Dynamic Yield is fully compliant with GDPR and CCPA data privacy regulations as a data processor, and is ISO 27701 compliant.
Dynamic Yield also provides you with tools to enable you to comply with data privacy regulations in your role as a data controller. We provide ways to prevent user data collection and remove user data.
How we track and store general user information
The Dynamic Yield script generates and manages a unique and random ID for each end user who visits your website. This script relies on Local Storage and cookies for storing this value on the user's browser. The cookie is referred to as DYID and is saved with the key _dyid.
Dynamic Yield does not track users across multiple sites. The ID is unique to each visitor on each website. If a user visits two different websites that have Dynamic Yield scripts, two DYIDs are generated for that user. We do not associate the two DYIDs with each other.
The DYID tracks information such as gender, lead color, purchase category, referring domain, URL visit, number of page views, purchase info, device info, geolocation, and more.
Dynamic Yield does not store any personally identifiable information (PII) about users as part of DYID.
How we track and store user email addresses
User email addresses are used to enable triggered emails and exporting audiences. This is done by uploading a data feed with user email addresses or using the message opt-in/opt-out events. When we receive an email address that identifies a particular user, we hash the address before storing it to protect the user's privacy. This means that Dynamic Yield is not able to use the email address or identify any users externally without additional steps.
The feeds are provided to us by you, our customer (the website owners), and consist of one column of user email addresses (see Opted-In User Email Addresses). Dynamic Yield then hashes these identifiers and checks for matches among identified users. When a match is found, these users are called matched users and are eligible to be included in triggered emails and audience exports. The unhashed email addresses are stored separately from other Dynamic Yield data in an isolated location.
Removing user data
When you want to remove a site user, do the following:
- If you use an Opted-in User Email Addresses feed: Remove the user's identifier from the uploaded file.
- If you use API opt-in/opt-out events: Fire an opt-out event with the user's identifier.
- If you use neither of these, no action is needed. Dynamic Yield is not storing any user PII data.
What happens after the data is removed?
Dynamic Yield erases any PII data that is permanently stored across our databases within 1 business day. You are responsible to delete any CRM data stored in your databases.
General information is still stored in a DYID in the user’s local storage and cookies. This information is anonymized and cannot be used to identify the user. Dynamic Yield cookies are set to expire after one year using the local browser expiration policy, but the local storage has no set expiration policy.
Users who want to remove this data can clear cookies and local storage data in their browser. We recommend that you notify your users to do so as part of the removal process, to prevent any further data collection.
Preventing user data collection
GDPR and other regulations require you to allow users to prevent your website from tracking them. Dynamic Yield enables you to comply with these regulations using either the assumed consent method (requires users to opt out) or the active cookie consent method (requires users to opt in).
If users are not tracked, they are only eligible to receive experiences that are not personalized. Even when users actively agree to data tracking, Dynamic Yield does not collect or store IP addresses.