Doofinder is a Spanish ecommerce search and discovery SaaS founded in Madrid in 2012. It powers instant search, autocomplete, product recommendations, personalization and A/B testing for online stores running on Shopify, Magento, PrestaShop, WooCommerce and BigCommerce. Core infrastructure is hosted on AWS Frankfurt and Dublin in the European Union. Doofinder sets first party and third party cookies to track visitor sessions, search behaviour and personalization preferences, which makes it subject to the GDPR and ePrivacy rules on consent.
Doofinder is a Spanish search as a service platform built specifically for ecommerce. It was founded in Madrid in 2012 and has since opened an office in San Francisco to serve North American clients, but the company and its main data processing operations remain anchored in the European Union. Online stores use Doofinder to replace the limited native search of their ecommerce platform with a faster engine that supports typo tolerance, synonyms, faceted navigation, autocomplete, product recommendations and merchandising rules. Doofinder ships official integrations for Shopify, Magento, PrestaShop, WooCommerce, BigCommerce and Shopware, along with a JavaScript SDK and REST APIs that make it possible to use the engine on any custom storefront.
To deliver relevant results and analytics, Doofinder collects search queries typed in the search box, click events on suggestions and result cards, add to cart and checkout events forwarded by the integration, the referring page and the device user agent. It also sets a pseudonymous visitor identifier stored in a cookie so that the same browser can be recognised across sessions, which is what powers personalization, A/B testing of result ranking and reporting on conversion rate per query. None of this data is directly nominative, but combined with a logged in customer identifier or an email address it can become personal data under the GDPR.
Doofinder cookies are not strictly necessary to display a product catalogue, so under Article 5(3) of the ePrivacy Directive and its national transpositions they require prior informed consent before being written on the user device. Consent is also the most defensible legal basis under the GDPR for the behavioural tracking and personalization features. Aggregated search analytics that do not rely on individual identifiers can sometimes be processed under legitimate interest, but the safest pattern is to gate the full Doofinder script behind the consent management platform and only fall back to a fully anonymous mode if consent is refused.
Compared to most ecommerce search competitors, which are operated by US companies and rely on US infrastructure, Doofinder offers a strong EU footprint. The legal entity Doofinder S.L. is established in Madrid, the search and analytics backends run on AWS regions in Frankfurt and Dublin, and customer support for EU clients is handled by EU based teams. This significantly reduces exposure to the Schrems II problem and makes the data flow easier to document in records of processing and transfer impact assessments. For controllers based in France, Germany, Spain or Italy, Doofinder is one of the few mainstream choices that does not require a default transfer to the United States.
On Shopify, PrestaShop, Magento and WooCommerce, the recommended pattern is to install the official Doofinder app or module but to disable its automatic script injection, then load the Doofinder snippet only after the visitor has granted consent to the search or personalization category in the CMP. Cookie policy entries should be added for the visitor identifier and session cookies, indicating the controller, the EU hosting, the 12 month retention and the purpose. A data processing agreement signed with Doofinder S.L. should be filed alongside the other vendor DPAs, and the cookie banner should give a clear path to refuse Doofinder without breaking the rest of the store.
Websites using Doofinder must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA is generally not mandatory for a standard Doofinder deployment because data stays inside the EEA and the categories of data are limited to search queries, click events, cart events and a pseudonymous visitor identifier. A DPIA should however be considered when Doofinder personalization is combined with logged in customer profiles, when search logs are cross referenced with CRM data, or when special category interests can be inferred from queries. Document the legal basis (consent for tracking cookies, legitimate interest for aggregated analytics), retention periods, sub processors and the role of the AWS EU regions in your record of processing activities.
Sample consent text
We use Doofinder, an EU based search engine, to power product search, autocomplete and personalized recommendations on this site. With your consent, Doofinder may set cookies to remember your search session, measure click through rates and tailor results to your behaviour. You can accept, refuse or change your choice at any time from the cookie settings.
Third-party domains contacted
eu1-search.doofinder.com, eu1-stats.doofinder.com, cdn.doofinder.com, app.doofinder.com, www.doofinder.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __df_visitor | third_party | 12 months | Pseudonymous visitor identifier used to recognise the same browser across sessions for personalization, A/B testing and conversion reporting. |
| __df_session | third_party | Session | Scopes a single browsing session on the storefront and links search and click events generated within it. |
| __df_search_id | third_party | Session | Search session identifier that ties together queries, suggestions, click events and conversions for analytics and ranking tuning. |
| __df_ab | third_party | 6 months | Stores the bucket assigned by the Doofinder A/B testing engine so that the same visitor consistently sees the same ranking variant. |
Doofinder typically sets a small set of first party and third party cookies on the storefront. The visitor identifier cookie __df_visitor is used to recognise the same browser across sessions for personalization, A/B testing and reporting. The session cookie __df_session scopes a single browsing session, __df_search_id ties together the events of a single search session and __df_ab stores the bucket assigned by the A/B testing engine. None of these cookies are strictly necessary for an ecommerce site to function, so they must all be presented in the cookie banner and gated behind consent.
Yes. Under Article 5(3) of the ePrivacy Directive and its national transpositions in the EU, prior informed consent is required before writing or reading non strictly necessary cookies on the user device. Doofinder cookies fall in that category because they enable behavioural tracking and personalization that go beyond what is needed to deliver the product catalogue. The Doofinder script and its cookies must therefore only be loaded once the user has explicitly accepted the relevant category in the consent management platform.
For the behavioural tracking, personalization and A/B testing features, the only solid legal basis under the GDPR is consent under Article 6(1)(a). Legitimate interest under Article 6(1)(f) can be considered for fully aggregated and de identified search analytics, provided that a documented legitimate interest assessment is performed and that users are given a clear right to object. The same logic applies to recommendations powered by visitor history, which always require consent.
By default, no. Doofinder S.L. is established in Madrid and operates the search and analytics backends on AWS regions in Frankfurt and Dublin, both inside the European Union. A subsidiary in San Francisco supports US clients, but EU customer data is kept on EU infrastructure. Some limited support and sub processor flows may involve other countries; these are covered by Standard Contractual Clauses and listed in the Doofinder data processing agreement. This makes Doofinder a notably low risk vendor from a Schrems II perspective.
A standard Doofinder deployment limited to anonymous search and recommendations on an ecommerce site does not usually trigger the mandatory DPIA criteria. A DPIA becomes recommended or necessary when Doofinder is combined with logged in customer profiles to build personalized recommendations, when search and click data are cross referenced with CRM data, or when categories of queries may reveal sensitive information such as health or political opinions. Document the assessment in the records of processing and revisit it after major integration changes.
On Shopify, Magento, PrestaShop and WooCommerce, install the official Doofinder app or module but disable any automatic script injection in the store theme. Add Doofinder to the analytics or personalization category of your consent management platform and configure the snippet to load only after the user has accepted that category. Make sure that the rest of the catalogue remains usable when consent is refused, by falling back on the native platform search. Finally, document the cookies in your cookie policy and link the Doofinder DPA in your vendor register.
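One way to check that the gating described above actually holds is to audit a page-load trace for Doofinder requests or cookie writes that occur before consent. The following is an added example, not code from Doofinder or any CMP; the trace format, the `auditTrace` and `isDoofinderHost` names and the sample data are assumptions, while the hosts and cookie names are the ones listed on this page.

```javascript
// Added example (not Doofinder or CMP code). The trace format is an assumption:
// each event is { t: ms since navigation, url, cookies: [names written] }.
const DOOFINDER_COOKIES = new Set([
  '__df_visitor', '__df_session', '__df_search_id', '__df_ab',
]);

// True for doofinder.com and any subdomain (covers the five hosts listed above).
function isDoofinderHost(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false; // unparsable URL: not attributable to Doofinder
  }
  return host === 'doofinder.com' || host.endsWith('.doofinder.com');
}

// consentAt: ms at which the category was accepted, or null if refused/never given.
// Returns every Doofinder request or cookie write that happened without consent.
function auditTrace(events, consentAt) {
  const findings = [];
  for (const ev of events) {
    const consented = consentAt !== null && ev.t >= consentAt;
    if (consented) continue;
    if (isDoofinderHost(ev.url)) {
      findings.push({ t: ev.t, kind: 'request', detail: new URL(ev.url).hostname });
    }
    for (const name of ev.cookies || []) {
      if (DOOFINDER_COOKIES.has(name)) {
        findings.push({ t: ev.t, kind: 'cookie', detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample trace; hosts and cookie names are from this page, paths are placeholders.
const SAMPLE_TRACE = [
  { t: 120, url: 'https://shop.example/', cookies: ['cart'] },
  { t: 340, url: 'https://cdn.doofinder.com/placeholder.js', cookies: [] },
  { t: 410, url: 'https://eu1-stats.doofinder.com/placeholder', cookies: ['__df_visitor'] },
  { t: 2500, url: 'https://eu1-search.doofinder.com/placeholder', cookies: ['__df_search_id'] },
];

// Consent given at t=2000: the two early requests and the early cookie are violations.
console.log(auditTrace(SAMPLE_TRACE, 2000));
```

Passing `null` as `consentAt` models a visitor who refused, in which case any Doofinder request or cookie in the trace is reported.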
The main competitors in ecommerce search include Algolia in France and the United States, Klevu in Finland and the United Kingdom, Searchspring in the United States, FactFinder in Germany, Searchanise in the United States and Bloomreach in the United States and Czech Republic. Many of these alternatives are US based and route data through US infrastructure, which makes the transfer impact assessment heavier. Doofinder stands out as one of the few mainstream choices with a Spanish parent company and primary EU hosting, which is a meaningful differentiator for controllers in the European Union.
The cookie policy entry for Doofinder should identify Doofinder S.L. as the controller or processor, state that the service is operated from Spain on AWS infrastructure in the European Union, list the cookies set on the domain with their retention (typically up to 12 months for the visitor identifier and session duration for the others) and describe the purposes: product search, autocomplete, recommendations, personalization and analytics. Add a link to the Doofinder privacy notice and to the cookie settings panel where users can withdraw consent at any time.