In this topic
- Episerver Product Recommendations and Episerver Email Product Recommendations
- Content Recommendations
- Episerver Profile Store
Episerver Product Recommendations and Episerver Email Product Recommendations
Consent
For Episerver Product Recommendations (formerly Episerver Perform), Episerver Commerce checks the do not track (DNT) header on the request to enable tracking when a data subject visits the website. If the DNT field is set to 1, the Commerce system stops making the call to the Personalization tracking API.
If you disable tracking for a user, Episerver Email Content Recommendations returns the latest content instead of personalized content for all users.
Collecting data
From v1.4 of the integration APIs, no personally identifiable information (PII) is collected by the Personalization system. A pseudonymized user ID is received in the tracking request and is used to identify the user in the Personalization system.
For clients using previous versions of the integration APIs, optionally, both IP address and email address is tracked, if provided (email address is used to identify the user in the Personalization system).
Storing data
Microsoft SQL Server and Cassandra databases stores tracked data in Episerver's production environment for a maximum of six months.
By default, the Personalization system stores the IP address and email address of end-users who engage with a client’s e-commerce website.
However, from v1.4 of the integration APIs, no PII is required and hence Personalization databases does not store PII. Instead, the client is required to provide a pseudonymized user ID in the tracking request which is used to identify the user in the Personalization system instead of email address.
Using data
IP address and email address of end-users are used to show personalized recommendations from Episerver Product Recommendations and send personalized emails from Episerver Email Product Recommendations.
From v1.4 of the integration APIs, this does not apply because Episerver Product Recommendations and Episerver Email Product Recommendations do not use PII.
For clients using previous versions of the integration APIs, an email address is used by Episerver Email Product Recommendations to provide personalized recommendations via email.
Fetching data
From v1.4 of the integration APIs, no PII is required by the Personalization system - so any subject access requests (SARs) that are raised are not processed because Episerver cannot identify an individual.
For clients using previous versions of the integration APIs, if a client or partner receives a SAR to provide data that they hold about a subject, a support ticket needs to be raised by the client or the partner to the Managed Services team.
Deleting data
From v1.4 of the integration APIs, no PII is required by the Personalization system - so SARs that are raised are not processed because Episerver cannot identify an individual
For clients using previous versions of the integration APIs, if a client or partner receives a SAR to delete all data that they hold about a subject, then a support ticket needs to be raised by the client or the partner to the Managed Services team.
Episerver Content Recommendations
Consent
For Episerver Content Recommendations, it is your responsibility to handle consent and whether you should enable tracking when a data subject visits the website. You can turn off tracking from the configuration perspective, but doing so affects tracking for all users.
Collecting data
A pseudonymized user ID (UUID) is received as a cookie value with the IP address in the tracking request. Only the UUID is used to identify the user in the Personalization system. The IP address is used only for filtering IPs or IP ranges (such as a customer's corporate firewall IP). However, a client/partner implementation can send other user identifiers (such as anonymized or plain text email address) to the tracking system.
Storing data
MySQL Server and ElasticSearch databases store tracked user data in Episerver's production environment.
- Active user data is stored indefinitely for user profile/model building purposes.
- Inactive user data is deleted after 12 months.
Using data
The anonymized cookie/UUID value shows personalized (mostly web) recommendations from Episerver Content Recommendations and sends personalized emails from Episerver Email Content Recommendations.
Fetching data
If you receive a subject access request (SAR) to provide all data that you hold about a subject, file a support ticket with Episerver Managed Services. You can also fetch the data through the Content Recommendations API endpoint by using the visitor's UUID.
Deleting data
If you receive a SAR to delete all data that they hold about a subject, file a support ticket with Episerver Managed Services. You can also delete the data through the Content Recommendations API endpoint by using the visitor's UUID.
Episerver Profile Store
Consent
Episerver Profile Store checks the DNT header on the request to track a user. You can override the DNT functionality, so you can build your own do not track implementation.
Collecting data
Episerver Profile Store collects the data that is sent into the system. There are static fields for Name and Email that you can set by the implementation that uses Profile Store tracking. Profile Store does not set these by itself.
Storing data
Episerver treats stored data as PII data and stores it in Elastic Search.
Episerver Profile Store customers get separate indexes, and the data is stored for at least 2 years.
Using data
Data received using the Profile Store API should be treated as PII data and not stored in another (possibly unsafe) store.
Fetching data
To fetch data, contact the Managed Services team at Episerver. The data is fetched and sent back within 30 days.
Deleting data
To delete data, contact the Managed Services team at Episerver. The data is deleted within 30 days using a one-time secret.
Last updated: Jun 19, 2018