Recommy is an AI personalisation and product recommendation engine for ecommerce. It tracks visitor behaviour across sessions, builds individual profiles and serves dynamic recommendations and personalised content, which makes it subject to prior consent under GDPR and the ePrivacy Directive.
Recommy is an AI personalisation, analytics and product recommendation engine designed for ecommerce. The platform, developed by a Polish company, deploys a JavaScript tracker on the merchant store, ingests browsing events (page views, product views, basket actions, searches, purchases) and builds a behavioural profile for every visitor. It then exposes APIs and UI widgets to serve personalised product carousels, dynamic content and segmentation.
Under the hood, Recommy assigns each visitor a persistent identifier stored in first-party cookies and local storage, sends events to a Recommy API endpoint and feeds machine learning models that compute similarity scores, lookalike audiences and next-best offers.
Recommy sets first-party cookies such as recommy_uid, _rcm and recommy_session, and uses local storage to keep the visitor profile in sync between sessions. Collected data includes anonymous identifiers, page URLs, product identifiers, basket actions, search keywords, user agent, language preferences and, once the visitor logs in or completes a purchase, a hashed customer identifier.
Because Recommy reads and writes non-essential information on the user device and builds behavioural profiles, Art. 5(3) of the ePrivacy Directive requires prior consent, and Art. 6(1)(a) GDPR is the appropriate legal basis. The CNIL, the UODO in Poland and the EDPB consistently consider that personalisation and recommendation engines require explicit opt-in.
Recommy hosts its production stack within the European Union. By default no systematic data transfer outside the EEA is required, which is an advantage over US-based personalisation engines. CDN providers, AWS or Hetzner edges and email gateways may still be involved as sub-processors. The DPA should list them with their location and applicable transfer mechanism, in particular if any non-EU region is enabled.
A DPIA is recommended. Recommy combines persistent identifiers, full browsing histories, basket content, search keywords and AI-driven scoring on a large scale, which triggers several Art. 35(3) GDPR criteria. The DPIA should cover retention, profile portability, data minimisation, the explainability of recommendations and the rights of customers to object to personalisation under Art. 21(2) GDPR.
Block the Recommy tracker behind a Consent Management Platform, document a DPIA, sign the Recommy DPA, configure retention periods for inactive profiles, expose an opt-out mechanism to logged-in customers, list each Recommy cookie and event type in your cookie policy and update your privacy notice with the Polish processor and any sub-processor.
Websites using Recommy must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is recommended because Recommy combines persistent identifiers, behavioural histories, basket data, search queries and AI personalisation. This meets several criteria of Art. 35(3) GDPR (systematic profiling, large scale, innovative technology). The DPIA should review data minimisation, retention of profiles, the explainability of AI recommendations, customer rights to opt out of personalisation and any sub-processor edges in third countries.
Sample consent text
We use Recommy to remember your browsing on our store, build a personalised profile and show you AI-driven product recommendations. This requires storing identifiers on your device and processing your browsing history. Recommy will only run after you click Accept. You can withdraw your consent at any time from our cookie preferences.
Third-party domains contacted
recommy.com, api.recommy.com, cdn.recommy.com, app.recommy.com, tracker.recommy.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rcm_visitor | HTTP | 13 months | Persistent visitor identifier used to recognise returning users across sessions. |
| recommy_uid | first_party | 1 year | Persistent Recommy visitor identifier used to recognise the same browser across sessions and link behavioural events to a profile. |
| _rcm | first_party | 1 year | Stores Recommy tracking flags and last interaction state to feed the recommendation models. |
| rcm_session | HTTP | 30 minutes | Session identifier used to group events into a single browsing session. |
| rcm_consent | HTTP | 6 months | Stores the visitor consent state for Recommy to suppress repeated prompts. |
| recommy_session | session | Session | Holds the current Recommy session identifier for short term event correlation within a browser session. |
| recommy_profile | local_storage | Persistent | Local storage entry that caches the current visitor profile and segmentation tags computed by Recommy. |
| rcm_test | HTTP | Session | Stores the A/B test variant assigned to the visitor for personalisation reports. |
| recommy_ab | first_party | 6 months | Assigns the visitor to a stable A/B testing variant for personalisation experiments inside Recommy. |
Recommy sets first-party cookies such as rcm_visitor (persistent visitor ID, ~13 months), rcm_session (session correlation, 30 minutes), rcm_consent (consent state) and rcm_test (A/B test variant). It also processes IP address, user agent and event metadata.
Recommy mainly sets first-party cookies such as recommy_uid, _rcm and recommy_session, plus local storage entries for the visitor profile. These are persistent identifiers used to recognise visitors across sessions and feed the AI recommendation models.
Yes. Recommy stores a persistent identifier that allows cross-session re-identification, so its tag falls outside the strictly necessary exemption and requires an explicit opt-in under Article 5(3) of the ePrivacy Directive.
Yes. Recommy stores identifiers on the device and performs profiling, so prior, freely given, specific, informed and unambiguous consent is required under Art. 5(3) of the ePrivacy Directive and Art. 6(1)(a) GDPR.
Consent (Art. 6(1)(a) GDPR) is the appropriate basis for the tag and cookies. Legitimate interest (Art. 6(1)(f) GDPR) may apply to internal aggregated reporting after a documented balancing test and only on properly anonymised data.
The primary basis is consent under Art. 6(1)(a) GDPR for personalisation and recommendations. Legitimate interest under Art. 6(1)(f) may cover narrow anti-fraud or aggregated A/B testing scenarios, but never the personalised recommendation itself.
The Recommy backend is hosted in the EU but the tracker is delivered through a global CDN. CDN edge nodes outside the EEA require Standard Contractual Clauses under Article 46(2)(c) GDPR and a transfer impact assessment.
Not by default. Recommy is a Polish company hosting production data in EU regions. Some sub-processors (CDN providers, email gateways) may operate edges in third countries, in which case the EU-US Data Privacy Framework or Standard Contractual Clauses apply.
A DPIA is recommended when Recommy is combined with personal data from forms or CRM, when events are stored at user level rather than aggregated or when reports cross-reference marketing platforms.
A DPIA is recommended. Recommy performs systematic profiling at scale combined with AI-driven recommendations, which triggers Art. 35(3) GDPR criteria. The DPIA should focus on profile retention, opt-out for personalisation, automated decision-making and AI explainability.
Block the tag by default, load it after analytics consent, sign the Recommy DPA, list CDN and host as sub-processors, set cookies to a maximum of 13 months, anonymise IPs and document retention.
Block the Recommy tracker behind a Consent Management Platform, fire it only after opt-in, sign the Recommy Data Processing Agreement, define retention for inactive profiles, expose an opt-out for logged-in customers and declare Recommy in your privacy policy as a Polish processor.
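One way to verify the "block by default" step, as an added example (not Recommy's or any CMP's code): an audit over a snapshot of cookies, local storage keys and request URLs captured before the visitor answers the banner. The snapshot shape, the sample values and the `/collect` path are constructed assumptions; the cookie names and domains are the ones listed on this page.

```javascript
// Names below come from this page's cookie table and domain list.
const RECOMMY_COOKIES = new Set([
  "rcm_visitor", "recommy_uid", "_rcm", "rcm_session", "rcm_consent",
  "recommy_session", "rcm_test", "recommy_ab",
]);
const RECOMMY_STORAGE_KEYS = new Set(["recommy_profile"]);
const RECOMMY_BASE_DOMAIN = "recommy.com";

// Parse a document.cookie / Cookie header string into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// True for recommy.com and its subdomains only; a plain suffix match would
// also hit unrelated hosts such as notrecommy.com.
function isRecommyHost(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false; // relative or malformed URL: not a third-party request
  }
  return host === RECOMMY_BASE_DOMAIN || host.endsWith("." + RECOMMY_BASE_DOMAIN);
}

// snapshot (hypothetical shape): { consentGranted, cookies, storageKeys, requests }.
// An empty result means nothing Recommy-related ran before opt-in.
function auditPreConsent(snapshot) {
  if (snapshot.consentGranted) return [];
  const hit = (kind, value) => ({ kind, value });
  return [
    ...cookieNames(snapshot.cookies).filter((n) => RECOMMY_COOKIES.has(n)).map((n) => hit("cookie", n)),
    ...snapshot.storageKeys.filter((k) => RECOMMY_STORAGE_KEYS.has(k)).map((k) => hit("localStorage", k)),
    ...snapshot.requests.filter(isRecommyHost).map((u) => hit("request", u)),
  ];
}

// Constructed sample: the tag fired before the banner was answered.
const leakySnapshot = {
  consentGranted: false,
  cookies: "lang=pl; recommy_uid=abc123; cart=42; _rcm=1",
  storageKeys: ["theme", "recommy_profile"],
  requests: ["https://shop.example/p/1", "https://tracker.recommy.com/collect", "https://notrecommy.com/x.js"],
};
console.log(auditPreConsent(leakySnapshot));
```

Feed it the cookies, storage keys and network log from a fresh browser profile before clicking Accept; any finding means the tracker is not actually gated by the CMP.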
Yes. Synerise (Poland), Algolia Recommend (France with EU regions), Crossing Minds, Nosto (Finland) and self-hosted open-source recommenders are credible alternatives to Recommy. Most of them are also EU-based, which simplifies compliance.
For EU-friendly analytics consider Matomo (self-hosted or EU Cloud), Plausible (EU-hosted), Pirsch (Germany), Fathom Lite, Simple Analytics or Cabin.
List the controller, the processor (Recommy), the purposes (analytics, reporting), the cookies and their lifetimes, the CDN sub-processor, the international transfers and their legal basis, and the rights and withdrawal mechanism.
List recommy_uid, _rcm, recommy_session and local storage entries with purpose, type and duration, identify Recommy as a Polish processor, document any sub-processor edge in third countries and explain how customers can opt out of personalisation.