HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

Optimizely Recommendations

Describes GDPR guidelines for personalized recommendations.

Optimizely Product Recommendations and Optimizely Email Product Recommendations

Consent

For Optimizely Product Recommendations and Optimizely Email Product Recommendations, Optimizely Customized Commerce checks the do not track (DNT) header on the request to enable tracking when a data subject visits the website. If the DNT field is set to 1, the Customized Commerce system stops calling the Personalization tracking API.

Optimizely Email Content Recommendations returns the latest content instead of personalized content for all users if you turn off tracking for a user. See also Ask for consent.

Collect data

From v1.4 of the integration APIs, the Personalization system collects no personally identifiable information (PII). A pseudonymized user ID is received in the tracking request and is used to identify the user in the Personalization system.

For clients using previous versions of the integration APIs, IP address and email address are optionally tracked, if provided (email address is used to identify the user in the Personalization system). See also Collect data.

Store data

Microsoft SQL Server and Cassandra databases store tracked data in Optimizely's production environment for up to six months.

By default, the Personalization system stores the IP address and email address of end-users who engage with a client's ecommerce website.

However, from v1.4 of the integration APIs, no PII is required; hence, Personalization databases do not store PII. Instead, the client must provide a pseudonymized user ID in the tracking request, which is used to identify the user in the Personalization system instead of the email address. See also Store data.

Use data

IP address and email address of end-users are used to show personalized recommendations from Optimizely Product Recommendations and send personalized emails from Optimizely Email Product Recommendations.

From v1.4 of the integration APIs, this does not apply because Optimizely Product Recommendations and Optimizely Email Product Recommendations do not use PII.

For clients using previous versions of the integration APIs, an email address is used by Optimizely Email Product Recommendations to provide personalized recommendations through email. See also Data guidelines.

Fetch data

From v1.4 of the integration APIs, no PII is required by the Personalization system - so any subject access requests (SARs) that are raised are not processed because Optimizely cannot identify an individual.

For clients using previous versions of the integration APIs, if a client or partner receives a SAR to provide data that they hold about a subject, a Support ticket needs to be raised by the client or the partner to Optimizely Support. See also Fetch and update data.

Delete data

From v1.4 of the integration APIs, no PII is required by the Personalization system - so SARs that are raised are not processed because Optimizely cannot identify an individual.

For clients using previous versions of the integration APIs, if a client or partner receives a SAR to delete data that they hold about a subject, then the client or the partner needs to raise a Support ticket to Optimizely Support. See also Delete data.

Optimizely Content Recommendations and Optimizely Email Content Recommendations

📘

Note

Optimizely Content Recommendations and Optimizely Email Content Recommendations do not support do not track (DNT) at this time.

Consent

Optimizely Content Recommendations and Optimizely Email Content Recommendations check the DNT header on the request to track a user. You can override the DNT functionality to build your do not track implementation.

Collect data

A pseudonymized user ID (UUID) is received as a cookie value with the IP address in the tracking request. Only the UUID is used to identify the user in the Personalization system. The IP address is used only for filtering IPs or IP ranges (such as a customer's corporate firewall IP). However, a client or partner implementation can send other user identifiers (such as anonymized or plain text email addresses) to the tracking system. See also Collect data.

Store data

MySQL Server and ElasticSearch databases store tracked user data in Optimizely's production environment.

  • Active user data is stored indefinitely for user profile or model-building purposes.
  • Inactive user data is deleted after 12 months.

See also Store data.

Use data

The anonymized cookie or UUID value shows personalized (mostly web) recommendations from Optimizely Content Recommendations and sends personalized emails from Optimizely Email Content Recommendations. See also Data guidelines.

Fetch data

If you receive a subject access request (SAR) to provide data that you hold about a subject, file a Support ticket with Optimizely Managed Services. Using the visitor's UUID, you can also fetch the data through the Content Recommendations API endpoint. See also Fetch and update data.

Delete data

If you receive a SAR to delete data that they hold about a subject, file a Support ticket with Optimizely Managed Services. You can delete the data using the visitor's UUID and the Content Recommendations API endpoint. See also Delete data.

Optimizely Data Platform

Consent

Optimizely Data Platform (ODP) checks the DNT header when requested to track a user. You can override the DNT functionality to build your do not track implementation.

Collect data

ODP collects the data that is sent into the system. There are static fields for Name and Email that you can set by the implementation that uses ODP tracking. ODP does not set these by itself. See also Collecting data.

Store data

Optimizely treats stored data as PII data and stores it in Elastic Search.

ODP customers get separate indexes; the data is stored for at least two years. See also Storing data.

Use data

Data received using the ODP API should be treated as PII data and not stored in another (possibly unsafe) store. See also Data guidelines.

Fetch data

To fetch data, contact the Optimizely Support team at Optimizely. The data is fetched and sent back within 30 days. See also Fetch and update data.

Delete data

To delete data, contact the Optimizely Support team at Optimizely. The data is deleted within 30 days using a one-time secret. See also Delete data.