Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Ometria is a Customer Data Platform and marketing engagement product built for retail brands, headquartered in London. It combines website behavioural tracking, e commerce integration, an email and SMS engine and an AI driven personalisation layer. EU customer data is processed entirely in EU and UK data centres (AWS Ireland and London) under the EU UK adequacy decision, which makes Ometria a privacy friendlier option than US headquartered CDP competitors for European retailers.
Ometria is a Customer Data Platform (CDP) and marketing engagement product built specifically for retail brands. It was founded in 2013 in London and has grown to serve hundreds of European and US retail brands, with EU customer data processed exclusively in EU and UK data centres. Ometria combines four major components: website behavioural tracking via the Hummingbird tracker SDK (OmetriaJS), e commerce platform integration (Shopify, Magento, Salesforce Commerce, Hybris, BigCommerce) that ingests order and product data, an email and SMS engine with marketing automation, and an AI driven recommendation and segmentation layer.
On the website, OmetriaJS writes the ometria_id cookie (default 1 year lifetime) on the operator''s first party domain and transmits events to Ometria: page views, product views, add to cart, purchase, search queries and any custom events. When the visitor identifies themselves (sign up, login, email click), the ometria_id is joined to the customer profile via email address, creating a deterministic link between website behaviour and the CRM record. From the e commerce platform integration, Ometria ingests order data including line items, totals, discounts and product attributes, as well as customer profile fields.
OmetriaJS writes a cookie not strictly necessary, so ePrivacy Art. 5(3) requires prior informed consent. Under GDPR, consent under Art. 6(1)(a) is the appropriate basis for the cookie and behavioural tracking. Marketing emails and SMS require their own consent under ePrivacy and PECR, with soft opt in available for existing customers in some jurisdictions. The AI recommendation engine qualifies as profiling under GDPR Art. 22 and must be transparent and reviewable.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Ometria processes EU customer data exclusively in EU and UK data centres (AWS eu-west-1 Ireland and eu-west-2 London). The European Commission''s UK adequacy decision (June 2021) covers transfers from EU/EEA to the UK as if to another member state, so there is no Schrems II transfer assessment burden for Ometria itself. This is a structural advantage for European retailers compared to US headquartered CDP competitors. Narrow ancillary transfers to US sub processors (e.g. Stripe for billing) exist but are documented under SCCs and are not part of the CDP processing.
For retailers selling cosmetics, supplements, sex and wellness products or health adjacent items, purchase history may reveal special category data within the meaning of GDPR Art. 9 (data concerning health, religious beliefs, sexual orientation). The DPIA must reflect this and the lawful basis should be reviewed (consent often the only option, with separate explicit consent under Art. 9). Ometria supports excluding categories from profiling and segmentation rules to limit exposure.
Gate OmetriaJS behind a Consent Management Platform with explicit marketing or personalisation consent. Collect a separate consent (or soft opt in where allowed) for marketing email and SMS. Sign the Ometria DPA. Document the processing in the record of processing, including the EU/UK data residency, the e commerce integration scope and the AI profiling. Run a DPIA covering the deterministic identity link and any sensitive product categories. List the ometria_id cookie in the cookie policy and disclose Ometria as a processor in the privacy notice.
Websites using Ometria must obtain user consent under GDPR regulations.
DPIA considerations
Ometria writes the ometria_id cookie (Ometria visitor ID, default lifetime 1 year) on the operator's first party domain to identify the visitor and join their website activity to their customer profile. DPIA considerations: (1) the ometria_id is a persistent online identifier and personal data under GDPR, with deterministic linking to email and order data when the visitor signs in or clicks an email; (2) Ometria processes EU customer data in EU and UK data centres only, which keeps transfers within the adequacy umbrella and removes Schrems II concerns; (3) the AI recommendation engine is profiling under GDPR Art. 22 and must be transparent and controllable by the visitor; (4) integration with Shopify, Magento and other e commerce platforms ingests order data with potentially sensitive product categories (cosmetics, health, financial). A DPIA is recommended for any non trivial Ometria deployment, particularly for retailers selling sensitive product categories.
