
GDPR & CCPA

The GDPR and CCPA are legal frameworks for how businesses process and handle personal data of individuals. Under these frameworks, Sumatra is considered the data processor or service provider, whereas your company is considered the data controller.

As the data controller, you maintain full ownership of and responsibility for your data. Sumatra simply processes any data our customers send. We never sell, share, or distribute your data. We take data security and privacy very seriously and are SOC2 Type 2 compliant.

What data does Sumatra process?

The information that you provide us and the data that we gather about your visitors on your behalf are used for the sole purpose of helping you deliver optimized experiences to your visitors. To deliver those experiences:

  • Sumatra's SDK collects behavioral data about how visitors navigate your website
  • Sumatra uses publicly available GeoIP data for geographic context
  • Optionally, customers can choose to send first-party enrichment data from their systems for use in personalization

If you use cookies or other local storage mechanisms on your website, you are responsible for requesting user consent in compliance with the CCPA and GDPR before setting any cookies other than those deemed strictly necessary for site operation.

There are two ways to collect customer consent: opt in or opt out. The preferred method is opt out, to maximize the number of visitors that receive optimized experiences.

Implementing opt out (preferred)

Install the Sumatra snippet in the <head> tag of your site, per the standard instructions.

If the user opts out of cookie tracking, call the following function to delete the user id from local storage and to prevent Sumatra from tracking the user:

window.sumatra.optOut()

This function should only be called after a user opts out of cookie tracking.

Implementing opt in

The Sumatra snippet should still be installed in the <head> tag of your site to ensure that experiences are delivered without flicker. However, the snippet should be loaded with a flag that prevents Sumatra from storing any cookies or tracking the user ID until the user opts in.

To implement this approach, when you install the standard snippet, replace this line:

sumatra.load("SUMATRA_API_KEY", "https://api.sumatra.ai")

with this line:

sumatra.load("SUMATRA_API_KEY", "https://api.sumatra.ai", {defaultOptOut: true})

When the user consents to cookies, call the following function:

window.sumatra.optIn()

Calling this function enables cookie storage and tracking in Sumatra for this user.
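
The opt-in flow above, wired to a consent banner, as an added example that is not Sumatra's own code. Only `optIn()` and `optOut()` come from this page; the decision strings, the storage key, the injected store and the banner callbacks are assumptions. The page does not say whether the SDK remembers an earlier `optIn()` across page loads, so the example re-applies a stored "granted" decision on every load.

```javascript
// Added example, not Sumatra's code. Only optIn() and optOut() come from the
// page; the decision strings, storage key and injected store are assumptions.
const CONSENT_KEY = "consent_decision"; // hypothetical key

function createConsentBridge(getSdk, store) {
  // Each helper returns the action taken so callers (and tests) can check it.
  function optIn() {
    const sdk = getSdk();
    if (!sdk) return "sdk-missing"; // snippet blocked or not yet loaded
    sdk.optIn();
    return "opted-in";
  }

  function optOut() {
    const sdk = getSdk();
    if (!sdk) return "sdk-missing";
    sdk.optOut();
    return "opted-out";
  }

  return {
    // Call from the banner's accept / reject (or withdraw) handlers.
    record(decision) {
      if (decision !== "granted" && decision !== "denied") {
        throw new TypeError("decision must be 'granted' or 'denied'");
      }
      store.setItem(CONSENT_KEY, decision);
      return decision === "granted" ? optIn() : optOut();
    },

    // Call once per page load, after sumatra.load(..., {defaultOptOut: true}).
    // Only an explicit stored "granted" enables tracking; a missing, denied
    // or tampered value leaves the defaultOptOut state untouched.
    restore() {
      return store.getItem(CONSENT_KEY) === "granted" ? optIn() : "left-opted-out";
    },
  };
}

// Browser wiring (assumed banner callbacks):
//   const bridge = createConsentBridge(() => window.sumatra, window.localStorage);
//   bridge.restore();
//   onAccept = () => bridge.record("granted");
//   onReject = () => bridge.record("denied");
```
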

Q & A

If I implement cookie consent, can I still A/B test on my landing page?

Yes. Traffic will still be split across variants as expected. However, a non-consenting user may see different variants from session to session. Also, reported conversion rates may be lower than reality, as conversions from non-consenting users cannot be linked across subdomains or across sessions.

If I implement cookie consent, can I still create target experiences on my landing page?

Yes. Attributes that rely on user ID, such as session_count or utm_by_user, will not be available for non-consenting users. However, all attributes that do not rely on user ID, such as utm_by_session and referrer, are still available on the landing page, even prior to consent.