Services Privacy Notice
Last updated: May 21, 2024
Bloomreach takes privacy very seriously. This Services Privacy Notice (“Privacy Notice”) explains the information practices and policies of Bloomreach, Inc. and its subsidiaries (“Bloomreach”). It describes how we collect, use, and share personal information about you when providing the Bloomreach Services, and how you can exercise your privacy rights.
Please review our Website Privacy Notice here for information about how we collect and process personal information through our corporate websites (such as www.bloomreach.com) (“Websites”) and in connection with our events, sales and marketing activities.
If you have any questions about this Privacy Notice, please contact us using the information provided below.
A. ABOUT BLOOMREACH
We provide publishers, retailers, websites, ecommerce businesses and others (our “Clients”) and their end users authorized to use the Bloomreach Services (“Users”) with tools, analytics, personalization services and a marketing platform that help our Clients develop and publish content, help their consumers find content they want, and deliver personalized customer experiences.
We deliver the Bloomreach Services on our Clients’ commercial websites, mobile applications, and digital properties (collectively the “Digital Properties”) as part of the content they display to consumers who interact with their Digital Properties (“Consumers”).
For example, Bloomreach may analyse what products visitors actually view or purchase on a Client’s website when they enter certain search terms to improve the likelihood that those search terms will bring up the same products or related products faster (on that website) in the future.
You can find out more about Bloomreach and the Bloomreach Services here.
B. PRIVACY FOR CLIENTS AND USERS
INFORMATION WE COLLECT ABOUT CLIENTS AND USERS
This Section describes what information we collect about our Clients and their Users (“you”) when they use the Bloomreach Services.
Information you provide to us:
You may provide personal information to us through the Services – for example, when you sign up for and use the Services, consult with our customer support teams, send us an email, integrate the Services with another website, or communicate with us in any other way.
We will let you know prior to collection whether the provision of personal information we are collecting is compulsory or may be provided on a voluntary basis and the consequences, if any, of not providing the information.
The information you provide to us may include:
- Account Information: You need a Bloomreach account to use the Bloomreach Services as a User. When you register for an account, we ask you to provide contact information such as your name, telephone number, job title, country and organization name.
- Billing Information: If you purchase the Bloomreach Services, you may also need to provide us with payment and billing information such as your credit card details and billing address. We will also maintain a record of your purchases, transactional information, your history and any communications and responses.
Information we collect automatically:
When Users use certain Bloomreach Services, like Hippo CMS software, Bloomreach Personalization, Bloomreach Engagement or Bloomreach Experience software, we automatically collect and process certain information about that User’s device and use of the Bloomreach Services. In some countries, including countries in the European Economic Area or United Kingdom, this information may be considered personal information under applicable data protection laws.
We may use cookies and other tracking technologies to collect some of this information. Our use of cookies and other tracking technologies is discussed in more detail in our Services Cookie Notice that can be found here.
We use this information to learn how we can improve the user experience and our support and quality improvement processes.
The information we automatically collect through the Services includes:
Information about you as a user such as your name, company name, email, phone number, position, or country.
Device Information, such as your IP address, device attributes (for example: hardware model, operating system, web browser version, as well as unique device identifiers and characteristics), longitude, latitude, connection information (for example, name of your mobile operator or Internet Service Provider, browser type, language and time zone); and device locations (for example, internet protocol (IP) addresses and Wi-Fi information).
Product usage data, which may include the dates and times you access the Bloomreach Services, page views, clicks, invitations, which activities and features are used, crash logs, page load time, how you navigate to and within the Bloomreach Services, the Bloomreach Service version number if applicable, storage configuration settings, language preferences, and technical data relating to devices accessing and using the Bloomreach Services and the performance of the Bloomreach Services in doing so.
If your organization runs Hippo CMS or Bloomreach Experience on premise, then the information collection can be turned off globally if that is desired. For documentation on how to do this, please click here.
Bloomreach Engagement collects and processes the following data categories about its users:
- Metrics monitoring the application performance during your session such as page load time.
- Metrics monitoring in-app interactions and engagement such as actions, clicks, or invitations.
- User details including name, company name, email, phone number, position, or country.
- Device details such as device type, OS, browser tracking identifier (cookie or Google Analytics ID), IP, longitude, or latitude.
HOW WE USE YOUR INFORMATION
We use the information collected about you for a variety of reasons, including the following purposes, as applicable:
- To keep track of billing and payments.
- To provide, support, personalize, maintain and enhance the Bloomreach Services.
