When using Voyado Elevate, Voyado will process your end-customer personal data in accordance with the Data Processing Agreement (the “DPA”) entered into between us. The DPA includes the general processing activities that apply to all customers using Voyado Elevate.
The descriptions below are provided to clarify the meaning of the different data categories referenced in the DPA in the context of Voyado Elevate.
Personal data categories processed in Voyado Elevate
| Personal data category | Description |
| customerKey | customerKey is intended to function as a pseudonymized identifier for recognizing a returning visitor across visits. Please note, however, that the value is solely determined by the Customer. Voyado recommends using a random UUID but cannot technically control or guarantee that the Customer does not send an identifiable value (e.g. email address or username) to Voyado Elevate. Customer is responsible for ensuring that customerKey is pseudonymized and does not directly identify the data subject. If the recommendation is followed, Voyado cannot on its own link the customerKey to an end-customer, as it is the Customer who controls the information that could enable re-identification. Note that this may change if Customer uses Connected Capabilities (Voyado Engage & Voyado Elevate) that enable linking of customerKey to identified data in Voyado Engage; see the article regarding Connected Capabilities for more information. Depending on the Customer’s technical implementation, Customer may store customerKey on the end-user’s device, e.g. by using a cookie or local storage. Any such storage is performed by or on behalf of Customer. Voyado Elevate receives customerKey only when it is transmitted by Customer to the service and thereafter processes it as part of the provision of Voyado Elevate. |
| SessionKey | SessionKey is a pseudonymized identifier relating to a visitor’s browsing session on the Customer’s website or application. SessionKey is used to associate a group of interactions occurring during a session within a defined timeframe (searches, clicks, views and similar behavioral events), thereby enabling Voyado Elevate to maintain session context and preferences as visitors navigate a site. A SessionKey is limited to the relevant session and does not, in itself, identify the end-customer. Depending on Customer’s implementation, a single session and its associated SessionKey may be linked to one or multiple customerKeys, e.g. where a visitor starts a session anonymously and later identifies themselves by logging in, without the session being terminated. In such cases, SessionKey enables continuity of the session while the relevant customerKey is updated. |
| IP address | Technical identifier, necessary for the functionality of the service. Handled in temporary memory and not stored persistently. |
| User agent | Browser/device identification, necessary for the functionality of the service. |
| Behavioral data | Views on products, purchases of products, clicks on products, add-to-carts on products, search phrases. Behavioral data is collected by the Customer and subsequently transmitted to Voyado Elevate, which processes it as part of the provision of the service. |
Consent, cookies and legal basis
It is important to distinguish between two related but separate legal assessments that are both relevant when using Voyado Elevate: (i) assessment of the requirements for storing information on, or accessing information from, the end-user’s terminal equipment under applicable national law implementing the ePrivacy Directive (2002/58/EC) (the “cookie law”); and (ii) assessment of the legal basis under the GDPR for the processing of personal data, including any subsequent processing of personal data collected via cookies, such as consent, legitimate interests or performance of a contract.
| Legal basis | Description |
| Consent under cookie law | Governs the technical method, i.e. whether information may be stored on, or accessed from, an end-user’s terminal equipment/device (e.g. to retain or retrieve a customerKey in cookie/local storage). The applicable consent requirement depends on the Customer’s implementation and the relevant national rules implementing Article 5.3 of the ePrivacy Directive, including whether an exemption for strictly necessary storage/access applies (strictly necessary cookies). Any consent obtained for such storage or access relates solely to that client-side storage/access and should not automatically be treated as the legal basis under the GDPR for any subsequent processing of that personal data, which requires a separate assessment. |
| GDPR legal basis (Article 6.1 GDPR) | Legal basis for the processing of personal data, including any subsequent processing of personal data collected via cookies, under Article 6 GDPR. This is a separate assessment concerning the processing of personal data after collection of information from the visitor’s device. The applicable legal basis under Article 6 GDPR is context-specific and must be determined by the Customer in its capacity as controller for each relevant processing activity and purpose (e.g. personalization of search results, product recommendations based on behavioral history). Depending on the implementation and purpose, that legal basis may be consent, performance of a contract or legitimate interests. |
| Relationship between the two assessments | Cookie law determines whether prior consent is required before storing/accessing information by placing non-essential cookies or tracking technologies on a user's device (hereinafter, “cookie consent”), while the GDPR establishes the standards for how that consent must be collected, managed and relied upon as a legal basis for processing personal data. Where cookie consent is required, that consent must also meet the requirements set out under the GDPR. The two frameworks are therefore complementary - ePrivacy determines whether consent is needed for the technical act of storing or accessing information, while the GDPR governs how that consent must be obtained and the subsequent processing of personal data. In practice, the Customer may need to conduct two separate assessments: first, whether cookie consent is required for the technical method of storing/accessing information; and second, what legal basis under the GDPR applies to any subsequent personal data processing. The assessments may differ depending on the Customer’s specific implementation and the purpose of the processing. |
Visitor identification and on-site personalization
All personalization in Voyado Elevate requires that the visitor can be recognized in some way. How such identification takes place depends on the Customer’s implementation.
Voyado’s recommended implementation is that the Customer stores and reuses a persistent customerKey via cookie or local storage where permitted, allowing Voyado to personalize the site. Depending on the Customer’s technical setup, however, the visitor may also be identified server-side (e.g. when the visitor logs in, signs up, completes a purchase as a member, clicks a link in a Voyado Engage email or is otherwise recognized in the Customer’s backend systems), without relying on cookies for that identification step. What the Customer implements and how it chooses to configure Voyado Elevate is the Customer’s sole responsibility.