What "doesn't store customer data" actually means

There are three different things vendors might mean:

  • No PII stored. The platform never receives or stores emails, names, or addresses. Personalisation runs on session ID and anonymous behavioural signals only.
  • PII stored, but with EU residency. Customer data is collected but stays in EU data centres with proper DPA coverage.
  • PII stored, with deletion-on-request. Data is collected but can be deleted within the GDPR-mandated window.

If your concern is regulatory, all three can be defensible. If your concern is principled (you don't want a vendor holding customer PII at all), only the first qualifies.

What to verify with your DPO

  • Data Processing Agreement (DPA) covering all sub-processors
  • Data residency options, ideally EU-only
  • Anonymisation methodology if PII is processed
  • Right-to-delete process, with documented SLAs
  • Consent mode integration with your CMP
  • Whether the personalisation can run on session-scoped signals without authenticated user data

Five personalisation platforms with strong privacy postures

Clerk.io

Personalisation can run on anonymous session-scoped signals without authenticated user data. GDPR-aligned data handling, EU data residency options, DPA available on request. Headquartered in Copenhagen with a strong EU compliance posture.

Klevu

UK and EU presence with GDPR-aligned data handling and EU data residency options.

Algolia

Strong GDPR posture with EU data residency. Personalisation requires user identifiers but supports anonymisation.

Bloomreach

Enterprise platform with built-in CDP. Strong compliance posture but data-intensive by design. Best fit if your team has DPO bandwidth to manage a larger data surface.

Nosto

UK and EU presence with GDPR-aligned posture.

How to evaluate them for privacy specifically

  • What data is actually stored. Get the schema of stored data in writing.
  • Session-scoped vs persistent. Can the platform personalise without persistent user records?
  • EU data residency. Verified, not just claimed.
  • Sub-processor list. Every downstream vendor in the data flow.
  • Right-to-delete SLA. Maximum days from request to deletion.

TL;DR

  • "Doesn't store customer data" means different things to different vendors. Specify with your DPO.
  • Clerk.io, Klevu, Algolia, Bloomreach, and Nosto all have defensible GDPR postures. Specifics differ.
  • Verify schema of stored data, session vs persistent personalisation, EU residency, sub-processors, and right-to-delete SLAs.