- To fix bugs and troubleshoot product functionality.
- To track User behavior at an aggregate level to identify and understand trends in the various interactions with the Bloomreach Services, for gathering insights into how the users interact with the app, which parts of the application are or are not used, and how they are interacted with by different types of customers.
- To improve the Bloomreach Services for all Users.
- To respond to requests or provide requested information.
- To send administrative or account related information.
- To communicate updates to the Service.
- To communicate with you via post, telephone and/or email for the purposes of providing you with marketing and promotional content (where this is in accordance with your marketing preferences). For more information about managing your marketing preferences, please see “Your Rights”.
- To comply with and enforce applicable legal requirements, agreements and policies.
- To prevent, detect, identify, investigate, respond and protect against potential or actual claims, liabilities, prohibited behavior, and criminal activity.
- For other business purposes such as data analysis, identifying usage trends, determining the effectiveness of our marketing and to enhance, customize and improve our Websites, products and services.
C. PRIVACY FOR CONSUMERS
INFORMATION WE COLLECT ABOUT CONSUMERS
The Bloomreach Services are intended for use by our Clients. As a result, for much of the personal information we collect and process about Consumers, we act as a processor on behalf of our Clients (the data controllers).
We are not responsible for the privacy or security practices of our Clients, which may differ from those set forth in this Privacy Notice. We recommend that Consumers review the privacy policies and notices of our Clients’ Digital Properties they use.
Set out below is further information about the personal information that we collect about Consumers through the Bloomreach Services – Discovery & Content and Engagement.
Discovery & Content Services
These services use and rely on information, such as device and IP address information, which is collected automatically through technologies such as cookies and similar tracking technologies. We use this to enable the services to provide better content experiences. You can learn more about how these services automatically collect information below and in our Services Cookie Notice found here.
The information we automatically collect about you may include:
Device Information: We collect device-related information about a Consumer’s use of a specific Client’s Digital Properties and interactions with Bloomreach-created content widgets and pages on that Client’s Digital Properties through our “p.brsrver.com” domain. This device information is collected from a Consumer’s browser, and may include information such as their IP address, the date and time they use the Client’s Digital Property, technical attributes about the Consumer’s browser request, browser type, browser language, search queries, pages or products browsed, and details about whether they have made a purchase (collectively, “Consumer Data”).
We associate Consumer Data with an anonymous cookie tied to a specific Client’s Digital Property. This information does not enable us (and we don’t link it to any information that enables us) to specifically identify any Consumer (such as by reference to their name or email address).
These services do not collect the name, address, phone number, or other personal information of individual Consumers that enables them to be specifically identified (although our Clients may have collected this information separately from these services).
We do NOT:
(1) Associate Consumer Data collected from one Client’s Digital Properties with Consumer Data collected from a different Bloomreach Client’s Digital Properties; or
(2) Track or resolve an individual Consumer’s online activities across multiple unrelated third party websites or online services (often called “cross-device tracking”).
However, we may collect and use aggregate information about Consumers provided by third party service providers who may track individual Consumer online activities across multiple unrelated third party websites or online services.
Usage and Analytic Information: These services do not use data collected on behalf of one Client for the purpose of servicing a different Client, but we may use aggregated information compiled from multiple Client Digital Properties or provided by third party service providers for servicing Clients. For example, we may collect device and machine-generated information such as the request and response logs of our Client’s Digital Properties. These logs include click and browse information. For example, when Consumers visit our Client’s websites, information identifying the website they arrive from and the next website they visit is generated and available to the website operator for analysis.
We use this information on an aggregated basis alongside similar information from millions of other Consumers to enable us to improve and develop our products and services and to improve Consumers’ experiences on our Client’s Digital Properties.
This aggregated information may include basic reporting metrics like the number of Consumers who discovered content through Bloomreach-suggested content and connections, how frequently Consumers return to a Client’s Digital Property, and the aggregate revenues generated from those Consumers. Aggregated information may also be used to help Bloomreach and its Clients optimize products and services.
Cookies and Similar Tracking Technology
Cookies are files that web servers place on an Internet user’s computer that are designed to store basic information (such as visitor preferences). Cookie technology remains a fundamentally important part of how websites customize users’ online experiences. Through the use of cookies or similar technologies, we may automatically collect and store basic information about your visits to a Client’s Digital Property, so that we can help improve consumers’ online experiences.
