Integrate uxspire into your CMP
All the information you or your agency need to set up uxspire cleanly in the consent layer of your website — with the actual SDK endpoints, storage names and a documented Consent API.
In brief
uxspire collects data on customer websites and delivers, for example, surveys or UX metrics such as NPS, CSAT or UEQ. uxspire must therefore generally be represented in the consent layer of the customer website.
There is no single central way that works automatically for all CMPs. Therefore set up uxspire in your CMP as a custom vendor or custom service, use the technical information on this page and connect the CMP selection with window.uxspire.setConsent({ tracking: true|false }).
Vendor data for your consent banner
You can adopt these fields 1:1 in your CMP when uxspire is set up there as a vendor, service or custom script.
| Field | Content |
|---|---|
| Provider name | uxspire GmbH |
| Address | Stixchesstr. 107, 51377 Leverkusen, Germany |
| Data protection contact | |
| Service name | uxspire |
| Category | Statistics / Feedback / UX Analytics / Surveys |
| Purpose | Delivery of embedded user surveys, collection of UX metrics, event capture and analysis of the user experience. |
| Recommended legal basis | Consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG, insofar as tracking or terminal-device access is used. |
| Data types | Browser/device and page context, event names and event properties, UTM/campaign parameters, survey responses, NPS/CSAT/UEQ/UEQ-S responses including optional comments, project and survey references, session ID and pseudonymous distinct ID. Server-side, ingest requests additionally process client_ip from X-Forwarded-For or X-Real-IP, origin, user_agent and accept_language as technical request metadata; browser, OS, device and referrer context is derived from this. Assignment is regularly based on pseudonymous identifiers and not on clear names. |
| Cookies / storage |
No third-party cookies. The browser SDK uses LocalStorage/SessionStorage:
uxspire.distinct_id (LocalStorage, pseudonymous user ID),
uxspire.session_id (SessionStorage, session ID),
uxspire.consent (LocalStorage, consent status, 365 days),
uxspire.embed.config.*,
uxspire.embed.etag.* and
uxspire.embed.fetchedAt.* (LocalStorage, embed config cache) as well as
uxspire.widget.seen.* for widget/survey status.
For hosted public-link surveys, an additional best-effort cookie
uxspire.survey.link_submitted.* may be set for deduplication.
|
| Script and API domains |
By default https://app.uxspire.com for
/embed/v1/uxspire.js,
/embed/v1/bootstrap,
/embed/v1/config,
/api/v1/e,
/api/v1/batch,
/api/v1/identify and
/api/v1/privacy/forget. Survey assets can be delivered via
assets.uxspire.com or environment-specific
assets.* domains.
|
| Data location | The SaaS application is operated on Microsoft Azure within the EU; the concrete Azure region is set per environment via deployment configuration. Survey assets are stored or delivered via Cloudflare R2/CDN with EU jurisdiction. ZU KLÄREN: actually rolled-out Azure production region as well as Microsoft support and diagnostic data. |
| Privacy signals and consent | GPC/DNT are respected by default on the client and server side, as long as respectPrivacySignals has not been deactivated at the org, workspace or project level. With Sec-GPC: 1 or DNT: 1 the server responds with 204 and X-Uxspire-Privacy-Suppressed; nothing is written to the database. Consent is controlled via setConsent({ tracking: true|false }) and is only stored for up to 365 days in uxspire.consent without active privacy signals. |
| Storage period / retention | Consent status: up to 365 days, provided that GPC/DNT are not active. Analytics identifiers: regularly up to 365 days. Event and evaluation data: regularly up to 12 months, insofar as no longer retention is necessary for security, proof, contractual or DPA reasons. Azure Log Analytics is configured to 30 days in the Terraform default; PostgreSQL backups to 7 days in the Terraform default. |
| TOMs / security | HTTPS/TLS transport encryption, Azure PostgreSQL with minimum TLS 1.2, secrets via Azure Key Vault, private network/private DNS configuration for central Azure services, project-specific API keys, rate limits for embed/ingest/privacy-forget, server-side GPC/DNT suppression and deletion path /api/v1/privacy/forget. |
| DPA | Request enterprise DPA |
| Recipients / sub-processors | Processors and sub-processors; binding details in the enterprise DPA. |
| Privacy Policy | uxspire.com/datenschutz |
| Technical integration | Consent API for developers |
Mandatory information for customers
If you use uxspire on your website, you must represent the specific use in the consent banner and privacy policy of your company. The final assessment depends on your setup and the activated modules.
