Data Handling

Page actionsInformation on cookie usage, server-side data processing, personal data removal policies, and security measures for user activity tracking and data storage.

Browser cookie

The Crownpeak Product Discovery activities SDK uses persistent cookies (or browser local storage) to store a user's session ID or a boolean representing user's opt-out choice. The session ID is either provided or generated by the SDK. When generated, it will be represented by a UUID.

The cookie persists until the user clears their browser cache.

Server side data processing

Collected data

Data points	Purpose	Data processor
Session ID and the anonymized logged in user ID (email, username, user ID)	Cookie matching feature and calculation of user journeys	Crownpeak
User traits (you decide what exact information is being sent)	Enables the use of personalization algorithms	Crownpeak
Users IP addresses	Operational monitoring (capability to implement active protection and to do post-mortem security reports in case of attacks or breaches)	Crownpeak

Personal data removal policies

Activity events data

User information is anonymized and impossible to retro-match to an individual user. All users activity data will be stored on the Crownpeak platform as long as the client contract dictates the access to services.

Operational data

The policy for operational logging is as follows:

• Online log analysis sub-system (ELK): Rolling window of 2 months

• Backup of logs: Retained for 2 years with regular monthly purging

Security measures

• Segregation: Strict access controls to ensure proper separation of sensitive data

• Changing Security Settings: Only privileged administrators with dedicated and trained teams can modify security settings

• Encryption: Applied to logging storage to protect data integrity

• Secure Communication: All communication over the internet uses secure transport protocols (HTTPS/SSH)

Place of processing

User data (IDs, traits, IPs) is stored and processed in the EU. Activity events are stored and processed in the EU and the same region as FHR or XO.

FAS/XO region	User data (IDs, traits, IPs)	Activity data
EU	EU	EU
US	EU	US + EU
AP	EU	AP + EU