Customer data platform and marketing automation suite, now branded Bloomreach Engagement. Tracks visitor events, builds unified profiles and runs personalisation, email, SMS and push campaigns. Heavy tracking with EU and US hosting.
Exponea was a Slovak customer data platform launched in 2015. It was acquired by Bloomreach in 2021 and rebranded as Bloomreach Engagement. The platform combines a customer data platform, web and mobile analytics, marketing automation, email and SMS sending, in-app messaging, web personalisation and predictive scoring in a single product. It serves mainly retail, fashion, financial services and travel customers in Europe and North America.
The Exponea JavaScript SDK sets a long-lived first-party cookie (`__exponea_etc__`) that stores the anonymous visitor identifier and a per-session cookie (`__exponea_time2__`) for timing measurements. Every page view, click, scroll, form interaction, product view, cart event and purchase is sent to the Exponea API. The SDK can also collect device data (browser, OS, screen, language, rough geolocation from IP) and merge anonymous activity with the customer profile once the visitor logs in or provides an email. Server-side events imported from a CRM or an e-commerce backend are linked to the same profile.
Exponea sets non-essential cookies and performs cross-device profiling, so Article 5(3) of the ePrivacy Directive requires a prior informed opt-in before the SDK loads. The downstream processing of behavioural data and the profiling under Articles 6(1)(a) and 22 GDPR require consent for marketing personalisation and impose transparency, opt-out and human intervention rights. Regulators such as the French CNIL, the Dutch Autoriteit Persoonsgegevens and the Italian Garante have sanctioned CDP deployments that loaded scripts before consent or relied on legitimate interest for marketing.
The Exponea SDK must be gated behind a cookie banner under an analytics and a marketing category. Bloomreach provides a consent management framework that lets you map purposes (functional, analytics, personalisation, marketing automation) and feed the SDK with the chosen state, so events can either be stored anonymously or attached to the full profile. Visitors must be able to refuse as easily as accept, withdraw consent, and ask for access, rectification, deletion and portability through the Bloomreach customer data centre.
Bloomreach Engagement runs on AWS with primary regions in Frankfurt, Dublin and Virginia. Customers choose where their production data is stored, but support, R&D and certain administrative systems are operated from Slovakia, the Netherlands and the United States. Transfers to the US rely on the EU-US Data Privacy Framework and on standard contractual clauses; supplementary measures include encryption in transit, pseudonymisation of cookie identifiers and limited retention of raw events.
Sign the Bloomreach data processing addendum and the SCCs, choose the EU region where possible, list Exponea in your records of processing as a processor with sub-processors disclosed, deploy a CMP that signals consent purposes to the SDK, configure the consent-free anonymous mode for visitors who refuse, document the retention policies for events and profiles, run a DPIA before adding predictive models or audience synchronisation with advertising platforms, and review the deployment every twelve months.
Websites using Exponea must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Article 35 GDPR is strongly recommended. Exponea builds unified customer profiles from web, mobile and CRM data, enriches them with predictive scoring and triggers automated marketing actions. The scale, the profiling and the systematic monitoring of visitors qualify as high risk. Document the categories of identifiers and events ingested, the inferred attributes and predictive models, the retention rules, the recipients of synchronised audiences and the safeguards for transfers to the United States.
Sample consent text
We use Exponea (now Bloomreach Engagement) to recognise you across our website, app and emails and to personalise our communications. This sets analytics and marketing cookies and shares your interactions with Bloomreach in the European Union and the United States. We need your consent before activating these cookies. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
- exponea.com
- bloomreach.com
- infinario.com
- exponea.io

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| `__exponea_etc__` | first-party analytics | 3 years | Long-lived first-party identifier used by the Exponea SDK to recognise the visitor across sessions and link events to the customer profile. |
| `__exponea_time2__` | first-party session | Session | Per-session cookie used by the Exponea SDK to measure event timings and synchronise the device clock with the server. |
| `__exponea_consent__` | first-party preference | 13 months | Optional consent state cookie storing the visitor's cookie banner choices for the Exponea SDK (analytics, personalisation, marketing). |
| `xnpe_*` | third-party (web push) | 13 months | Web push notification cookie set when the visitor subscribes to push notifications via the Exponea web push channel. |
| `ba_id` | first-party marketing | 13 months | Identifier used to link advertising audiences synchronised from Exponea with retargeting platforms. |
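
One way to verify that the SDK stays blocked until the visitor accepts is to audit a browser capture taken before the banner is answered against the domains and cookie names listed above. The following is an added example, not Bloomreach or Exponea code; the capture format, the function names and the sample data are assumptions constructed for illustration.

```javascript
// Domains and cookie names are taken from the lists on this page.
const TRACKER_DOMAINS = ['exponea.com', 'bloomreach.com', 'infinario.com', 'exponea.io'];
const TRACKER_COOKIES = [
  { pattern: /^__exponea_etc__$/, type: 'first-party analytics' },
  { pattern: /^__exponea_time2__$/, type: 'first-party session' },
  { pattern: /^__exponea_consent__$/, type: 'first-party preference' },
  { pattern: /^xnpe_/, type: 'third-party (web push)' },
  { pattern: /^ba_id$/, type: 'first-party marketing' },
];

// Returns the listed domain that host equals or is a subdomain of, else null.
// Matching on a label boundary keeps "notexponea.com" from counting as a hit.
function matchDomain(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return TRACKER_DOMAINS.find((d) => h === d || h.endsWith('.' + d)) || null;
}

// capture: { requests: [url strings], cookies: [cookie names] } recorded before
// the visitor has answered the banner (hypothetical capture format).
function auditPreConsent(capture) {
  const findings = [];
  for (const url of capture.requests || []) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip malformed URLs
    const domain = matchDomain(host);
    if (domain) findings.push({ kind: 'request', value: url, matched: domain });
  }
  for (const name of capture.cookies || []) {
    const hit = TRACKER_COOKIES.find((c) => c.pattern.test(name));
    if (hit) findings.push({ kind: 'cookie', value: name, matched: hit.type });
  }
  return findings;
}

// Constructed sample capture (not real traffic; hosts and paths are made up).
const SAMPLE_CAPTURE = {
  requests: [
    'https://shop.example/',
    'https://sub.exponea.com/constructed-path',
    'https://notexponea.com/x',
    'https://exponea.io.shop.example/x',
    'not a url',
  ],
  cookies: ['session_id', '__exponea_etc__', 'xnpe_constructed', 'ba_identity'],
};

console.log(auditPreConsent(SAMPLE_CAPTURE));
```

An empty result on a pre-consent capture is the expected state; each finding names the request or cookie that appeared before the opt-in.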
The Exponea JavaScript SDK sets a long-lived first-party cookie (`__exponea_etc__`) that stores the anonymous visitor identifier, a per-session cookie (`__exponea_time2__`) used for timing measurements, and an optional consent state cookie (`__exponea_consent__`) that remembers the visitor's choices. Server-side events imported through the API do not add browser cookies but extend the same profile.
Yes. The SDK sets non-essential cookies and starts collecting behavioural data as soon as it loads. Article 5(3) of the ePrivacy Directive requires a prior informed opt-in. The SDK must be blocked by default in your tag manager or CMP and triggered only after acceptance in the analytics and marketing categories of the banner.
Consent (Article 6(1)(a) GDPR and Article 5(3) ePrivacy Directive) for the cookies, the profiling and the marketing personalisation. Legitimate interest (Article 6(1)(f) GDPR) may cover purely aggregated internal analytics, but is not accepted by EU regulators for marketing automation or for cross-channel personalisation.
Yes. Bloomreach Engagement operates from EU regions (Frankfurt, Dublin) and US regions (Virginia), and support and R&D teams are based in Slovakia, the Netherlands and the United States. Transfers to the US rely on the EU-US Data Privacy Framework and on standard contractual clauses, supplemented by encryption in transit, pseudonymisation and limited retention.
Yes, in practice. The scale of data collection, the cross-device profiling, the predictive scoring and the systematic monitoring fall squarely within the Article 35 GDPR criteria. A DPIA must document the categories of data, the inferred attributes, the retention rules, the recipients of synchronised audiences and the safeguards for transfers to the US.
Sign the Bloomreach DPA and SCCs, choose the EU region, deploy a CMP that signals consent purposes to the SDK, configure an anonymous mode for visitors who refuse, restrict access to the back office with strong authentication, document retention rules for events and profiles, run the DPIA before activating predictive models or advertising synchronisation and review every twelve months.
Other CDPs and marketing automation platforms include Tealium AudienceStream, mParticle, Twilio Segment, Salesforce Data Cloud, RudderStack, Adobe Real-Time CDP and Klaviyo. EU-based alternatives include Commanders Act and Piwik PRO CDP. Each option still requires a DPA, a consent banner and a transfer assessment.
List Exponea (Bloomreach Engagement) as a processor with the cookies it sets (`__exponea_etc__`, `__exponea_time2__`, optional consent cookie), their purpose, duration and category. Mention the hosting region and the EU-US Data Privacy Framework. Link to the Bloomreach privacy policy and to the preference centre that lets visitors exercise their rights. Review the entry every twelve months.