In the consent banner / CMP
- Service and provider: uxspire, uxspire GmbH.
- Purpose: feedback, UX analytics, surveys, UX metrics and event analysis.
- Category: regularly statistics/analytics or feedback, not essential.
- Storage technologies: LocalStorage/SessionStorage keys and durations from the vendor table.
- Legal basis: consent for terminal-device access pursuant to § 25(1) TDDDG and for personal analytics pursuant to Art. 6(1)(a) GDPR, insofar as no other defensible individual case applies.
- Withdrawal: connect the CMP selection with
setConsent({ tracking: false }).
In the privacy policy
- Describe purposes, legal bases and data categories specifically according to the activated uxspire modules.
- Name uxspire GmbH as processor or recipient and, for enterprise contracts, link the DPA as well as sub-processors.
- Present third-country references and safeguards for the sub-processors used, insofar as applicable.
- State the storage period or criteria for the storage period.
- Represent the withdrawal of consent, the rights of data subjects and the right to complain to a supervisory authority.
- Organisationally take into account the GPC/DNT behaviour and deletion path for
distinct_id-related deletion requests.
One service or several services?
For the current MVP, a single CMP service is usually sufficient. With separately activatable modules or stricter customer requirements, a split can make sense.
uxspire Surveys & VOC
Standard surveys, NPS, CSAT, UEQ and UEQ-S. Purpose: feedback collection, voice of customer, UX metrics and evaluation of responses. Data: responses, ratings, optional comments, survey/project reference, session/distinct ID and technical context.
uxspire Product Analytics
Event capture, technical usage analysis and funnel-like evaluations based on sent events. Purpose: product, UX and conversion analysis. Data: event names, event properties, page context, referrer, UTM/campaign parameters, device/browser context and pseudonymous IDs.
Heatmaps / Session Recording
In planning and marketing documents there are designations for heatmaps and session recordings, however an active browser SDK capture for these modules is not evidenced in the reviewed technical documents on this page. If such modules are activated productively, they should be assessed as a separate CMP service due to a higher consent expectation.
Setup in Consent Management Platforms
In the reviewed app and website documents, no official uxspire entry in CMP vendor databases is documented. Therefore use the vendor data above and set up uxspire as a custom vendor, custom service or custom script.
Usercentrics / Cookiebot
Custom ServiceSet up as a Data Processing Service or custom service and enter the script/API URLs as well as storage names from this page.
OneTrust
Custom VendorConfigure as a custom vendor with JavaScript URL, endpoints and LocalStorage/SessionStorage names.
consentmanager
Custom ProviderSet up as a custom provider and connect the CMP rule with the uxspire Consent API.
Didomi
Custom VendorSet up as a custom vendor; a requested or confirmed inclusion is not evidenced in the reviewed documents.
Borlabs Cookie
Script-ServiceIntegrate as a custom JavaScript service; load the script only after consent or execute setConsent({ tracking: true }) after consent.
CCM19
Custom ProviderSet up as a custom provider with the statistics/feedback category and enter the endpoints from the vendor table.
CookieFirst
Custom ServiceCustom setup with the provider, purpose, storage and endpoint information mentioned above.
CookieYes
Custom Cookie / ScriptSet up as a custom cookie or script, select the statistics/analytics or feedback category and couple the release with the uxspire Consent API.
Osano
Custom VendorConfigure as a custom vendor; couple script blocking or the consent callback with the uxspire API.
Sourcepoint
Custom VendorSetup as a custom vendor with the vendor data mentioned above is possible.
Your CMP missing? Talk to us — we will help you translate the information into the respective CMP model.
