has agreed.
Consent for analytics cookies and engagement telemetry. Contract performance can support a logged, in B2B SaaS where the demo is part of an onboarding flow the user explicitly asked for, but not generic marketing embeds.
Yes. Supademo Inc. hosts on AWS us, east, 1. SCCs apply through the Supademo DPA. Confirm the EU, US Data Privacy Framework certification status before relying on it. Cloudflare CDN edges add additional non, EEA points of presence.
Recommended whenever Supademo is embedded on authenticated pages (where the demo can correlate with account data) or when the lead, capture form is enabled. Standard marketing landing pages can usually rely on a balancing test instead.
Lazy, load the embed behind the CMP consent gate. Offer a static screenshot fallback. List Supademo Inc. in the privacy notice. Configure short retention in the dashboard. Sign the Supademo DPA. If lead capture is on, treat captured emails as marketing contacts under Article 13 ePrivacy.
Yes : Storylane (US but enterprise EU residency), Arcade (US), Folio (Germany), Walnut (US), or self, hosted screencast tools like Loom self, hosted alternatives. For a purely European, hosted interactive demo, fork an open, source tool such as ProductLane or Reflect and host it in EU.
List the four Supademo cookies with their domain (supademo.com or subdomains), duration and purpose. Add Supademo Inc. and Cloudflare to the recipient list. Mention the United States as a destination country.