Recombee is an AI-powered recommendation engine and personalisation API founded in 2016 and headquartered in Prague, Czech Republic. It serves real-time recommendations for e-commerce, media, news and education, with database regions in the EU, US and Asia Pacific. Customers select the database region, and the EU option keeps all data within the EEA, making Recombee a GDPR friendly choice for European deployments.
Recombee is an AI-powered recommendation engine and personalisation API founded in 2016 by Pavel Kordik and headquartered in Prague, Czech Republic. It powers real-time recommendations for e-commerce, media, news, education and dating platforms. Customers send catalogue items and user interactions to the Recombee API and receive recommendations through REST or client SDKs. Database regions include Frankfurt, Paris, Dublin (EU), Virginia, California, Iowa (US) and Singapore, Sydney, Tokyo (APAC).
Recombee ingests catalogue items (product or content metadata) and user interactions: detail views, add to cart, bookmarks, ratings, purchases, search queries. The optional JavaScript SDK assigns a recombee_uid identifier stored in local storage or as a cookie, used to attribute interactions to a returning anonymous visitor. When the visitor logs in or provides an email, the identifier can be merged with the known user. The API does not require cookies if interactions are sent server-side with the customer's own identifiers.
Recombee is a data processor under Art. 28 GDPR. When the EU database region is selected, the data stays in the EEA, simplifying compliance. The recombee_uid identifier triggers Art. 5(3) ePrivacy and requires consent before being stored. Server-side personalisation using customer-provided user identifiers (e.g. logged-in user IDs) can rely on legitimate interest if the recommendation is part of the contracted service and the user has been informed.
Consent is required for the JavaScript SDK if it writes the recombee_uid in local storage or as a cookie. The server-side API does not require consent in itself, but personalised recommendations should be disclosed and an opt-out provided. Recombee can also be operated in a session-only mode without persistent identifiers, which may not trigger consent at all under Art. 5(3) ePrivacy.
If the customer selects an EU database (Frankfurt, Paris or Dublin), all recommendation data and interaction data stays in the EEA. Recombee s.r.o. itself is Czech, so support and engineering are conducted from the EU. If a non-EU region is chosen, Standard Contractual Clauses apply. Selecting an EU region is the cleanest path for European customers.
Pick an EU database region when provisioning, sign the Recombee Data Processing Agreement, load the client SDK only after consent if it writes identifiers, prefer server-side ingestion of interactions, set a clear retention policy for interactions, document Recombee in your Record of Processing Activities and privacy notice, run a DPIA if recommendations could affect rights (pricing, exclusion, sensitive content categories) and explain personalisation in your privacy notice.
Websites using Recombee must obtain user consent under GDPR regulations.
DPIA considerations
Recombee acts as a data processor under Art. 28 GDPR through its Data Processing Agreement. Key DPIA considerations: (1) the JavaScript SDK can write a recombee_uid identifier in local storage or a cookie, requiring consent under Art. 5(3) ePrivacy; (2) when the customer chooses an EU database region (Frankfurt, Paris, Dublin), no third-country transfer occurs for recommendation data; (3) interaction data is highly granular and reveals tastes and preferences, and special category data risks arise on news or content sites covering political or health topics; (4) profile-based recommendations may produce automated decisions (Art. 22 GDPR) when used for pricing or exclusion; (5) retention should be set in line with the principle of storage limitation; (6) Recombee is established in the Czech Republic and is supervised by the Czech UOOU.
Sample consent text
We use Recombee to power personalised recommendations on our site. With your consent, our tracking SDK sends your interactions (page views, product details, cart additions) to the Recombee API hosted in the European Union. Recombee acts as our data processor, and no data leaves the EEA when the EU database region is selected.
Third-party domains contacted
- recombee.com
- rapi.recombee.com
- rapi-eu-west.recombee.com
- rapi-us-west.recombee.com
- rapi-ap-se.recombee.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| recombee_uid | Marketing | 1 year | Optional first party identifier set by the Recombee JavaScript SDK in local storage or as a cookie. Links interactions to a recurring anonymous visitor for personalisation. Not set when the integration runs server side only. |
Recombee uses cookies for user preferences — inform visitors with a consent banner.
Recombee itself does not require cookies. Its optional JavaScript SDK can write a recombee_uid identifier in local storage or as a first party cookie if you enable the cookie option. Server side ingestion of interactions using your own user identifiers does not set any client side storage.
Yes, when you enable the client SDK with a recombee_uid stored in cookies or local storage, because Art. 5(3) ePrivacy applies. No consent is required if you run Recombee fully server side with identifiers you already process under another lawful basis (logged-in user ID, customer ID).
Consent (Art. 6(1)(a) GDPR) for personalisation tracking that uses cookies or local storage. Legitimate interest (Art. 6(1)(f) GDPR) for server side recommendations to logged in users when the recommendation is reasonably expected as part of the service. Contract (Art. 6(1)(b) GDPR) for personalisation explicitly promised in your terms.
Recombee lets the customer pick a database region. EU options include Frankfurt, Paris and Dublin. Selecting an EU region keeps all recommendation and interaction data in the EEA. Recombee s.r.o. is established in Prague, so support and engineering also take place in the EU.
A DPIA is recommended when recommendations are based on extensive behaviour, when they affect access or pricing, or when content categories are sensitive (news, dating, health). It should cover the EU region selection, retention of interaction history, profiling logic and any onward processing for analytics.
Pick the EU database region at provisioning, sign the Recombee Data Processing Agreement, prefer server side ingestion of interactions, load the client SDK only after consent if it writes identifiers, set a retention policy via the Recombee API, document Recombee in your privacy notice as an EU based processor and run a DPIA for sensitive use cases.
EU based recommendation alternatives include Algolia Recommend (France), Crossing Minds (US with EU options), Dynamic Yield (Israel/US with EU regions), Bloomreach (Netherlands), Klevu (UK/Finland) and self hosted open source projects such as Gorse. Recombee itself is one of the strongest EU based options given its Czech incorporation.
Disclose Recombee as a processor and name the chosen database region, explain whether your integration uses cookies or local storage (recombee_uid), describe the interactions sent (views, cart, purchase), specify retention, link the Recombee Data Processing Agreement and offer a way to opt out of personalisation.