Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Emarsys is the SAP owned customer engagement platform built for B2C marketers. It combines email, SMS, push, mobile wallet, the Emarsys Web Channel and AI driven personalisation in a single suite. The Emarsys Web Tracking script captures product views, basket interactions, search queries and purchases on the merchant website, ties them to the contact record in Emarsys and feeds programs such as abandoned cart, replenishment and welcome journeys. SAP ownership and EU data centres make Emarsys one of the more European friendly enterprise marketing clouds.
Emarsys, headquartered in Vienna and owned by SAP since November 2020, is a customer engagement platform built for B2C marketers in fashion, beauty, sport, retail, travel and consumer goods. The Customer Engagement Cloud combines an email channel, SMS, push, mobile wallet, the Emarsys Web Channel for on site personalisation, AI tactics such as Send Time Optimisation and Product Recommendations, and predictive segmentation. The Web Extend JavaScript script (scarabresearch.js) is what most merchants integrate to feed the platform with browsing and purchase data.
Emarsys Web Extend (formerly Scarab) sets the first party cookie scarab.visitor (1 year, visitor identifier) and scarab.session (session). When the merchant uses the Email Channel, a tracking pixel measures opens and a redirect script measures clicks. The platform stores the standard customer profile (name, email, phone, postal address, custom fields), behavioural events (page views, basket, purchases) and predictive scores such as engagement, lifecycle stage and lifetime value.
Web Extend is a profiling tool: Article 5(3) ePrivacy requires prior consent for the scarab cookies and Article 6 GDPR requires consent for the behavioural personalisation. Marketing email follows the rules of national ePrivacy implementations and PECR style soft opt-in where applicable. SAP acts as processor for the customer data uploaded to Emarsys and provides the SAP Data Processing Agreement aligned with Articles 28 and 32 GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For EU customers, Emarsys runs in Vienna, Cologne or Dublin data centres. Personal data stays inside the European Union. SAP support staff may access data from EU based service centres. The SAP DPA includes Standard Contractual Clauses for any incidental access from outside the EU (for example global SAP product engineering when a customer raises a critical incident).
Consent (Article 6(1)(a) GDPR) is required for marketing email, SMS, push and Web Extend tracking. Contractual necessity (Article 6(1)(b)) covers transactional and customer service messages such as order confirmations and password resets. Legitimate interest (Article 6(1)(f)) can support security telemetry and fraud detection on the platform.
Sign the SAP Data Processing Agreement, pin the Emarsys account to a Vienna, Cologne or Dublin pod, deploy Web Extend through a tag manager controlled by the Consent Management Platform, configure double opt-in for sign up forms, document the AI tactics and predictive scores in your records of processing, configure data retention, and provide a clear unsubscribe link in every marketing message.
Websites using Emarsys (SAP Emarsys Customer Engagement) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required when Emarsys handles large customer contact databases, when the Web Tracking script is deployed on high traffic retail websites or when AI driven segmentation builds predictive scores from purchase and browsing histories. The DPIA should cover the EU pod choice, the SAP Data Processing Agreement, retention of behavioural data, joint controllership with the merchant, and the sub-processors used by SAP Emarsys.
Sample consent text
Our website uses Emarsys, an SAP customer engagement platform, to send you personalised marketing emails and recommendations. The Emarsys Web Tracking script sets a first party cookie on this domain and sends product views, basket events and purchases to Emarsys servers in the European Union. By clicking Accept, you authorise this personalisation. You can also Reject and only strictly necessary site functions will run.
Third-party domains contacted
emarsys.comscarabresearch.comrecommender.scarabresearch.commailings.emarsys.comemarsystrack.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| scarab.visitor | HTTP cookie | 1 year | Emarsys Web Extend first party visitor identifier used to build the contact profile. |
| scarab.session | HTTP cookie | Session | Emarsys Web Extend session identifier used to scope events to the current visit. |
| emarsys_recommendation | HTTP cookie | 30 days | Stores the last recommendation request to ensure consistent personalisation. |
Emarsys (SAP Emarsys Customer Engagement) places tracking cookies for advertising — comply with GDPR using FlowConsent.
Emarsys Web Extend sets first party cookies on the merchant domain: scarab.visitor (visitor identifier, 1 year), scarab.session (session) and emarsys_recommendation (30 days). The email channel uses an open pixel and a click redirector through emarsystrack.com.
Yes for marketing email, SMS, push and Web Extend tracking. Transactional emails such as order confirmation can rely on contractual necessity. Marketing must be triggered by an opt-in collected through a CMP or sign up form.
Consent (Article 6(1)(a) GDPR) for marketing. Contractual necessity (Article 6(1)(b)) for transactional emails. Legitimate interest (Article 6(1)(f)) for platform security and fraud detection.
By default no. EU customers can pin the account to the Vienna, Cologne or Dublin pod. SAP support staff may access from EU service centres and Standard Contractual Clauses cover any incidental transfer outside the EU.
Yes when Emarsys handles large customer databases, runs Web Extend on high traffic sites or builds predictive scores from purchase and browsing histories. Document region, retention, sub-processors and joint controllership.
Sign the SAP DPA, pin the account to a EU pod, deploy Web Extend through a tag manager controlled by the CMP, enable double opt-in, document the AI tactics in your records of processing and integrate Emarsys preferences with an in app preference centre.
Other marketing clouds include Salesforce Marketing Cloud, Adobe Campaign, Bloomreach Engagement, Klaviyo, Dotdigital, ActiveCampaign and Braze. EU based alternatives include Splio (France) and Mapp (Germany).
List Emarsys eMarketing Systems AG and SAP SE as processors, describe the scarab.visitor and scarab.session cookies, mention the chosen EU pod (Vienna, Cologne or Dublin) and link to the SAP DPA and the Emarsys privacy policy.