GDPR compliance for our personalization tools

How Personyze supports GDPR-compliant personalization for our customers and their visitors.

GDPR Compliance at Personyze

Last updated: May 2026

Personyze is committed to helping our customers operate in full compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. This page explains how Personyze is built to support GDPR-compliant personalization, the role we play in your data flows, and what we provide to help you meet your obligations as a controller.

For our complete privacy practices, see our Privacy Policy. The contractual terms governing GDPR processing are set out in the Data Processing Addendum (DPA) attached to our Terms & Conditions.

1. Our role under the GDPR

When you deploy Personyze on your website, app, or marketing channels, you are the data controller of the personal data collected from your visitors and customers. Personyze acts as a data processor, handling that data only on your documented instructions and only for the purposes you configure within the platform.

This relationship is governed by our DPA, which incorporates the European Commission’s Standard Contractual Clauses where personal data leaves the EEA, and the UK International Data Transfer Addendum for transfers subject to the UK GDPR. For Swiss data, we apply the additional modifications described by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

2. What Personyze collects on your behalf

Personyze provides a unified personalization layer across multiple channels — recommendations, A/B testing, dynamic landing pages, popups, social proof, push notifications, email personalization, and more. To deliver these experiences, the platform may collect, depending on what you choose to enable:

  • Pages viewed, time on page, clicks, scroll depth, referrer, and custom events you define
  • Device characteristics — browser, operating system, screen size, language
  • Country- or region-level geolocation derived from IP (IP addresses are not retained beyond the geolocation lookup unless you specifically opt in)
  • Cookie or device identifiers used to recognize returning visitors
  • CRM fields, e-commerce events, and any first-party data you pass into Personyze through our integrations or JavaScript API

By default, Personyze builds pseudonymized visitor profiles based on behavior and interests, not on directly identifying information. You decide whether identifying fields (such as email or customer ID) are ever passed to Personyze.

3. Lawful basis

As the controller, you are responsible for establishing a lawful basis for collecting and processing visitor data. For most personalization use cases in the EU and UK, this means obtaining valid consent through a properly configured cookie banner or consent management platform (CMP) before Personyze tracking begins. Personyze integrates with standard CMPs and exposes a JavaScript API for consent-gating — see our consent integration guide for implementation details.

4. Visitor rights you can fulfill with Personyze

Personyze provides the tooling required to honor your visitors’ GDPR rights:

  • Right to be informed — disclose Personyze in your privacy notice; sample language is available on request.
  • Right of access — visitor profile data can be retrieved through the Personyze platform or via API.
  • Right to rectification — incorrect data passed into Personyze can be updated through the same channels used to send it.
  • Right to erasure (“right to be forgotten”) — visitor profiles can be deleted by request through the platform or via API.
  • Right to restrict processing — tracking can be paused for a specific visitor while their profile is retained.
  • Right to data portability — visitor data can be exported in a structured, machine-readable format.
  • Right to object — visitors can opt out of Personyze tracking via your CMP, by enabling Global Privacy Control (GPC) or Do Not Track (DNT), or through an opt-out link you expose using our JavaScript API.
  • Right not to be subject to solely automated decisions with legal effects — Personyze is used for content personalization, not for decisions with legal or similarly significant effects on individuals.

5. Data minimization and built-in controls

Personyze is designed around data minimization. Key controls include:

  • IP address handling. IP is used transiently for geolocation and then discarded; you can choose to anonymize or fully omit IP capture.
  • Configurable retention. When defining data containers and custom events, you choose whether the data is retained or discarded at the end of the session.
  • No sensitive data by default. Personyze is not designed to receive special categories of data under Article 9, government IDs, payment data, or health information. Do not configure Personyze to collect those fields.
  • Consent-aware tracking. Personyze tracking can be enabled, disabled, or scoped per visitor based on consent state, and consent decisions are logged.

6. Sub-processors and international transfers

Personyze uses a small set of vetted sub-processors to operate the Service (cloud hosting, email delivery, payment processing). All sub-processors are bound by data-protection obligations no less protective than those we owe you. A current list is available on request.

Where personal data leaves the EEA or the UK, we rely on Standard Contractual Clauses and the UK IDTA as appropriate; for Swiss data, we apply the FDPIC’s modifications.

7. Security

Personyze applies administrative, technical, and physical safeguards consistent with industry practice for SaaS providers of comparable size and scope. These include encryption in transit (TLS), role-based access control under least-privilege principles, network protections, regular patching, written incident-response processes, personnel under confidentiality obligations with privacy and security training, and reputable cloud-hosting providers for physical security. Further detail is provided in Annex 2 of our DPA.

8. Breach notification

If Personyze becomes aware of a confirmed security incident affecting your data, we will notify you without undue delay and in any event within seventy-two (72) hours of confirmation, and will provide reasonable cooperation in any investigation, mitigation, and regulator-notification obligations under the GDPR.

9. Retention

Personyze retains personal data only as long as needed to provide the Service or as configured in your account. On termination, data is returned or deleted within ninety (90) days, subject to applicable legal-retention requirements and standard backup-rotation cycles. Aggregated or de-identified data that cannot reasonably be linked to a person is not subject to deletion.

10. Signing a DPA with Personyze

Our standard DPA is incorporated by reference into our Terms & Conditions and applies automatically when you process EU/UK personal data through Personyze. If your organization requires a signed copy or has specific amendments, contact us at support@personyze.com.

11. Contact

For any GDPR question, request, or complaint:

Personyze
Email: support@personyze.com
Website: www.personyze.com