Privacy

Bloomreach builds with a privacy and security-by-design approach and supports major frameworks such as GDPR and CCPA/CPRA across our products. An independent Data Protection Officer (DPO) oversees privacy compliance and governance.

This guide explains how to use Bloomreach features to manage consent, minimize data, handle PII, and fulfill data-subject rights under GDPR and similar regulations.

Controller vs. processor

For Bloomreach, you (the customer) are typically the controller, and Bloomreach is the processor for end-user data processed via our services. Bloomreach is a controller only for its own business data (for example, website visitors, marketing contacts, employees). This relationship is governed by Bloomreach's Data Processing Agreement (DPA), which covers sub-processor management, mechanisms for international data transfer (including Standard Contractual Clauses), data security obligations, and breach notification commitments. For details, visit the Bloomreach Privacy Center.

Applicable frameworks

Bloomreach supports compliance efforts under the following data protection frameworks:

  • EU GDPR: The General Data Protection Regulation governs the processing of personal data of individuals in the EU. Bloomreach's DPA, Standard Contractual Clauses, and platform privacy features are designed to support GDPR compliance.
  • UK GDPR and UK Data Protection Act 2018: Bloomreach's DPA and Standard Contractual Clauses address UK-specific transfer and processing requirements.
  • Swiss Federal Act on Data Protection (FADP): Platform features and contractual safeguards support Swiss data protection obligations.
  • EU ePrivacy Directive (Directive 2002/58/EC): Consent management and tracking consent tools help you meet cookie and electronic communication consent requirements.
  • CCPA/CPRA: Bloomreach supports opt-out mechanisms, data access, and deletion requests for California consumers.
  • Quebec Law 25: Law 25 introduces enhanced transparency, consent, minimization, retention, security, and breach notification requirements for Quebec. Bloomreach's platform features support Law 25 obligations across these areas, including consent management, data minimization, retention and deletion tools, audit logging, and cross-border transfer protections via the DPA.

For framework-specific details, visit the Bloomreach Privacy Center.

How Bloomreach supports compliance

Bloomreach provides the following features to help you meet your obligations under applicable data protection frameworks:

  • Consent management: Bloomreach supports customer-controlled consent and privacy configurations. Customers determine purposes, manage rights, and can integrate consent tooling before initializing tracking.
  • Tracking consent: You can implement consent gating so the SDK initializes only after valid consent, aligning data collection to your policy and regional requirements.
  • Data minimization: Products provide privacy-by-design capabilities such as data minimization and legal-basis management to limit processing to necessary data.
  • Managing PII: Admins can flag fields as personally identifiable information (PII) and restrict visibility with role-based access (for example, Personal Data Viewer) to limit who can view sensitive data.
  • GDPR use cases: Bloomreach features support common GDPR use cases, including consent capture, access restriction, event retention, and deletion/anonymization via APIs and UI tools.
  • Individual rights: Tools and APIs help you honor individual rights requests (access, rectification, erasure, portability, objection, restriction) directly from the platform.
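The consent-gating item above describes a pattern rather than a specific API, so here is an added example of it in browser JavaScript. This is not Bloomreach's code and calls no Bloomreach SDK: the real SDK initializer is represented by a hypothetical `initSdk` hook passed into the gate, and the shape of the consent record (`decision`, `purposes`) is an assumption you would adapt to whatever your consent tool emits. The point it shows is that the SDK is not initialized, and no event leaves the page, until a valid consent decision exists; events captured before the decision are held in memory and either flushed (consent granted) or discarded (consent refused).

```javascript
// Added example, not Bloomreach's own code. Demonstrates consent gating:
// the tracking SDK is initialized only after a valid consent record, and
// events are never sent before that. `initSdk` is a hypothetical stand-in
// for the real SDK initializer (not a Bloomreach API).

// A consent record is valid only when the visitor explicitly granted the
// "tracking" purpose (assumed record shape; adapt to your consent tool).
function isValidConsent(record) {
  return !!record
    && record.decision === 'granted'
    && Array.isArray(record.purposes)
    && record.purposes.includes('tracking');
}

function createConsentGate(initSdk) {
  let sdk = null;        // stays null until consent is valid
  let decided = false;   // true once the visitor has made an explicit decision
  const pending = [];    // events captured before the decision, held in memory only

  return {
    // Called by page code; never touches the SDK before consent.
    track(event) {
      if (sdk) { sdk.track(event); return 'sent'; }
      if (decided) return 'dropped';   // consent refused: discard, do not buffer
      pending.push(event);
      return 'queued';
    },
    // Called by the consent banner / CMP when the visitor decides.
    applyConsent(record) {
      decided = true;
      if (!isValidConsent(record)) {
        pending.length = 0;            // refused: drop buffered events unsent
        return false;
      }
      if (!sdk) {
        sdk = initSdk();               // initialize the SDK only now
        while (pending.length) sdk.track(pending.shift());
      }
      return true;
    },
    isInitialized() { return sdk !== null; },
    pendingCount() { return pending.length; },
  };
}

// Constructed stand-in SDK so the example runs offline; records what was sent.
function fakeSdk() {
  const sent = [];
  return { track(e) { sent.push(e); }, sent };
}

// Walks both outcomes (granted, refused) and returns a summary to inspect.
function demo() {
  const granted = fakeSdk();
  const gateA = createConsentGate(() => granted);
  const before = gateA.track({ type: 'page_view', path: '/home' });
  const initAfterGrant = gateA.applyConsent({ decision: 'granted', purposes: ['tracking'] });
  const after = gateA.track({ type: 'page_view', path: '/pricing' });

  const refused = fakeSdk();
  const gateB = createConsentGate(() => refused);
  gateB.track({ type: 'page_view', path: '/home' });
  const initAfterRefusal = gateB.applyConsent({ decision: 'denied', purposes: [] });
  const afterRefusal = gateB.track({ type: 'page_view', path: '/pricing' });

  return {
    before,                       // 'queued'
    initAfterGrant,               // true
    after,                        // 'sent'
    sentAfterGrant: granted.sent.length,        // 2 (flushed + live)
    initAfterRefusal,             // false
    afterRefusal,                 // 'dropped'
    sentAfterRefusal: refused.sent.length,      // 0
    pendingAfterRefusal: gateB.pendingCount(),  // 0
    sdkInitializedAfterRefusal: gateB.isInitialized(), // false
  };
}
```

In a real page, `initSdk` would wrap the SDK's own initialization call and `applyConsent` would be wired to the consent banner's callback; the gate's value is that page code can call `track()` unconditionally while the decision of whether anything is ever initialized or sent stays with the consent record.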

Privacy and policy resources

For more information about Bloomreach's privacy program policies and contact information, visit the Bloomreach Privacy Center.

For independent reports (SOC 2, ISO certificates) and pentest summaries, visit our Bloomreach Security Portal.

Legal disclaimer

This document is for informational purposes only and doesn't constitute legal advice. Privacy regulations vary by jurisdiction and are subject to change. Organizations should assess their own compliance obligations based on their specific circumstances.


© Bloomreach, Inc. All rights reserved.