Hosted site search service whose JavaScript widget submits user queries to Queryly servers and tracks result click throughs.
Queryly is a hosted site search service used by publishers and large content websites. A JavaScript widget on the publisher site renders the search box and result page, while queries are processed by Queryly servers that maintain an index of the publisher content and provide ranking and suggestions.
Queryly transmits the typed query, the page on which it was issued, IP address and user agent to its US infrastructure. It tracks which result was clicked to measure relevance, and may set first party cookies on the publisher domain to keep a session identifier and recent queries.
While the core search functionality can be argued to be necessary for the service requested by the user, the click tracking and analytical cookies set by Queryly go beyond what is strictly necessary and therefore trigger the consent requirements of Article 5(3) of the ePrivacy Directive and GDPR Article 6(1)(a). Transfers to the United States require appropriate safeguards.
Risks include the disclosure of sensitive queries to a US provider, persistent identification across sessions and lack of transparency on retention. Mitigations include configuring short retention, blocking analytics cookies until consent, encouraging users not to include personal data in queries, and signing a data processing agreement with Queryly.
Load the Queryly widget through a consent management platform with analytics tracking blocked until consent. Configure the widget so that only the strictly necessary search functionality runs without consent if your CMP supports it. Document the processing and transfer in your records and privacy notice.
Websites using Queryly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when the search index covers sensitive content (health, political, religious) or large volumes of visitor data, given the US data transfers. Document data flows, retention, transfer safeguards and risks of disclosing sensitive queries.
Sample consent text
We use Queryly to power the search on our website. This service stores cookies, collects your queries and transfers them to the United States. You can accept or refuse from our consent banner.
Third-party domains contacted
queryly.com
api.queryly.com
cdn.queryly.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| qly_sid | functional | Session | Session identifier used by the Queryly widget to associate consecutive search interactions of a visitor. |
| qly_uid | analytics | 1 year | Persistent identifier that recognises a returning visitor for search personalisation and analytics. |
| qly_recent | functional | 30 days | Stores recent queries typed by the visitor for autocomplete suggestions in the Queryly search box. |
| qly_click | analytics | 30 days | Records which search results were clicked to measure relevance and improve ranking. |
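
An added example (not code from Queryly or from this page's publisher): a check that takes the request URLs and cookie string captured from a page load and flags Queryly traffic or `qly_` cookies that lack consent for their category, using the domains and cookie table listed above. The consent object shape, the sample capture and the treatment of unlisted `qly_` cookies as analytics are assumptions.

```javascript
// Domains and cookie categories copied from this page's lists.
const QUERYLY_HOSTS = ["queryly.com", "api.queryly.com", "cdn.queryly.com"];
const QLY_COOKIES = {
  qly_sid: "functional", qly_uid: "analytics",
  qly_recent: "functional", qly_click: "analytics",
};

// True when the URL's host is a listed Queryly domain or a subdomain of one.
function isQuerylyHost(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); }
  catch { return false; } // relative or malformed URL: not a third-party call
  return QUERYLY_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Cookie names from a document.cookie style string.
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

// consent: { functional: bool, analytics: bool } as reported by the CMP (assumed shape).
// Assumption: with no consent at all, any contact with a Queryly host is a finding.
function auditQueryly(requestUrls, cookieString, consent) {
  const findings = [];
  const anyConsent = consent.functional || consent.analytics;
  for (const url of requestUrls) {
    if (!anyConsent && isQuerylyHost(url)) {
      findings.push({ kind: "request", item: url });
    }
  }
  for (const name of cookieNames(cookieString)) {
    // Unlisted qly_ cookies are treated as analytics (conservative assumption).
    const category = QLY_COOKIES[name] || (name.startsWith("qly_") ? "analytics" : null);
    if (category && !consent[category]) {
      findings.push({ kind: "cookie", item: name, category });
    }
  }
  return findings;
}

// Constructed sample capture, not real traffic; the widget path is hypothetical.
const sampleRequests = [
  "https://publisher.example/article/42",
  "https://cdn.queryly.com/widget.js",
  "https://notqueryly.com/x",
];
const sampleCookies = "theme=dark; qly_sid=abc123; qly_uid=u-789; qly_click=r7";
```

Feed it the URL list from a browser network capture and the value of `document.cookie` taken before the visitor interacts with the consent banner; an empty result is the expected outcome.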
Queryly sets first party cookies on the publisher domain (typically with a qly_ prefix) to store a session identifier and the user's recent queries for autocomplete and personalisation. These cookies are not strictly necessary for search to work and therefore require user consent.
Yes for the analytics and tracking features. The base search functionality may be argued as necessary, but click tracking and analytical cookies fall under Article 5(3) of the ePrivacy Directive and require prior consent. Many regulators recommend treating Queryly as a non essential tool.
The legal basis is the user's consent under Article 6(1)(a) of the GDPR for the analytical features, and possibly contract or legitimate interest for the core search. Article 5(3) of the ePrivacy Directive applies to all non-essential cookies.
Yes. Queryly is a US based provider hosting data in the United States, so transfers from the EU to the US occur. They require Standard Contractual Clauses or DPF certification, plus supplementary measures to address US surveillance laws.
A DPIA is recommended when the website is large or covers sensitive topics, because search queries can themselves reveal sensitive information. The DPIA should describe what queries are sent, who has access, retention periods and the international transfer mechanism.
Load the Queryly widget only after consent for non essential cookies, or configure it to run a minimal essential search mode without analytics. Sign a data processing agreement, document the transfer to the US and warn users not to include personal data in queries.
Alternatives include self hosted search engines such as Meilisearch, Typesense and Elasticsearch hosted in the EU, or commercial offerings with EU hosting like Algolia EU and Doofinder. These options give better control over data location and retention.
Add an entry for Queryly under analytics or functional cookies (depending on configuration) with cookie names, durations and purposes. Mention that queries and IP addresses are sent to Queryly servers in the United States and describe the applicable transfer mechanism.