Pixel Data Protection
Data collected
Bloomreach Discovery collects important user behavior data from your site/app through Pixels, combines it with your product Catalog data, and uses it to learn from and enhance the user experience further through Bloomreach algorithms.
The diagram below gives an overview of this data flow within your Bloomreach integration:
Our Technical Consultants discuss best practices, but we let you decide how you want to set up your integration and if you require consumer tracking consent before initializing Pixel tracking.
The Pixel tracking request sends user behavior tracking data to Bloomreach. The table below lists sensitive fields of the tracking API, what they collect and whether it can potentially be used as Personally Identifiable Information (PII).
Field | Data collected | Sensitivity |
---|---|---|
Cookie2 UID (also known as br_uid) | This field captures the visitor’s unique identifier, visiting timestamp, number of interactions, and some other metadata. We mainly use these to track their behavior data (page views, clicks, time spent, etc.) across sessions, and link the visitor’s user journey as a sequence of events. | The cookie stores a user’s unique identifier. The unique identifier combined with the user’s unique interaction data can be linked to other data points like IP address, browsing history, or other third-party cookies to indirectly identify the individual. |
User ID (optional) | This field captures a visitor’s unique user identifier as stored in the client’s CRM. The visitor’s user ID is optionally passed in Pixel requests and Discovery API requests. We use it to identify user interactions made by the same user to enhance personalization. | Its value cannot be used directly to identify the data subject. The ID can identify the data subject through the client’s CRM/ERP system, or connection with behavioral tracking. |
Order IDs | This field captures unique order IDs as part of the Conversion event whenever an order is made. | Its value cannot be used directly to identify the data subject. The ID can identify the data subject through the client’s CRM/ERP system. |
Browser history (Visited URLs) | The URL field captures the pages visited by the user. We process these URLs to understand their user journey. | 1. Some of these URLs might contain identifying information in the form of identity tokens or purchase details. 2. These URLs are also sensitive because they capture the user’s browsing history and behavioral tracking. |
Request headers | The system automatically captures the HTTP request headers (User-Agent and Remote IP address). We use them for data integrity and security purposes, to determine the visitor’s geo-location for audience targeting, and to determine the device type (desktop/mobile). | IP address can be used to link to a data subject. |
The complete list of all accepted fields in the Pixels can be found on Pixel reference.
Data location
The Analytics and (Pixel) Tracking data collected by Bloomreach is stored on resilient AWS (Postgres, Redshift, S3) and Google Cloud Platform (GCS, BigQuery) databases.
The default storage locations for an account’s data are:
- EU West (Belgium, Ireland) - If your business is based in Europe
- US East (Virginia) - For all other businesses
During account creation and provisioning, you have the option to choose any of these storage regions for an account.
The account data storage region cannot be changed after the account has been created. To use a different region, you must create a new account.
Note that for Insights reports, processed data is aggregated and transferred on the internal network to the user-facing dashboard via the US servers.
Data backups
We back up all Pixel data as we receive it on Amazon S3 until the termination of your contract. The backup location is the same as your account’s Pixel data storage location.
Additional regular backup systems:
- Amazon Redshift - automated backups every 15 minutes as a snapshot with a retention of 3 days.
- BigQuery - Daily backups with retention of 7 days (BigQuery Data Retention Documentation).
- AWS Glacier - Pixel data older than 90 days is moved to AWS Glacier cold storage. All of it is retained until 30 days after the termination of your contract.
Note: Customers can request a return of their Pixel data stored in Bloomreach by contacting Support.
We do not maintain data redundancy by storing it in multiple zones, and we do not have a disaster recovery system in place for Pixel Data.
Data protection
We understand the sensitivity of the Pixel data and ensure maximum privacy is maintained and protected.
Pixel tracking follows the same application layer encryption protocol as used in your e-commerce website. We recommend that you enforce the HTTPS protocol on your site so that Pixel data is encrypted in transit.
Inside the Bloomreach application, the data usually passes through several layers/components, most of which have their own encryption policies. The encryption utilizes encryption keys, which are managed by Amazon (see Data Encryption in Amazon AWS) and Google (see Encryption at Rest and Encryption in Transit in Google Cloud Platform).
Further, we ensure that no confidential or personal user data is exposed anywhere in the Bloomreach dashboard’s interface to the customers. The Events Management application, as the only application that shows raw user tracking data, mitigates the risk of leaking personal information by masking it on the service level.
Data deletion
After 30 days from the end of the contract (termination date), we will, unless legally prohibited, delete all your Pixel data in Bloomreach’s systems, under our control or otherwise in our possession.
Note that this shall not apply to the following stored in internal systems:
(a) data in logs;
(b) aggregated data, and
(c) data stored for statistical purposes
All the data related to your site visitors is identified using their User IDs, which were passed in the Pixel requests. Our engineering teams then clean up the data after the above-mentioned time period.
You still have the option to cancel your termination in the 30-day window after contract termination till your data is deleted.
Updated 2 months ago