Bloomreach is a commerce experience platform combining a Customer Data Platform (Engagement, formerly Exponea), AI-powered search (Discovery), and a headless CMS (Content). Bloomreach Engagement tracks visitors via JavaScript SDK cookies (__exponea_etc__, xnpe_<project-id>) and processes extensive personal data for personalisation, A/B testing, email campaigns, and customer profiling. US-headquartered with EU hosting options.
Bloomreach is a commerce experience platform that combines three core products: Bloomreach Engagement (a Customer Data Platform, formerly Exponea), Bloomreach Discovery (AI-powered site search and merchandising), and Bloomreach Content (a headless CMS, formerly Bloomreach Experience Manager). Bloomreach Engagement is the most data-intensive component, enabling real-time customer profiling, behavioural tracking, email and push campaigns, A/B testing, web layers, and personalised product recommendations. The platform is used by major ecommerce brands and processes significant volumes of personal data.
Bloomreach Engagement uses a JavaScript SDK that sets several cookies. The primary tracking cookie is __exponea_etc__, a first-party client-side cookie that stores the visitor's unique identifier (default expiration: 3 years, subject to Safari ITP 7-day limitation). The __exponea_time2__ cookie handles time synchronisation between client and server. A server-side cookie xnpe_<project-id> is set by the Bloomreach API (api.exponea.com) as a third-party cookie, unless a Custom Tracking Domain (CTD) is configured to make it first-party. The cookie acts as a "soft ID" that tracks all visitor actions (page views, clicks, purchases, events) and is linked to a "hard ID" (email, account) when the visitor identifies themselves. Bloomreach also processes IP addresses, device information, browsing behaviour, purchase history, and custom event data.
Bloomreach Engagement raises significant GDPR and ePrivacy concerns. The platform performs extensive customer profiling by linking anonymous browsing sessions to identified customer profiles, tracking behaviour across multiple devices, and building detailed visitor profiles for personalisation and marketing. Under the ePrivacy Directive, explicit consent is required before setting tracking cookies and accessing information on the user's device. Under GDPR, a lawful basis (typically consent) is required for processing personal data for profiling and marketing purposes. Bloomreach, Inc. is headquartered in the United States, meaning data transfers to the US require appropriate safeguards such as Standard Contractual Clauses (SCCs). A Data Processing Agreement (DPA) with Bloomreach is essential, clearly defining the processor/controller relationship.
Bloomreach Engagement includes a built-in consent management system with three consent categories: general consent, specific consent, and legitimate interest. Every consent interaction (grant or revocation) is recorded as an auditable event in the customer profile, providing proof of consent for regulatory compliance. The platform supports granular consent categories allowing customers to opt in or out of specific processing purposes independently. Tracking consent can be configured to block all tracking (including cookies, email open tracking, push notification tracking, and in-app messages) until explicit consent is given. Bloomreach integrates with external CMPs and supports server-side GTM tracking. For compliance with the German BGH ruling (May 2022), Bloomreach offers standalone tracking consent configuration that requires explicit consent for pseudonymised tracking across all channels.
Bloomreach, Inc. is headquartered in Mountain View, California. The default API endpoint (api.exponea.com) may route data through infrastructure outside the EU. EU-based instances are available for clients requiring data residency within the European Economic Area. When using the default configuration, the xnpe_<project-id> cookie is set as a third-party cookie under the api.exponea.com domain, which can be mitigated by configuring a Custom Tracking Domain (CTD) under the client's own domain. International data transfers require Standard Contractual Clauses (SCCs) and supplementary measures as outlined in the Schrems II decision. The client acts as the data controller and Bloomreach as the data processor.
To achieve GDPR compliance with Bloomreach:

1. Execute a Data Processing Agreement (DPA) with Bloomreach covering SCCs for international transfers.
2. Conduct a DPIA before deployment, given the high-risk profiling activities.
3. Configure consent management with granular consent categories matching your processing purposes.
4. Integrate with a CMP to collect consent before the Bloomreach SDK initialises.
5. Enable tracking consent to block all non-essential tracking until consent is given.
6. Set up a Custom Tracking Domain (CTD) to convert third-party cookies to first-party.
7. Request an EU-based instance to minimise international data transfers.
8. Document Bloomreach in your Record of Processing Activities (ROPA).
9. Update your privacy policy and cookie policy to disclose Bloomreach usage, cookies set, data processed, and the Bloomreach processor relationship.
10. Configure data retention policies and enable the right to erasure (exponea.anonymize()) for GDPR data subject requests.
Websites using Bloomreach must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Bloomreach Engagement deployments due to: extensive customer profiling and behavioural tracking across sessions and devices, automated decision-making for personalisation and A/B testing, processing of email addresses and customer identifiers as hard IDs, potential cross-device tracking via cookie and identity merging, data transfers to the US (Bloomreach, Inc. headquarters), and integration with third-party services (Google Analytics, marketing platforms). The volume and sensitivity of data processed, combined with the profiling capabilities, place most implementations in the high-risk category under GDPR Article 35.
Sample consent text
We use Bloomreach Engagement to personalise your experience and analyse site usage. Bloomreach sets tracking cookies (__exponea_etc__) to identify visitors across sessions, track browsing behaviour, and deliver personalised content and recommendations. Data is processed by Bloomreach, Inc. (US) under Standard Contractual Clauses. Do you consent to the use of Bloomreach tracking cookies for personalisation and analytics purposes?
Third-party domains contacted

- api.exponea.com
- *.bloomreach.com
- documentation.bloomreach.com
- cdn.exponea.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __exponea_etc__ | first-party | 3 years (7 days on Safari ITP) | Stores the visitor's unique Bloomreach Engagement identifier (soft ID). Used to track all visitor actions (page views, clicks, purchases, events) and link them to a customer profile across sessions. |
| __exponea_time2__ | first-party | 1 hour | Synchronises local browser time with Bloomreach server time to ensure accurate event timestamping. |
| xnpe_<project-id> | third-party (first-party with CTD) | 3 years (default) | Server-side backend cookie set by the Bloomreach API (api.exponea.com). Stores the same visitor identifier as __exponea_etc__ for server-side identity resolution. Becomes first-party when a Custom Tracking Domain (CTD) is configured. |
| __exponea_ab_test__ | first-party | Configurable (default: 3 years) | Stores A/B test variant assignments to ensure visitors see consistent experiment variations across page loads and sessions. |
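The compliance steps above (CMP consent before the SDK initialises, blocking tracking until consent, erasure via exponea.anonymize()) and the cookie table can be checked in the browser with a small amount of JavaScript. The following is an added example, not Bloomreach's or FlowConsent's code: it parses a document.cookie string, flags any Bloomreach cookie from the table that exists before the tracking purpose has been granted, gates SDK start-up on consent, and runs the erasure hook on withdrawal. The SDK calls are injected as callbacks; the only assumed entry points are exponea.start(config) and exponea.anonymize(), and the consent object shape ({ tracking: true|false }), the project id `proj42` and the sample cookie jar are constructed for the example.

```javascript
// Added example (not Bloomreach's or FlowConsent's code). Assumed: the SDK is
// started with exponea.start(config) and erased with exponea.anonymize(); both
// are passed in as callbacks so this file runs without the real SDK.

// Cookie names from the "Cookies placed" table. xnpe_<project-id> carries a
// per-project suffix, so it is matched as a pattern.
const BLOOMREACH_COOKIE_PATTERNS = [
  /^__exponea_etc__$/,
  /^__exponea_time2__$/,
  /^__exponea_ab_test__$/,
  /^xnpe_[A-Za-z0-9_-]+$/,
];

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
// Only the first "=" separates name from value, so values containing "=" survive.
function parseCookieString(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    jar[name] = eq === -1 ? '' : trimmed.slice(eq + 1);
  }
  return jar;
}

// Names of the Bloomreach cookies present in the jar, in cookie-string order.
function findBloomreachCookies(cookieString) {
  const jar = parseCookieString(cookieString);
  return Object.keys(jar).filter((name) =>
    BLOOMREACH_COOKIE_PATTERNS.some((re) => re.test(name)));
}

// Pre-consent audit: until the tracking purpose is granted, no Bloomreach
// cookie should exist. Returns the offending names (empty = nothing set early).
function auditPreConsent(cookieString, consent) {
  if (consent.tracking === true) return [];
  return findBloomreachCookies(cookieString);
}

// Consent-gated start: `startSdk` stands in for exponea.start(config) and is
// only called once tracking consent is granted. Returns whether it ran.
function startBloomreachIfConsented(consent, config, startSdk) {
  if (consent.tracking !== true) return false;
  startSdk(config);
  return true;
}

// Withdrawal / erasure hook: call the SDK's anonymize() (exponea.anonymize())
// and expire every Bloomreach cookie we can see. `anonymize` and
// `expireCookie` are injected; returns the cookie names that were expired.
function handleWithdrawal(cookieString, anonymize, expireCookie) {
  anonymize();
  const names = findBloomreachCookies(cookieString);
  for (const name of names) expireCookie(name);
  return names;
}

// Constructed sample: a visitor who has NOT consented yet already carries
// Bloomreach identifiers, i.e. the SDK was loaded before the CMP decision.
const SAMPLE_JAR = '__exponea_etc__=abc123; session=xyz; xnpe_proj42=abc123; lang=en';

const early = auditPreConsent(SAMPLE_JAR, { tracking: false });
console.log(early.length === 0
  ? 'OK: no Bloomreach cookies before consent'
  : 'Tracking cookies set before consent: ' + early.join(', '));
```

In a real page the `startSdk` callback would wrap the SDK start call inside the CMP's consent callback, and `expireCookie` would write a `Max-Age=0` cookie for the name on your own domain; a third-party xnpe_<project-id> cookie under api.exponea.com cannot be expired from page script, which is one more reason to configure a Custom Tracking Domain. Running the audit in a fresh session before any consent interaction is a quick way to confirm the CMP integration actually blocks the SDK.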
Bloomreach Engagement sets several cookies: __exponea_etc__ (first-party client-side cookie storing the visitor's unique identifier, default 3 years, 7 days on Safari due to ITP), __exponea_time2__ (time synchronisation cookie, 1 hour), and xnpe_<project-id> (server-side backend cookie set by api.exponea.com, third-party by default, can be made first-party via Custom Tracking Domain). Additional cookies may be set for A/B testing experiments. Cookie expiration can be customised via the SDK configuration.
Yes. Bloomreach Engagement sets tracking cookies and processes personal data for customer profiling, personalisation, and marketing. Under the ePrivacy Directive, explicit consent is required before setting non-essential cookies. Under GDPR, consent is the appropriate legal basis for the profiling and marketing activities performed by the platform. Bloomreach provides built-in tracking consent features that can block all tracking until consent is obtained. The platform also supports integration with external CMPs.
Consent is the primary legal basis for Bloomreach Engagement due to the extensive profiling and marketing activities involved. Bloomreach supports three consent categories: general consent, specific consent, and legitimate interest. Legitimate interest may apply for limited, non-marketing analytics with a documented Legitimate Interest Assessment, but the scope of data processed by Bloomreach Engagement typically requires consent. Every consent event is recorded with a timestamp, source, and status in the customer profile for auditability.
Potentially yes. Bloomreach, Inc. is headquartered in Mountain View, California. The default API endpoint (api.exponea.com) may route data through US infrastructure. EU-based instances are available for clients requiring data residency within the EEA. For any international data transfer, Standard Contractual Clauses (SCCs) must be in place as part of the Data Processing Agreement with Bloomreach. Configuring a Custom Tracking Domain (CTD) helps keep cookie data under the client's own domain but does not eliminate all US data flows.
Yes, a DPIA is strongly recommended and likely required for most Bloomreach Engagement deployments. The platform performs high-risk processing activities including: extensive behavioural profiling across sessions and devices, automated personalisation and A/B testing decisions, cross-device identity merging (soft ID cookies linked to hard ID identifiers), email and push marketing based on profiling data, and potential international data transfers to the US. These activities fall squarely within GDPR Article 35 criteria for mandatory DPIA.
Key steps: sign a DPA with Bloomreach including SCCs. Conduct a DPIA. Configure consent management with granular categories. Integrate a CMP to collect consent before the SDK loads. Enable tracking consent to block non-essential tracking until consent is given. Set up a Custom Tracking Domain (CTD) to convert third-party cookies to first-party. Request an EU instance for data residency. Document Bloomreach in your ROPA. Update your privacy and cookie policies. Implement data subject rights processes using exponea.anonymize() for erasure and data export features for access requests.
Alternatives depend on which Bloomreach product you need to replace. For analytics and CDP: Matomo (open source, self-hosted), Piwik PRO (EU-hosted CDP with analytics), or Segment with EU data residency. For personalisation: Algolia Recommend (search-focused), or Dynamic Yield (with EU processing options). For email marketing: Brevo (EU-based), or Mailchimp with EU data processing. No single platform matches the full scope of Bloomreach Engagement while offering the same level of privacy by default.
Your cookie policy should list: __exponea_etc__ (persistent, visitor identification and behavioural tracking, default 3 years), __exponea_time2__ (session, time synchronisation, 1 hour), xnpe_<project-id> (persistent, server-side visitor tracking, default 3 years, third-party under api.exponea.com unless CTD is configured). Disclose that Bloomreach processes browsing behaviour, purchase history, device information, and links anonymous sessions to identified profiles. State that Bloomreach, Inc. (US) acts as data processor. Mention the availability of consent withdrawal and the right to request data erasure.