Segmentify is a personalization and behavioral analytics platform for ecommerce retailers. Its JavaScript SDK captures product views, cart activity, search queries and session signals to build visitor profiles, then powers AI driven product recommendations, email triggers, push notifications and behavioral targeting across the customer journey. The platform uses first-party and third-party cookies, with primary processing in the EU (Ireland) and analytical processing in Turkey, which raises specific GDPR Chapter V transfer considerations.
Segmentify is a personalization and behavioral analytics platform built primarily for online retailers. Operators add a lightweight JavaScript snippet (segmentify.js) to every page of their site, and a server-side feed describing their product catalogue. The script then observes visitor behaviour in real time: page views, product impressions, add to cart events, checkout steps, on-site search terms, scroll depth and session duration. Each visitor is assigned a persistent identifier, stored in first-party cookies and in browser localStorage, and the resulting behavioural profile is enriched with attributes such as inferred product affinities, predicted purchase intent, churn risk and lifetime value. These profiles drive AI generated product recommendations, personalised category sorting, on-site banners, triggered emails, push notifications and audience segments that can be exported to advertising platforms.
Segmentify processes a wide range of identifiers and behavioural signals. Persistent first-party cookies on the operator domain, such as sgf_uid and sgf_session, store the visitor and session identifiers, typically for 13 months. Third-party cookies set on segmentify.com (for example sgf_cs and sgf_tg) support cross-domain analytics and audience syndication where the operator runs multiple properties. Additional data captured includes truncated IP address, user agent, device class, referrer URL, viewed product SKUs, search queries, cart contents and email hash (when the visitor logs in or signs up to a newsletter). Where the operator integrates Segmentify with its CRM, hashed email or customer ID can be passed to Segmentify to reconcile sessions across devices. All of these identifiers fall within scope of GDPR art. 4(1) personal data and require consent under ePrivacy art. 5(3) before any read or write to the terminal.
Segmentify operates primary collection infrastructure in the EU (AWS Ireland) but routinely transfers data to Turkey for analytical processing, model training, customer support and certain administrative functions. Turkey is not covered by a European Commission adequacy decision under GDPR art. 45, which means each transfer must be supported by an art. 46 mechanism. Segmentify relies on the 2021 Standard Contractual Clauses (Commission Implementing Decision EU 2021/914), Module Two (Controller to Processor) or Module Three (Processor to Processor) depending on the engagement. Operators are required, under EDPB Recommendations 01/2020 following the Schrems II judgment, to perform a Transfer Impact Assessment that considers Turkish intelligence and electronic communications surveillance laws, the practical effectiveness of supplementary measures (encryption at rest with operator managed keys is not currently offered by default), and the ability of Segmentify to challenge unlawful access requests from Turkish authorities.
Segmentify generates predictions (purchase propensity, churn likelihood, recommended products, optimal email send time) using machine learning models trained on aggregated client data. For most ecommerce use cases the output is product suggestions rather than legally binding decisions, so GDPR art. 22(1) is not triggered. However, where Segmentify drives dynamic pricing, eligibility for promotions or differential treatment that produces similarly significant effects on the data subject, art. 22(2)(c) requires explicit consent and the implementation of safeguards: meaningful information about the logic, the significance and the envisaged consequences (art. 13(2)(f) and art. 15(1)(h)), the right to obtain human intervention, to express a point of view and to contest the decision (art. 22(3)). Operators must also honour art. 21(2) objections to direct marketing profiling, which oblige immediate cessation of the profiling.
Because Segmentify is a non essential personalisation and analytics technology that relies on persistent identifiers, the operator must obtain prior, freely given, specific, informed and unambiguous consent (GDPR art. 4(11) and ePrivacy art. 5(3)) before the segmentify.js script loads. Consent must be as easy to refuse as to give (EDPB Guidelines 05/2020), with a clear granular toggle in the Consent Management Platform mapping to the personalization or recommendations category. The CMP should hold the script in a paused state (script type=text/plain with data category attribute, or equivalent server-side blocking) until consent is captured. Consent withdrawals must propagate to Segmentify via its API or via a documented event handler within the timeframe set by the operator privacy notice. The lawful basis cannot be legitimate interest given the granularity of profiling, the persistence of identifiers and the storage on the terminal, which falls within the exclusive scope of ePrivacy art. 5(3).
Operators remain the controller for visitor data passed to Segmentify and must be able to honour data subject rights end to end. This means publishing Segmentify clearly in the privacy notice (identity of the processor, categories of data, retention, transfer to Turkey, SCC reference), providing an effective opt out, deleting profiles on request via the Segmentify API, and answering art. 15 access requests including the inferred attributes generated by Segmentify models. Records of processing activities under art. 30 must list Segmentify as a sub processor, and the Data Processing Agreement signed with Segmentify must reflect art. 28(3) requirements, audit rights, sub processor notifications and breach notification timelines compatible with the operator art. 33 obligations.
Websites using Segmentify must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment under GDPR art. 35 is mandatory before deployment. Segmentify carries out large scale, systematic profiling of online behaviour combined with automated decision making for recommendations, which matches several EDPB criteria triggering the DPIA obligation (evaluation/scoring, automated decision with significant effect, systematic monitoring, innovative AI technology, large scale processing). The DPIA must address: (1) lawful basis (consent under art. 6(1)(a) and art. 22(2)(c) where profiling is involved); (2) the legitimacy and proportionality of building persistent behavioural profiles from product, cart, search and engagement events; (3) the EU to Turkey transfer under art. 46(2)(c) SCCs, including a Transfer Impact Assessment of Turkish surveillance legislation (Law No. 2937 on the Turkish National Intelligence Organisation, Law No. 5651 on Internet regulation); (4) data subject rights including objection to profiling under art. 21(2), access under art. 15, erasure under art. 17 and the right not to be subject to solely automated decisions under art. 22; (5) supplementary measures (pseudonymisation, encryption, contractual restrictions on Turkish government access requests); (6) retention of visitor profiles (typically 13 to 24 months) and proportionality with the personalisation purpose; (7) joint controller vs. processor analysis under art. 26 and 28, since Segmentify often acts as a processor but may determine purposes for benchmarking and model training; (8) interaction with the Consent Management Platform to ensure that scripts are blocked until consent is captured and that consent withdrawals propagate to Segmentify within a documented timeframe.
Sample consent text
We use Segmentify to personalise product recommendations and tailor our communications to your interests. With your consent, Segmentify places cookies on your device and processes information about the products you view, your searches, your cart activity and your interactions with our site to build a profile and predict what you may be interested in. Some of this processing takes place in Turkey, which is outside the European Economic Area and is not covered by a European Commission adequacy decision; we rely on Standard Contractual Clauses and additional safeguards described in our Privacy Notice. You can accept, refuse or change your choices at any time via our Cookie Settings link. Refusing will not prevent you from using the site, but recommendations will not be personalised.
Third-party domains contacted
segmentify.com, cdn.segmentify.com, api.segmentify.com, tr.segmentify.com, eu.segmentify.com, collect.segmentify.com, recommend.segmentify.com, push.segmentify.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sgf_uid | first_party | 13 months | Persistent visitor identifier stored on the operator domain. Used by Segmentify to recognise returning visitors across sessions, link behavioural events to a single profile and serve personalised recommendations. Treated as personal data under GDPR art. 4(1) and requires prior consent under ePrivacy art. 5(3). |
| sgf_session | first_party | 30 minutes | Session identifier set on the operator domain. Groups events (product views, search queries, cart actions) into a single visit context for behavioural analytics and within session personalisation. Requires consent under ePrivacy art. 5(3). |
| sgf_recs | first_party | 6 months | Records which recommendation slots and items have been shown to the visitor. Used to avoid repeating identical recommendations, to measure click through and to attribute conversions to specific recommendation strategies. Personal data given the link to sgf_uid; requires consent. |
| sgf_visitor | first_party | 13 months | Stores derived visitor segment attributes (e.g., inferred purchase intent, audience tags, lifecycle stage) for fast lookup on subsequent pageviews. Drives audience targeting and segment based campaigns. Requires consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3). |
| sgf_cs | third_party | 13 months | Cross site identifier set on segmentify.com. Used when the operator runs multiple properties or when Segmentify reconciles visitors across separate Segmentify tenants. Constitutes a third-party cookie under EDPB Guidelines 05/2020 and is subject to strict consent. |
| sgf_tg | third_party | 13 months | Targeting cookie set on segmentify.com that supports audience syndication and the export of behavioural segments to advertising platforms. Subject to consent for advertising under ePrivacy art. 5(3) and GDPR art. 6(1)(a). |
| sgf_consent | first_party | 12 months | Stores the visitor consent state communicated by the operator Consent Management Platform to Segmentify (e.g., personalization_granted=true/false, advertising_granted=true/false). Strictly necessary for the operation of the consent mechanism and exempt from prior consent under ePrivacy art. 5(3) recital 17. |
| sgf_email_hash | first_party | 13 months | When the visitor logs in or subscribes to a newsletter, stores a SHA-256 hash of the email address to reconcile the visitor profile across devices via Segmentify Email and Push modules. Constitutes personal data (pseudonymous identifier) under GDPR; requires consent and a documented retention policy. |
Segmentify is a personalization and behavioral analytics platform aimed at ecommerce retailers. It deploys a JavaScript SDK on the operator site that observes visitor behaviour (product views, cart actions, search queries, session signals) and builds persistent visitor profiles. Those profiles power AI driven product recommendations, on site personalised banners, triggered emails, push notifications and audience segments that can be exported to advertising platforms. Segmentify is headquartered in the UK with significant operations in Turkey and serves clients mostly in Europe, the Middle East and Latin America.
Yes. Segmentify is not strictly necessary for the provision of the service, and it reads from and writes to the visitor terminal via persistent cookies and localStorage. Both the ePrivacy Directive art. 5(3) and GDPR art. 6(1)(a) require prior, freely given, specific, informed and unambiguous consent before the segmentify.js script is loaded and before any personal data is processed. Legitimate interest is not an available legal basis for storage on the terminal, and the granular profiling carried out by Segmentify would in any event not pass the balancing test for the subsequent processing.
Segmentify sets several first-party cookies on the operator domain, including sgf_uid (persistent visitor identifier, typically 13 months), sgf_session (session identifier, typically 30 minutes), sgf_recs (recommendation impression log, typically 6 months) and sgf_visitor (visitor segment attributes, typically 13 months). It also sets third-party cookies on segmentify.com such as sgf_cs (cross-site identifier) and sgf_tg (targeting). The platform additionally writes visitor identifiers into browser localStorage, which is not a cookie but is treated identically under ePrivacy art. 5(3) and requires consent.
Yes. Primary collection runs in the EU (AWS Ireland, eu-west-1), but Segmentify routinely transfers personal data to its operations in Turkey for analytical processing, model training and customer support. Turkey is not covered by an adequacy decision under GDPR art. 45, so each transfer must rely on art. 46 safeguards. Segmentify uses the 2021 Standard Contractual Clauses (EU 2021/914), and operators must complete a Transfer Impact Assessment that considers Turkish surveillance laws (Law No. 2937 and Law No. 5651) and the practical effectiveness of supplementary measures such as pseudonymisation and transport encryption.
Segmentify generates predictions and recommendations using machine learning. In most ecommerce deployments the output is a product suggestion that does not produce legal or similarly significant effects, so art. 22(1) is not triggered. Where Segmentify is used for dynamic pricing, eligibility for promotions, or differential service that does produce significant effects, art. 22(2)(c) requires explicit consent plus safeguards: meaningful information about the logic (art. 13(2)(f), art. 15(1)(h)), human review, the right to express a viewpoint and to contest the decision (art. 22(3)). Operators must assess this on a per use case basis.
By default, Segmentify retains raw behavioural events for 13 months, derived visitor profiles for up to 24 months from the last interaction, and aggregated reporting data for up to 38 months. Retention is configurable at tenant level and operators should align it with the documented retention in their privacy notice and Records of Processing Activities under GDPR art. 30. Operators must also ensure that visitor deletion requests (art. 17) are honoured by calling the Segmentify deletion API, which removes the profile and pseudonymous identifiers within a documented service level.
The Consent Management Platform must hold the segmentify.js tag in a non executing state until consent for the personalization or recommendations category is granted. This is typically achieved by serving the tag as script type=text/plain with a data category attribute matched by the CMP, by using a tag manager trigger that fires only after consent, or by routing all requests through a server-side container that gates outbound calls. The CMP must also propagate consent withdrawals to Segmentify via its consent API or via a documented event handler within the timeframe stated in the operator privacy notice.
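The script type=text/plain gating described here and in the earlier consent section can be checked statically against the served markup. The following is an added example, not code from Segmentify or any CMP vendor; the attribute name data-category, the category name personalization, the script URL and the sample page are assumptions constructed for illustration.

```javascript
// Added example. Assumptions: attribute name data-category, category
// "personalization", and the constructed sample markup below.
const SEGMENTIFY_HOST = /(^|\.)segmentify\.com$/i;
// Parse the attribute text of one <script ...> opening tag into a map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  for (const m of attrText.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// True for a tag whose src resolves to a segmentify.com host, or an inline
// loader whose body references segmentify.com.
function isSegmentify(src, body) {
  if (!src) return /segmentify\.com/i.test(body);
  try {
    return SEGMENTIFY_HOST.test(new URL(src, "https://operator.example/").hostname);
  } catch {
    return false;
  }
}

// List every Segmentify script tag and whether the browser will hold it.
function auditSegmentifyTags(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const a = parseAttrs(m[1]);
    if (!isSegmentify(a.src, m[2])) continue;
    const gated = (a.type || "").trim().toLowerCase() === "text/plain";
    findings.push({ source: a.src || "(inline)", gated, category: a["data-category"] || null });
  }
  return findings;
}

// Tags that execute on page load, i.e. before any consent is captured.
const loadsBeforeConsent = (findings) => findings.filter((f) => !f.gated);
// Gated tags a CMP may release for the categories the visitor granted.
const tagsToRelease = (findings, granted) =>
  findings.filter((f) => f.gated && granted.includes(f.category));
// Constructed sample page: one gated tag, one plain tag, one inline loader.
const SAMPLE = `
<script src="/js/app.js"></script>
<script type="text/plain" data-category="personalization" src="https://cdn.segmentify.com/segmentify.js"></script>
<script src="//cdn.segmentify.com/segmentify.js" async></script>
<script>var s=document.createElement("script");s.src="https://cdn.segmentify.com/segmentify.js";document.head.appendChild(s);</script>
`;
console.log(loadsBeforeConsent(auditSegmentifyTags(SAMPLE)));
```

A static scan only sees tags present in the served markup; scripts injected later by a tag manager need the same check in the browser or at the network layer.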
The operator is the controller and Segmentify acts as a processor under a Data Processing Agreement compliant with GDPR art. 28(3). The operator must: list Segmentify in the Records of Processing Activities and the privacy notice; carry out a DPIA under art. 35; perform a Transfer Impact Assessment for the Turkey transfer; obtain valid consent before any script load; honour data subject rights (art. 15, 17, 21 and 22) through the Segmentify API; configure retention; document sub processor approval; and align breach notification timelines (art. 33) with Segmentify obligations under the DPA.