Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Pendo is a product analytics, in app guidance, NPS and Session Replay platform developed by Pendo.io Inc in Raleigh, North Carolina. The JavaScript SDK loaded from cdn.pendo.io captures user interactions, feature adoption, in app guide displays and survey responses inside a website or SaaS application, and sends events to AWS US regions by default. EU operators must collect consent where Pendo is used on public marketing pages, configure aggressive PII masking and run a DPIA when the Session Replay add on is enabled.
Pendo is a product experience platform developed by Pendo.io Inc in Raleigh. The JavaScript SDK loaded from cdn.pendo.io instruments a website or a SaaS application to capture user interactions (clicks, page views, feature adoption), NPS responses, in app guide displays and product analytics events. Pendo also offers feedback and roadmap modules, a guide builder for tooltips, modals and onboarding flows, and an optional Session Replay add on. The platform is used by product, customer success and growth teams to measure adoption and engagement.
Pendo processes the visitor identifier, account identifier, IP address, User Agent, page URL, language, custom user and account attributes the operator pushes via pendo.initialize, and a stream of interaction events (clicks, hovers, form interactions, NPS responses, guide views). The SDK sets first party cookies (_pendo_visitorId, _pendo_accountId, _pendo_meta) on the operator domain. When the Session Replay add on is enabled, full DOM mutations and masked form inputs are captured in the same way as a dedicated session replay tool.
On public marketing pages, Pendo is not strictly necessary to the requested service and the SDK plus its cookies require prior opt in consent under Article 5(3) of the ePrivacy Directive. Inside an authenticated SaaS application, the operator can rely on Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest) for product improvement, subject to a balancing test and clear information. Session Replay always requires explicit consent because of the high risk of incidentally capturing special category data.
Pendo.io Inc operates from the United States and processes events on AWS US regions by default. EEA visitor data is transferred to the US under the EU US Data Privacy Framework (Pendo is self certified) and Standard Contractual Clauses, with a documented transfer impact assessment. Enterprise customers can subscribe to the EU data residency add on that stores events in AWS Frankfurt, although the control plane and Session Replay analytics remain US operated.
Defer the SDK load on public pages until consent is given, mask all input fields in the Pendo configuration, configure URL exclusions for sensitive pages, reduce event retention to the shortest period needed, sign the Pendo Data Processing Addendum, opt in to the EU data residency add on where available and run a DPIA when Session Replay is enabled. Lower risk alternatives include Heap, Amplitude with EU residency, Mixpanel with EU residency, and self hosted Matomo Analytics or PostHog; only the self hosted options keep data inside the operator's own infrastructure.
Websites using Pendo on public pages must obtain prior user consent under the GDPR and the ePrivacy Directive before the SDK loads.
DPIA considerations
A DPIA is recommended whenever Pendo is deployed on EU facing SaaS applications and required when the Session Replay add on is enabled. The DPIA must cover the consent flow on public pages, the lawful basis inside authenticated areas, the PII masking configuration, the international transfer to the United States, the EU data residency add on if subscribed and the retention of events and recordings.
Sample consent text
We use Pendo to understand how our product is used and improve the experience. Pendo processes interaction events, pseudonymous user identifiers and, with your additional opt in, Session Replay recordings through Pendo.io Inc in the United States. The SDK only loads after you accept analytics and performance cookies.
Third-party domains contacted
pendo.io
cdn.pendo.io
app.pendo.io
data.pendo.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pendo_visitorId | http | 12 months | Pseudonymous Pendo visitor identifier used to recognise the device or user across sessions. |
| _pendo_accountId | http | 12 months | Account identifier set by the operator through pendo.initialize to group visitors by tenant or workspace. |
| _pendo_meta | http | Session | Pendo metadata cookie storing the SDK state for the current page session. |
Pendo cookies are analytics identifiers, not preference cookies: load the SDK only after the visitor has accepted analytics cookies in the consent banner.
Pendo sets first party cookies on the operator domain: _pendo_visitorId (pseudonymous visitor identifier, 12 months), _pendo_accountId (account identifier when set by the operator, 12 months) and _pendo_meta (Pendo metadata, session). When Session Replay is enabled, additional helper identifiers tie the recording to the visitor. All cookies are non essential and require prior consent on public pages.
Is consent required to use Pendo?
On public marketing pages, yes. The SDK and its cookies must be loaded only after prior opt in consent under Article 5(3) of the ePrivacy Directive. Inside an authenticated SaaS application, consent is not always required if the operator relies on Article 6(1)(b) GDPR (contract) or Article 6(1)(f) GDPR (legitimate interest), but transparency, an opt out and the ability to disable Pendo per user remain mandatory.
What is the lawful basis for Pendo?
Consent under Article 6(1)(a) GDPR on public pages. Contract or legitimate interest under Article 6(1)(b) or (f) GDPR inside authenticated SaaS applications, subject to a balancing test, transparency and the right to opt out. Session Replay always requires consent because of the risk of incidentally capturing special category data.
Is data transferred outside the EU?
Yes by default. Pendo.io Inc is a US company and processes events on AWS US regions. EEA visitor data is transferred to the US under the EU US Data Privacy Framework (Pendo is self certified) and Standard Contractual Clauses. The EU data residency add on for Enterprise customers stores events in AWS Frankfurt, but the control plane remains US operated.
Is a DPIA required?
Recommended for any deployment on EU SaaS applications and required when the Session Replay add on is enabled. The DPIA must cover consent on public pages, lawful basis in authenticated areas, PII masking, the US transfer, retention of events and recordings, and the alternatives evaluated.
How can the risk be reduced?
Defer the SDK load on public pages until consent is given, mask all input fields in the Pendo configuration, exclude sensitive URLs, reduce retention to the shortest period needed, sign the Pendo DPA, opt in to the EU data residency add on where available and run a DPIA when Session Replay is enabled. Use pseudonymous visitor IDs and avoid pushing direct identifiers (email, username) through pendo.initialize.
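The consent-gated loading, URL exclusion and pseudonymous visitor id checks described in the mitigation paragraph earlier on the page and in the answer above, written out as working browser JavaScript. This is an added example, not Pendo's or FlowConsent's own code. It assumes a consent manager that dispatches a 'consent-updated' event with detail {analytics, sessionReplay}, server-stamped data-visitor-id and data-account-id attributes on body, an operator-chosen SENSITIVE_PATHS list, and that excludeAllText is the agent option that masks element text; the agent URL pattern and the call queue follow Pendo's public install snippet. The page does not name the agent setting for Session Replay, so the code only returns that decision for the operator to wire up.

```javascript
'use strict';

// Consent-gated loader for the Pendo agent (added example, not Pendo's or FlowConsent's code).
// Assumed, not from the page: the 'consent-updated' event shape, the data-* attributes on <body>,
// the SENSITIVE_PATHS list and the excludeAllText option. The agent URL and the call queue
// mirror Pendo's public install snippet.

const PENDO_API_KEY = 'REPLACE-WITH-YOUR-API-KEY'; // placeholder
const AGENT_SRC = 'https://cdn.pendo.io/agent/static/' + PENDO_API_KEY + '/pendo.js';

// URL exclusions: the agent is never injected on these paths (hypothetical operator list).
const SENSITIVE_PATHS = [/^\/account\/billing/, /^\/settings\/security/, /^\/admin(\/|$)/];

// An opaque, server-issued token: 16+ URL-safe characters, so an email or username is rejected.
const PSEUDONYMOUS_ID = /^[A-Za-z0-9_-]{16,}$/;

// No opt in means no script and therefore no _pendo_* cookies; sensitive pages are skipped outright.
function shouldLoadPendo(consent, pathname) {
  if (!consent || consent.analytics !== true) return false;
  return !SENSITIVE_PATHS.some((re) => re.test(pathname));
}

// Build the pendo.initialize() options. Session Replay has its own explicit opt in; only the
// decision is returned because the page does not name the agent flag that enables it.
function buildInitOptions(consent, visitorId, accountId) {
  if (!PSEUDONYMOUS_ID.test(visitorId)) {
    throw new Error('visitor.id must be an opaque pseudonymous token, not an email or username');
  }
  return {
    initOptions: {
      visitor: { id: visitorId },
      account: { id: accountId },
      excludeAllText: true, // assumed agent option: mask element text in captured events
    },
    sessionReplayAllowed: consent.sessionReplay === true,
  };
}

// Install the call queue (same shape as Pendo's public snippet) and inject the agent script.
// Calls made before the agent arrives are queued in pendo._q and replayed by the agent;
// 'initialize' is unshifted so it always runs first.
function loadPendo(win, doc, initOptions) {
  const pendo = (win.pendo = win.pendo || {});
  pendo._q = pendo._q || [];
  for (const m of ['initialize', 'identify', 'updateOptions', 'pageLoad', 'track']) {
    pendo[m] = pendo[m] || function (...args) {
      pendo._q[m === 'initialize' ? 'unshift' : 'push']([m, ...args]);
    };
  }
  const s = doc.createElement('script');
  s.async = true;
  s.src = AGENT_SRC;
  doc.head.appendChild(s);
  pendo.initialize(initOptions);
  return pendo;
}

// Entry point for the consent manager: returns the pendo stub when loaded, null when withheld.
function onConsent(win, doc, consent, visitorId, accountId) {
  if (!shouldLoadPendo(consent, win.location.pathname)) return null;
  const { initOptions } = buildInitOptions(consent, visitorId, accountId);
  return loadPendo(win, doc, initOptions);
}

// Browser wiring; skipped under Node so the functions above can be exercised headlessly.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('consent-updated', (ev) => {
    const body = document.body.dataset;
    onConsent(window, document, ev.detail, body.visitorId, body.accountId);
  });
}
```

This loader does nothing on consent withdrawal: the _pendo_* cookies already set stay on the device, so the consent manager's revoke handler must delete them and reload the page without the agent.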
What are the alternatives to Pendo?
Heap, Amplitude with EU residency, Mixpanel with EU residency, FullStory with strict masking, Hotjar with EU servers, Matomo Analytics self hosted, PostHog self hosted, June.so. For regulated sectors or strict no transfer policies, self hosted alternatives (Matomo, PostHog) are usually preferred.
What should the privacy policy say about Pendo?
Document Pendo.io Inc as a processor located in the United States, list the Pendo cookies (_pendo_visitorId, _pendo_accountId, _pendo_meta) with retention and purpose, describe the in app analytics, guides and Session Replay if enabled, disclose the EU US Data Privacy Framework and Standard Contractual Clauses, and link to the Pendo privacy notice.