Consent, privacy signals &
standards
uxspire does not bring its own consent interface. Consent is obtained in your
CMP and subsequently passed to uxspire via the SDK method
setConsent({ tracking: true|false }).
Global Privacy Control and Do Not Track are respected by default, provided that
the project/workspace/org policy does not expressly deactivate this. With active
signals, the client blocks tracking and embed, and the ingest endpoints suppress
incoming data with 204.
An active IAB-TCF/GVL integration or direct Google Consent Mode v2 evaluation is not implemented in the reviewed SDK and app documents. If your CMP uses such standards, it should derive an explicit uxspire consent decision from them.
Standards & Frameworks
-
CMP-controlled consent
Consent is obtained via the customer CMP and passed to uxspire via
setConsent. -
GPC / Do Not Track
Client and server can respect
Sec-GPC: 1andDNT: 1. -
GDPR & TDDDG
Consent-based integration and data processing on behalf pursuant to Art. 28 GDPR.
-
IAB TCF / Google Consent Mode
No direct SDK evaluation evidenced; mapping takes place in the CMP or tag manager logic.
Consent API for developers
uxspire is technically built so that your team can control consent cleanly — regardless of which CMP you use.
Embed the script
The script is typically loaded as an asynchronous embed and initialises itself via
data-api-key.
If your environment sets REQUIRE_CONSENT=true,
tracking and embed remain blocked until consent has been granted. Alternatively, the CMP
can load the script only after consent.
<script
src="https://app.uxspire.com/embed/v1/uxspire.js"
data-api-key="uxs_00000000-0000-4000-8000-000000000000"
async></script>Set / withdraw consent
As soon as the user consents in the consent banner or changes their selection, the CMP can
call setConsent().
The method expects an object with the field
tracking.
// Consent granted
window.uxspire?.setConsent({ tracking: true });
// Consent withdrawn
window.uxspire?.setConsent({ tracking: false });Stable SDK names
Script path, API endpoints and storage keys are documented and can be used in CMP rules or tag managers.
Consent Gate
With an active consent gate, embed and tracking are blocked until setConsent({ tracking: true }).
Opt-out & privacy signals
Upon withdrawal, the SDK stops further collection; GPC/DNT can additionally suppress on the client and server side.
Frequently asked questions
Do we need consent for uxspire?
In most configurations yes. As soon as uxspire accesses the terminal device (LocalStorage/SessionStorage) or collects personal data, consent is required pursuant to § 25(1) TDDDG or Art. 6(1)(a) GDPR. Pure server-to-server setups without terminal-device access are to be assessed individually with your data protection officer.
Can uxspire be loaded before consent?
Yes, if the consent gate is active in the uxspire environment
(REQUIRE_CONSENT=true) or if your CMP only releases the script after
consent. With an active consent gate, tracking and embed remain off until
setConsent({ tracking: true }) is called. Without this gate,
loading after consent is the safe option.
What happens when consent is withdrawn?
With setConsent({ tracking: false }) uxspire stops further
collection and blocks embed/tracking activities. The withdrawal is stored as the consent status,
provided that GPC/DNT are not active. Already collected pseudonymous data is treated
server-side in accordance with the privacy policy and, for enterprise contracts, the DPA; for targeted
deletion requests, /api/v1/privacy/forget is available.
Is data transferred to third countries?
The SaaS application is operated on Microsoft Azure within the EU; the production region is set via deployment configuration. Survey assets are stored or delivered via Cloudflare R2/CDN with EU jurisdiction. Decisive for sub-processors and any third-country references are the Privacy Policy and, for enterprise contracts, the DPA. ZU KLÄREN: actually rolled-out Azure production region as well as Microsoft support and diagnostic data.
My CMP does not list uxspire yet. What to do?
Set up uxspire with the vendor data mentioned above as a custom vendor in your CMP. If you would like uxspire to be officially included, contact us — we will then specifically drive the inclusion forward with your CMP provider.
Help with the integration?
Our team supports you and your agency with the correct setup of uxspire in your CMP — including enterprise DPA, data protection review and mapping to your CMP setup.