
Optimizely Personalization

This topic describes GDPR guidelines for Personalization.

Optimizely Product Recommendations and Optimizely Email Product Recommendations

Consent

For Optimizely Product Recommendations and Optimizely Email Product Recommendations, Optimizely Customized Commerce checks the do not track (DNT) header on the request to decide whether to enable tracking when a data subject visits the website. If the DNT field is set to 1, the Customized Commerce system stops making the call to the Personalization tracking API.

If you disable tracking for a user, Optimizely Email Content Recommendations returns the latest content instead of personalized content for all users. See also Asking for consent.

Collecting data

From v1.4 of the integration APIs, no personally identifiable information (PII) is collected by the Personalization system. A pseudonymized user ID is received in the tracking request and is used to identify the user in the Personalization system.

For clients using previous versions of the integration APIs, both IP address and email address are optionally tracked, if provided (the email address is used to identify the user in the Personalization system). See also Collecting data.
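The two behaviours described above (no tracking call when DNT is 1, and a pseudonymized user ID in place of email or IP address) are sketched below as an added example; it is not Optimizely's code. The key, the field names and the function names are assumptions, and HMAC-SHA256 is one possible pseudonymization method, not one this page prescribes.

```python
import hashlib
import hmac

# Assumption: a secret held only by the site operator (constructed demo value).
PSEUDONYM_KEY = b"constructed-demo-key"
# Hypothetical names of PII fields that must never reach the tracking request.
PII_FIELDS = {"email", "ip", "name"}


def dnt_enabled(headers):
    """True when the request carries DNT: 1 (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def pseudonymize(email, key=PSEUDONYM_KEY):
    """Keyed one-way ID: stable per user, not recomputable without the key.

    A plain unkeyed hash of an email address can be reversed by hashing a
    list of candidate addresses; keying the hash removes that shortcut.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def build_tracking_payload(headers, event):
    """Return the payload for the tracking call, or None when DNT is set."""
    if dnt_enabled(headers):
        return None  # no tracking call is made at all
    payload = {k: v for k, v in event.items() if k not in PII_FIELDS}
    if "email" in event:
        payload["user_id"] = pseudonymize(event["email"])
    return payload


if __name__ == "__main__":
    # Constructed sample event; 203.0.113.7 is a documentation address.
    event = {"email": " Alice@Example.com ", "ip": "203.0.113.7",
             "page": "/product/42"}
    print(build_tracking_payload({"DNT": "1"}, event))
    print(build_tracking_payload({"dnt": "0"}, event))
```
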

Storing data

Microsoft SQL Server and Cassandra databases store tracked data in Optimizely's production environment for a maximum of six months.

By default, the Personalization system stores the IP address and email address of end-users who engage with a client’s e-commerce website.

However, from v1.4 of the integration APIs, no PII is required and hence Personalization databases do not store PII. Instead, the client is required to provide a pseudonymized user ID in the tracking request, which is used to identify the user in the Personalization system instead of the email address. See also Storing data.

Using data

IP address and email address of end-users are used to show personalized recommendations from Optimizely Product Recommendations and send personalized emails from Optimizely Email Product Recommendations.

From v1.4 of the integration APIs, this does not apply because Optimizely Product Recommendations and Optimizely Email Product Recommendations do not use PII.

For clients using previous versions of the integration APIs, an email address is used by Optimizely Email Product Recommendations to provide personalized recommendations via email. See also Using data.

Fetching data

From v1.4 of the integration APIs, no PII is required by the Personalization system, so any subject access requests (SARs) that are raised are not processed because Optimizely cannot identify an individual.

For clients using previous versions of the integration APIs, if a client or partner receives a SAR to provide data that they hold about a subject, a support ticket needs to be raised by the client or the partner to Optimizely Support. See also Fetching & updating data.

Deleting data

From v1.4 of the integration APIs, no PII is required by the Personalization system, so SARs that are raised are not processed because Optimizely cannot identify an individual.

For clients using previous versions of the integration APIs, if a client or partner receives a SAR to delete all data that they hold about a subject, then a support ticket needs to be raised by the client or the partner to the Optimizely Support team. See also Deleting data.

Optimizely Content Recommendations and Optimizely Email Content Recommendations

Note: Optimizely Content Recommendations and Optimizely Email Content Recommendations do not support do not track (DNT) at this time.

Consent

Optimizely Content Recommendations and Optimizely Email Content Recommendations check the DNT header on the request to track a user. You can override the DNT functionality, so you can build your own do not track implementation.

Collecting data

A pseudonymized user ID (UUID) is received as a cookie value with the IP address in the tracking request. Only the UUID is used to identify the user in the Personalization system. The IP address is used only for filtering IPs or IP ranges (such as a customer's corporate firewall IP). However, a client/partner implementation can send other user identifiers (such as anonymized or plain text email address) to the tracking system. See also Collecting data.

Storing data

MySQL Server and Elasticsearch databases store tracked user data in Optimizely's production environment.

  • Active user data is stored indefinitely for user profile/model building purposes.
  • Inactive user data is deleted after 12 months.

See also Storing data.

Using data

The anonymized cookie/UUID value is used to show personalized (mostly web) recommendations from Optimizely Content Recommendations, and to send personalized emails from Optimizely Email Content Recommendations. See also Using data.

Fetching data

If you receive a subject access request (SAR) to provide all data that you hold about a subject, file a support ticket with Optimizely Managed Services. You can also fetch the data through the Content Recommendations API endpoint by using the visitor's UUID. See also Fetching & updating data.

Deleting data

If you receive a SAR to delete all data that you hold about a subject, file a support ticket with Optimizely Managed Services. You can also delete the data through the Content Recommendations API endpoint by using the visitor's UUID. See also Deleting data.

Optimizely Data Platform

Consent

Optimizely Data Platform (ODP) checks the DNT header on the request to track a user. You can override the DNT functionality, so you can build your own do not track implementation.

Collecting data

ODP collects the data that is sent into the system. There are static fields for Name and Email that the implementation using ODP tracking can set. ODP does not set these by itself. See also Collecting data.

Storing data

Optimizely treats stored data as PII data and stores it in Elasticsearch.

ODP customers get separate indexes, and the data is stored for at least 2 years. See also Storing data.

Using data

Data received using the ODP API should be treated as PII data and not stored in another (possibly unsafe) store. See also Using data.

Fetching data

To fetch data, contact the Optimizely Support team. The data is fetched and sent back within 30 days. See also Fetching & updating data.

Deleting data

To delete data, contact the Optimizely Support team. The data is deleted within 30 days using a one-time secret. See also Deleting data.