Sample consent text
We use Ometria (Ometria Ltd., London) as our Customer Data Platform and email marketing tool. Ometria places a cookie (ometria_id) on your device to link your browsing to your customer profile, and sends personalised emails based on your purchase and browsing history. Your data stays in the European Union and United Kingdom, with the UK relying on the European Commission's adequacy decision. We rely on your consent (Art. 6(1)(a) GDPR), which you can withdraw via our cookie settings or the unsubscribe link in our emails.
Third-party domains contacted
ometria.comcdn.ometria.comapi.ometria.commailings.ometria.comt.omtr.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ometria_id | Marketing / Personalisation | 1 year | Set by Ometria via OmetriaJS on the operator's first party domain. The Ometria visitor ID, a persistent online identifier used to recognise the visitor across sessions and to deterministically join their browsing activity to their customer profile when they sign in or click an email link. |
| ometria_session | Marketing / Personalisation | 30 minutes | Set by Ometria. Session level identifier used by Ometria to group page views and events into a single visit for recommendation and segmentation purposes. |
| ometria_anon_id | Marketing / Personalisation | 1 year | Set by Ometria. Anonymous browsing identifier used when the visitor has not yet identified themselves through email or login; merged into the customer profile upon identification. |
| ometria_pageviews | Marketing / Personalisation | 1 year | Set by Ometria. Aggregated page view counter used to evaluate visitor engagement levels and to feed segmentation rules. |
Ometria places tracking cookies for advertising — comply with GDPR using FlowConsent.
Ometria writes the ometria_id cookie (Ometria visitor ID, default 1 year lifetime) on the operator's first party domain. The cookie is a persistent identifier used to recognise the visitor across sessions and to deterministically join their browsing to the customer profile when they identify themselves. Additional cookies may track session level engagement.
Yes. The ometria_id cookie is not strictly necessary and ePrivacy Art. 5(3) requires prior informed consent. The behavioural tracking is a marketing/personalisation purpose under GDPR. Marketing emails and SMS require their own consent (or soft opt in under PECR) under ePrivacy.
Consent (GDPR Art. 6(1)(a)) for the website tracking and personalisation. Consent or soft opt in for marketing email/SMS under ePrivacy and PECR. Contract necessity (Art. 6(1)(b)) for transactional emails. The recommendation engine output is profiling under GDPR Art. 22.
No for the core CDP product. Ometria processes EU customer data exclusively on AWS infrastructure in eu-west-1 (Ireland) and eu-west-2 (London). The European Commission's UK adequacy decision covers transfers to the UK. Some narrow ancillary transfers to US sub processors (e.g. Stripe for billing) exist under SCCs but are not part of the CDP processing.
A DPIA is recommended for any non trivial Ometria deployment because of the deterministic identity stitching between cookie and customer profile, the profiling under GDPR Art. 22, and the potentially sensitive product categories in retail data. The Schrems II transfer factor that drives DPIA threshold for US CDPs does not apply here, lowering overall risk.
Gate OmetriaJS behind a Consent Management Platform with explicit marketing or personalisation consent. Collect a separate marketing email and SMS consent. Sign the Ometria DPA. Document the processing in the record of processing, including the deterministic identity link, the AI profiling and the EU/UK residency. Run a DPIA for the cookie plus customer profile combination and for any sensitive product categories.
Other retail focused CDPs and engagement platforms include Bloomreach Engagement (Czech Republic, EU), Emarsys (Austria/SAP), Klaviyo (US), Sailthru (US/Marigold), Salesforce Marketing Cloud, Mapp Cloud (Germany), Dotdigital (UK) and BeProduct/Brevo (Belgium/France). EU/UK options like Bloomreach, Emarsys, Mapp, Dotdigital and Brevo avoid the US data transfer burden by default.
List the ometria_id cookie under marketing/personalisation with a 1 year duration. Name Ometria Ltd. (London) as a processor in the privacy notice, declare the EU/UK data residency and reference the EU UK adequacy decision. Disclose the deterministic identity stitching between cookie and customer profile. Provide a working consent withdrawal link and an unsubscribe link in marketing emails.