Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Attraqt is a UK based search, merchandising, and personalisation platform for e-commerce, providing site search, category navigation, recommendations, and AI driven product discovery, originally built on the Fredhopper search engine acquired in 2017.
Attraqt is a London headquartered software company that provides search, merchandising, and personalisation services to online retailers and brands. The platform combines the Fredhopper search engine, acquired in 2017, with category page management, product recommendations, and AI driven product discovery widgets. Merchants integrate Attraqt through a JavaScript SDK and server side catalog feeds, and the platform powers the on site search bar, faceted navigation, category ordering, and recommendation carousels. Attraqt is used by large European fashion, beauty, and home retailers and competes with vendors such as Algolia, Bloomreach, and Coveo.
Attraqt writes a first-party cookie to identify the browsing session, track click positions in search results, and link multiple visits to the same anonymous profile. The SDK captures product views, add to cart, search queries, filter clicks, and purchases, and forwards them to the Attraqt event API. Where the merchant uses the personalisation modules, a longer lived identifier is used to build a behavioural profile across sessions. The cookies and identifiers stored on the visitor device fall within the scope of ePrivacy Article 5(3), so consent is required before they are written for purposes that go beyond strictly necessary search.
When a merchant uses Attraqt, the merchant is the controller and Attraqt acts as a processor under Article 28 GDPR. The data processing agreement should describe the categories of data, the purposes, the retention, and the sub processors. The categories typically include online identifiers, behavioural events, search queries that may reveal interests, and, for logged in customers, hashed customer identifiers. Special categories should not be sent to Attraqt unless a specific lawful basis under Article 9 applies. The Digital Services Act adds transparency obligations for very large online platforms that use recommender systems.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Strictly necessary search that simply finds products matching a query can rely on Article 6(1)(f) legitimate interest and does not require ePrivacy consent if no non essential identifier is stored. Personalisation, behavioural recommendations, A: B testing, and cross session profiling require Article 6(1)(a) consent because identifiers are stored on the device for non essential purposes. The CNIL and the ICO confirm that cookie banners must offer an equally accessible refuse option, and the AEPD adds that scrolling does not constitute consent. Configure the SDK to operate in a non personalised mode when consent is refused.
Attraqt processes data primarily in EU regions but routes some support and engineering operations through the United Kingdom. The UK benefits from an EU adequacy decision adopted in 2021, so transfers do not require Standard Contractual Clauses, but controllers should record the transfer in the records of processing and inform data subjects in the privacy notice. Where Attraqt uses sub processors in countries without adequacy, such as engineering support from third countries, Standard Contractual Clauses with supplementary measures must apply. Review the sub processor list in the data processing agreement at least annually.
Map every Attraqt cookie and event to a purpose in the cookie policy and the records of processing. Configure the SDK so that the personalisation and recommendation modules load only after consent for personalisation, while basic search remains available. Update the privacy notice to mention Attraqt as a processor, the categories of data, the retention, and the UK adequacy decision. Sign the Attraqt data processing agreement, request the latest sub processor list, and ensure that data subject access and erasure requests are routed correctly. Test pages with consent denied to confirm that no profiling cookie is set.
Websites using Attraqt must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Attraqt is used for behavioural personalisation, customer profiling, or AI driven recommendations that influence the products shown to each visitor. Document the categories of personal data, the retention applied to events and profiles, the legal basis for each module, and any transfers to the United Kingdom under the UK adequacy decision. Reference the EDPB guidelines on automated processing and recommender systems and the ICO age appropriate design code where minors may be involved.
Sample consent text
We use Attraqt to power search, merchandising, and product recommendations on this store. With your consent, we store an identifier and behavioural events on your device to personalise results, suggest products, and measure the effectiveness of our merchandising. You can change or withdraw your choice at any time from the cookie settings link in the footer.
Third-party domains contacted
attraqt.ioapi.attraqt.iosearch.attraqt.ioexperiences.attraqt.comfredhopper.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| atrqt_sid | first_party | Session | First-party session identifier set by the Attraqt SDK to group search and click events for the current visit on the merchant site. |
| atrqt_uid | first_party | 1 year | First-party persistent identifier used by Attraqt to recognise the visitor across sessions and to power personalisation and recommendations. |
| atrqt_test | first_party | 30 days | Stores the variant assignment for A: B tests configured in Attraqt Experiences, so the same visitor sees a consistent merchandising variant. |
| atrqt_consent | first_party | 6 months | Records the visitor consent state shared with the Attraqt SDK so that personalisation and recommendations only run after consent. |
Attraqt collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Yes. Attraqt sets a first-party cookie to identify the session, track interactions, and link visits when personalisation is enabled. Additional identifiers may be stored for longer periods when the merchant uses recommendations or AI discovery. These identifiers are stored on the device and used for purposes beyond strictly necessary search, so ePrivacy Article 5(3) applies and consent is required before they are written.
Consent is required for the personalisation, recommendation, and behavioural profiling features of Attraqt because they store and read non essential identifiers on the visitor device. A simpler search that does not store identifiers and does not profile the visitor can rely on legitimate interest. In practice, consent management platforms should gate the personalisation modules and allow basic search to function with consent refused.
Strictly necessary search that helps the visitor find products on the merchant site can rely on Article 6(1)(f) legitimate interest, with a balancing test documented by the controller. Personalisation, behavioural recommendations, and AI discovery rely on Article 6(1)(a) consent because they involve profiling and storage of identifiers. The merchant remains the controller and Attraqt acts as a processor under Article 28 GDPR.
The United Kingdom benefits from an EU adequacy decision adopted in 2021, so transfers from the EEA to Attraqt UK operations do not require Standard Contractual Clauses. Controllers should still mention the transfer in the privacy notice, in the records of processing, and in the data processing agreement, and monitor any future change to the adequacy decision. Sub processors outside adequacy must rely on Standard Contractual Clauses.
A DPIA is recommended when Attraqt is used for behavioural personalisation, AI driven recommendations, or large scale profiling of customer journeys, in line with the EDPB DPIA guidelines and the lists adopted by the CNIL and the AEPD. A DPIA is less critical when Attraqt is used only for non personalised search and merchandising. Document the categories of data, the retention, and the legitimate interest balancing test where applicable.
Wrap the personalisation, recommendation, and analytics calls of the Attraqt SDK in a consent management platform that exposes a consent state for personalisation and analytics. Load the personalisation modules only after consent, and configure a fallback to non personalised search with no behavioural cookie. Make the refuse option as accessible as the accept option, and document the configuration in the records of processing.
When consent is refused, configure Attraqt to run a strictly necessary search mode that does not store behavioural identifiers and does not profile the visitor. Recommendations can fall back to merchandising rules based on the catalog, the page context, and aggregated bestsellers. This mode preserves a usable search experience while respecting the choice of the visitor and avoids the need for ePrivacy consent.
List Attraqt as a processor that powers search, merchandising, and personalisation. Describe the cookies it sets, their duration, and purpose, and mention the categories of behavioural events captured by the SDK. Reference the UK adequacy decision for transfers to Attraqt UK operations and link to the Attraqt privacy notice. Provide the channels for data subject access, erasure, and objection requests.