
Optimizely Recommendations

Describes GDPR guidelines for personalized recommendations.

Optimizely Product Recommendations and Optimizely Email Product Recommendations

Consent

For Optimizely Product Recommendations and Optimizely Email Product Recommendations, Optimizely Customized Commerce checks the Do Not Track (DNT) header on the request to decide whether to enable tracking when a data subject visits the website. If the DNT field is set to 1, the Customized Commerce system does not make the call to the Personalization tracking API.

If you disable tracking for a user, Optimizely Email Content Recommendations returns the latest content instead of personalized content for all users. See also Ask for consent.

Collect data

From v1.4 of the integration APIs, no personally identifiable information (PII) is collected by the Personalization system. A pseudonymized user ID is received in the tracking request and is used to identify the user in the Personalization system.

For clients using previous versions of the integration APIs, both IP address and email address are optionally tracked, if provided (the email address is used to identify the user in the Personalization system). See also Collect data.

Store data

Microsoft SQL Server and Cassandra databases store tracked data in Optimizely's production environment for a maximum of six months.

By default, the Personalization system stores the IP address and email address of end-users who engage with a client’s e-commerce website.

However, from v1.4 of the integration APIs, no PII is required, so the Personalization databases do not store PII. Instead, the client is required to provide a pseudonymized user ID in the tracking request, which is used in place of the email address to identify the user in the Personalization system. See also Store data.

Use data

IP address and email address of end-users are used to show personalized recommendations from Optimizely Product Recommendations and send personalized emails from Optimizely Email Product Recommendations.

From v1.4 of the integration APIs, this does not apply because Optimizely Product Recommendations and Optimizely Email Product Recommendations do not use PII.

For clients using previous versions of the integration APIs, an email address is used by Optimizely Email Product Recommendations to provide personalized recommendations via email. See also Data guidelines.

Fetch data

From v1.4 of the integration APIs, no PII is required by the Personalization system, so any subject access requests (SARs) that are raised are not processed because Optimizely cannot identify an individual.

For clients using previous versions of the integration APIs, if a client or partner receives a SAR to provide data that they hold about a subject, a support ticket needs to be raised by the client or the partner to Optimizely Support. See also Fetch and update data.

Delete data

From v1.4 of the integration APIs, no PII is required by the Personalization system, so SARs that are raised are not processed because Optimizely cannot identify an individual.

For clients using previous versions of the integration APIs, if a client or partner receives a SAR to delete all data that they hold about a subject, then a support ticket needs to be raised by the client or the partner to Optimizely Support. See also Delete data.

Optimizely Content Recommendations and Optimizely Email Content Recommendations

Note: Optimizely Content Recommendations and Optimizely Email Content Recommendations do not support do not track (DNT) at this time.

Consent

Optimizely Content Recommendations and Optimizely Email Content Recommendations check the DNT header on the request to track a user. You can override the DNT functionality, so you can build your own do not track implementation.

Collect data

A pseudonymized user ID (UUID) is received as a cookie value with the IP address in the tracking request. Only the UUID is used to identify the user in the Personalization system. The IP address is used only for filtering IPs or IP ranges (such as a customer's corporate firewall IP). However, a client/partner implementation can send other user identifiers (such as anonymized or plain text email address) to the tracking system. See also Collect data.

Store data

MySQL Server and Elasticsearch databases store tracked user data in Optimizely's production environment.

  • Active user data is stored indefinitely for user profile/model building purposes.
  • Inactive user data is deleted after 12 months.

See also Store data.

Use data

The anonymized cookie/UUID value shows personalized (mostly web) recommendations from Optimizely Content Recommendations, and sends personalized emails from Optimizely Email Content Recommendations. See also Data guidelines.

Fetch data

If you receive a subject access request (SAR) to provide all data that you hold about a subject, file a support ticket with Optimizely Managed Services. You can also fetch the data through the Content Recommendations API endpoint by using the visitor's UUID. See also Fetch and update data.

Delete data

If you receive a SAR to delete all data that you hold about a subject, file a support ticket with Optimizely Managed Services. You can also delete the data through the Content Recommendations API endpoint by using the visitor's UUID. See also Delete data.

Optimizely Data Platform

Consent

Optimizely Data Platform (ODP) checks the DNT header on the request to track a user. You can override the DNT functionality, so you can build your own do not track implementation.

Collect data

ODP collects the data that is sent into the system. There are static fields for Name and Email that you can set by the implementation that uses ODP tracking. ODP does not set these by itself. See also Collecting data.

Store data

Optimizely treats stored data as PII data and stores it in Elasticsearch.

ODP customers get separate indexes, and the data is stored for at least 2 years. See also Storing data.

Use data

Data received using the ODP API should be treated as PII data and not stored in another (possibly unsafe) store. See also Data guidelines.

Fetch data

To fetch data, contact the Optimizely Support team. The data is fetched and sent back within 30 days. See also Fetch and update data.

Delete data

To delete data, contact the Optimizely Support team. The data is deleted within 30 days using a one-time secret. See also Delete data.