BloomReach Tracking and Non-Tracking Domains. BloomReach tracks Client Consumer Data only through its “p.brsrvr.com” domain. Our other domains, including “www.bloomreach.com,” “brcdn.com,” “brsrvr.com,” “brm-core-0.brsrvr.com” and “brm-suggest-0.brsvr.com” (collectively, our “Non-Tracking Domains”) do not track and store Client Consumer Data. BloomReach API requests to our Non-Tracking Domains are HTTP requests which include a user’s IP address in the header of the request. With respect to our Non-Tracking Domains, any information contained in the HTTP request is purged and BloomReach only retains information contained in the API URL. We do not use, collect or share any Consumer Data received through our Non-Tracking Domains.
How can I opt-out of Bloomreach cookies? While our Clients are responsible for communicating directly with their Consumers, we strive to offer Consumers choices about the collection of information using cookies. Consumers are welcome to opt out of being tracked by Bloomreach by clearing their browser’s cookies for the domain or URL that uses the Bloomreach Services or by blocking the use of cookies when they visit such domains or URLs. For more information about our use of cookies and how you can opt-out of cookies, please see our Services Cookie Notice here.
Engagement services
While using these services, our Customers may be providing us with their clients’ personal data.
This data may include the following: IP address, name, surname, gender, email address, login information, time zone setting, operating system and platform, information about visits including the URL, the search terms, information about what you viewed or searched on our website, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and the methods used to browse away from the page, activities of users, browsing web pages.
Bloomreach analyzes our Customers’ clients’ personal data to build individual profiles. These profiles are used to predict future interests and display targeted (online) advertisements. The aim is to provide Customers’ clients with offers that are relevant and interesting for them. The profiling is based on (surfing) behaviour of our Customers’ clients on Customer’s website. We conduct profiling solely for the purpose of providing them with more attractive offers for the purchase of goods and/or Services and customizing the content of websites according to our Customers’ clients’ preferences. The Customers have the obligation to ensure that they have collected their clients’ respective consents and approval in order to process such data in accordance with GDPR, other applicable data protection law and their agreement with Bloomreach.
D. GENERAL INFORMATION
HOW WE SHARE YOUR INFORMATION
BloomReach will share the information it collects:
- with our group companies. A list of our current group companies is available here;
- with our Clients, if you are a Consumer;
- with our third party services providers (our vendors) who provide data processing services to us (and with whom the sharing of your personal information is necessary to undertake the work e.g. to external consultants, professional advisors, payment processors, outsourced IT and document storage providers, auditors and accountants);
- with any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- with our marketing partners to offer certain marketing events and promotions and may share individual level information that we have collected with these business partners in order to carry out these events and promotions;
- with a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice; and
- with any other person with your consent to the disclosure.
INTERNATIONAL DATA TRANSFERS
We are a growing corporation with operations in multiple countries, including the United States, United Kingdom, India, the Netherlands, Germany, Czechia and Slovakia. While our primary data centers are in the United States, Ireland, the Netherlands and Belgium, we may transfer personal information or other information to Bloomreach offices outside of the United States, the European Economic Area or the United Kingdom. In addition, we may employ other companies and individuals to perform functions on our behalf.
These countries may have data protection laws that are different to the laws of your country. However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These safeguards include implementing the European Commission’s Standard Contractual Clauses (including as amended by the UK Data Transfer Addendum to the Standard Contractual Clauses), as well as our certification to (and adherence to the Principles under) the Data Privacy Framework (defined below) in connection with transfers to Bloomreach Inc. in the US.
Our Standard Contractual Clauses can be provided to you upon request. We have implemented similar appropriate safeguards with our third-party service providers and partners, and further details can be provided to you upon request.
Data Privacy Framework
Bloomreach has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively the “Data Privacy Framework”) as set forth by the US Department of Commerce with respect to personal information concerning individuals from the European Economic Area, United Kingdom, and Switzerland. Please see our Data Privacy Framework Notice to learn more.
If there is any conflict between the terms in this Privacy Notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.
DATA RETENTION
Generally, personal data shall be kept for as long as necessary for the purpose for which it was processed. The length of time that Bloomreach will hold your personal data will also depend on the legal basis on which your data is processed. Should the processing be based on legitimate interest, your data will be processed for as long as the given legitimate interest of Bloomreach is in place. For data kept based on legal obligations, the data-retention period is prescribed by applicable legal regulations. For data processed based on performance of a contract, the data is processed for the duration of the contractual relationship and for an applicable limitation period. Should the processing be based on your consent, your personal data shall be erased after you withdraw your consent. Please bear in mind that the same data may also be processed on another legal basis, in which case your withdrawal of consent might not mean a full erasure of your data.
LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION (FOR RESIDENTS OF EEA/UK ONLY)
If you are an individual from the EEA/UK, our legal basis for collecting and using personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we normally rely on our (or our Client’s) legitimate interest to collect personal information from you, except where such interests are overridden by your data protection interests or fundamental rights and freedoms. Where we rely on our legitimate interests to process your personal information, they include the interests described in this Privacy Notice.
In some cases, we may rely on our consent or have a legal obligation to collect personal information. If we rely on consent to collect and/or process your personal information, we will obtain such consent in compliance with applicable laws.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “Contacting Bloomreach” heading below.
YOUR RIGHTS
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “Contacting Bloomreach” heading below.
- In addition, if you are a resident of the European Economic Area (“EEA”) or United Kingdom (“UK”), you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “Contacting Bloomreach” heading below or via our Website in the section https://www.bloomreach.com/en/legal/control-your-data?_ga=2.163252412.1609075078.1640601789-1812993489.1640601789.
- You have the right to opt out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details provided under the “Contacting Bloomreach” heading below or via our Website in the section https://www.bloomreach.com/en/legal/control-your-data?_ga=2.163252412.1609075078.1640601789-1812993489.1640601789.
- Similarly, if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. You can withdraw your consent anytime using the contact details provided under the “Contacting Bloomreach” heading below or via our Website in the section https://www.bloomreach.com/en/legal/control-your-data?_ga=2.163252412.1609075078.1640601789-1812993489.1640601789.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the EEA are available here.) If you are a UK resident please contact the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/.
Please note that because most of the information we store can only identify a particular browser or device, and cannot identify you individually, you will need to provide us with some additional information to enable us to identify the personal information we hold about you and ensure that it accurately fulfils your request. You may also be required to provide ID.
Further Information for Consumers: As described in this Notice, for much of the personal information we collect and process about you through the Bloomreach Services, we act as a processor on behalf of our Clients. In such cases, if you want to exercise any data protection rights that may be available to you under applicable law or have questions or concerns about how your personal information is handled by Bloomreach as a processor on behalf of our Clients, you should contact the relevant Client that has contracted with Bloomreach for the use of the Bloomreach Services, and refer to their separate privacy policies. If you are having difficulties finding this Client, you can contact us through our support team and we will try our best to help you.
SECURITY
We use appropriate technical and organizational security measures to protect any personal information we process against unauthorized access, disclosure, alteration, and destruction. For example, to protect your information, access to data processing facilities is restricted, and we deploy appropriate firewalls, anti-virus and other anti-malware software and technologies as well as access controls on our networks and systems.
Unfortunately, nobody is truly and completely safe from hackers. Although we do our best to protect your personal information, we cannot guarantee security. No Internet transmission can ever be guaranteed 100% secure, and so we encourage you to take care when disclosing personal information online and to use readily available tools, such as Internet firewalls, secure e-mail and similar technologies to protect yourself online.
CHANGES AND UPDATES
Bloomreach will maintain personal information in accordance with this Notice. We may update this Notice from time to time in response to changing legal, technical, or business developments. If we decide to change this Notice, we will post the changes on this page and update the “last updated” date at the top of this policy.
If at any point Bloomreach decides to retain or use previously collected personal information in a materially less restrictive manner, we will seek to provide affected individuals with additional notice (such as by way of email (where possible) or by posting a notice on our website or product login screens) for at least 30 days prior to the change in use. We encourage you to review our Notice whenever you use our Website to stay informed about our information practices and the ways you can help protect your privacy.
CONTACTING BLOOMREACH
If you have any questions, comments, or concerns about BloomReach or this Notice, please contact our Data Protection Officer by email at dpo(at)bloomreach(dot)com or using the contact details provided below.
Attn: Data Protection Officer
Postal Mail Address:
BloomReach, Inc.
82 Pioneer Way
Mountain View, CA 94041
If you are an EEA/UK resident:
BloomReach, B.V.
Oosteinde 11
1017 WT Amsterdam
The Netherlands
Attn: Data Protection Officer
We can be reached via e-mail at dpo(at)bloomreach(dot)com or you can reach us by telephone at +1 (888) 263-3917.
If you are resident in the EEA/UK, the data controller of your personal information is Bloomreach B.V., jointly with Bloomreach, Inc.
If you are a Consumer, the data controller of your personal information is our Client whose Digital Properties you use.