Supported vendors
The strings below are what you put in vendors: [...] inside consent.config.ts. They are not opaque tokens — Tickbox uses them to classify each category against the active jurisdiction (UK_DUAA, EU_GDPR, …). Pass anything not on this list and Tickbox will accept it but treat it as the jurisdiction’s default mode (usually consent under EU GDPR, and notice or always for first-party-feeling things under UK DUAA).
If you need a vendor that isn’t here, please open a PR adding it to vendors.ts so the registry grows. The runtime cost of an extra entry is one string-equality check.
Privacy-friendly analytics
Privacy-friendly statistical analytics — first-party or near-first-party, aggregated, no individual-level data, no advertising features.
Under UK DUAA (PECR exemption from 5 Feb 2026) these qualify for the “statistical purposes” exemption — notice + opt-out is enough, no banner required. Under EU GDPR / ePrivacy these still require consent.
| Identifier |
|---|
plausible |
fathom |
simpleanalytics |
pirsch |
goatcounter |
umami |
tinybird-analytics |
cloudflare-web-analytics |
Advertising and ad-tech
Advertising / paid-acquisition pixels and SDKs. Always require consent.
| Identifier |
|---|
google-ads |
google-analytics |
ga4 |
google-tag-manager |
gtm |
meta-pixel |
facebook-pixel |
tiktok-pixel |
linkedin-insight |
twitter-pixel |
x-pixel |
pinterest-tag |
reddit-pixel |
snapchat-pixel |
bing-uet |
microsoft-uet |
criteo |
taboola |
outbrain |
yandex-metrica |
baidu-analytics |
Session replay and fingerprinting
Session-replay and individual-user fingerprinting. Always require consent.
| Identifier |
|---|
hotjar |
fullstory |
microsoft-clarity |
mouseflow |
logrocket |
smartlook |
lucky-orange |
CDP and product analytics
Customer-data platforms and product analytics that send individual events. Always require consent.
| Identifier |
|---|
segment |
rudderstack |
mixpanel |
amplitude |
posthog |
heap |
pendo |
june |
Marketing automation and CRM
Marketing-automation, CRM and email-marketing platforms with browser tracking. Always require consent.
| Identifier |
|---|
hubspot |
pardot |
marketo |
mailchimp |
klaviyo |
iterable |
activecampaign |
braze |
customer-io |
sendinblue |
brevo |
Chat widgets
Live-chat widgets. Each loads third-party scripts that fingerprint users.
| Identifier |
|---|
intercom |
drift |
crisp |
tawk |
livechat |
olark |
tidio |
zendesk-chat |
AI training crawlers
AI-training crawlers and LLM-related user-agents.
Listed as consent-required so an explicit opt-in toggle decides whether
site content can be crawled / used for model training. Pairs with the
upcoming ai_training category and a future /ai.txt / /llms.txt
generator. EU AI Act Article 53 enforcement starts August 2026.
| Identifier |
|---|
gptbot |
claudebot |
anthropic-ai |
google-extended |
perplexitybot |
ccbot |
bytespider |
applebot-extended |
meta-externalagent |
oai-searchbot |
Importing the lists directly
Each constant is exported from @tickboxhq/core, so you can spread one straight into your config:
import { defineConsent, jurisdictions, ADVERTISING_VENDORS, PRIVACY_FRIENDLY_ANALYTICS } from '@tickboxhq/core'
export default defineConsent({ jurisdiction: jurisdictions.UK_DUAA, policy: { version: '2026-05-09', url: '/privacy' }, categories: { necessary: { required: true }, analytics: { vendors: [...PRIVACY_FRIENDLY_ANALYTICS] }, marketing: { vendors: [...ADVERTISING_VENDORS], default: false }, },})ALL_TRACKING_VENDORS is also exported — it is the union of every list above and is what the EU_GDPR preset uses internally to classify everything as consent.