Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Trustpilot is a Danish review platform used by businesses to collect and display customer reviews. Trustpilot acts as an independent data controller for its review platform. Businesses use Trustpilot's TrustBox widgets to display ratings on their websites and automated invitation emails to collect reviews from customers. The TrustBox widget sets tracking cookies requiring consent. Review invitations to known customers can rely on legitimate interest. As a Danish company, Trustpilot is subject to GDPR directly.
Trustpilot is a Danish online review platform that enables businesses to collect customer reviews and display them on their websites and in search engine results. Founded in 2007 in Copenhagen, Trustpilot hosts reviews across millions of businesses in hundreds of countries. Businesses use Trustpilot to send automated review invitations after purchases, display their TrustScore with TrustBox widgets, and manage their review responses.
Trustpilot operates as an independent data controller for its review platform — it decides how reviewer data is processed, stored, and published. Businesses using Trustpilot are also data controllers for the customer data they share with Trustpilot (customer email, order reference). The legal basis for sharing customer data with Trustpilot for review invitations is typically legitimate interest: post-purchase follow-up is a recognised legitimate interest under GDPR when balanced against reviewer privacy.
The Trustpilot TrustBox widget JavaScript sets cookies for tracking widget views and interactions. These are non-essential cookies requiring consent under the ePrivacy Directive. Block the TrustBox widget via your CMP until functional or analytics consent is given. Alternatively, use a server-side widget implementation or display a static badge.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Sign Trustpilot''s merchant agreement including DPA. Block TrustBox widget via CMP until consent. Conduct a Legitimate Interest Assessment for review invitation emails. Disclose Trustpilot in your privacy policy: what data is shared, why, and how to opt out. Ensure your review invitation emails include an easy unsubscribe mechanism. Honour data subject requests to delete reviews (submitted to Trustpilot directly).
Websites using Trustpilot must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for standard Trustpilot review collection. The review platform does not involve high-risk processing categories. Trustpilot itself is a Danish company that has conducted its own GDPR assessments.
Sample consent text
This website displays Trustpilot reviews and ratings using the TrustBox widget. Trustpilot may use cookies to track widget interactions. Data is processed by Trustpilot A/S (Denmark). You can manage Trustpilot cookie preferences in your cookie settings.
Third-party domains contacted
trustpilot.comwidget.trustpilot.comapi.trustpilot.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _tp_ | session | Session | Trustpilot TrustBox session cookie tracking widget interactions and review display analytics |
Trustpilot places tracking cookies for advertising — comply with GDPR using FlowConsent.
TrustBox widget sets tracking cookies requiring consent. Block via CMP until functional/analytics consent is given. Review invitation emails can rely on legitimate interest without separate consent.
Legitimate interest for post-purchase review requests. Document a LIA: purpose is genuine feedback, processing is proportionate (single email), customers can opt out. Avoid multiple reminders.
Yes. Trustpilot A/S is Danish and subject to GDPR directly. Review data is processed in the EU. A GDPR-compliant merchant DPA is available. EU headquarters is a significant advantage.
ajs_anonymous_id (analytics, 1 year) and session cookies. These require ePrivacy consent before the widget loads.
Customer email, first name (optional), order reference, purchase date. Minimum needed for review invitation. Do not send unnecessary data. Disclose in your privacy policy.
Via Trustpilot's own GDPR process — you cannot delete customer reviews as a business. Trustpilot handles reviewer data subject requests independently.
Yes. Sign Trustpilot's Data Processing Agreement in your business account settings. This formalises the processor/controller relationship for customer data shared for invitations.
Yes. Use Trustpilot's static badge instead of the dynamic TrustBox widget. Static displays load no JavaScript, set no cookies, eliminating consent requirements. Ratings don't update in real-time.