Skip to main content

Privacy, GDPR and Security

Written by Charley Bader

For detailed information about our security practices, data handling controls, approved subprocessors, and compliance documentation - and to receive notifications about future security and disclosure updates - please visit our Trust Centre.

Our Approach

Made with Intent is built with privacy, security and compliance at its core. Our platform is designed to help brands understand customer intent while adhering to major data protection regulations, including GDPR and PECR, and maintaining enterprise-grade security standards.

We rely solely on first-party browser storage, never on third-party cookies or external identifiers. This approach creates short-term behavioural continuity within your own domain, enabling you to understand how visitor intent evolves across pages and sessions without cross-site tracking or personal identification. Unlike fully cookie-less or storage-free solutions, this allows meaningful behavioural analysis while keeping data collection transparent and under your control.

Privacy is only one part of trust. We also maintain a comprehensive information security programme designed to protect customer data throughout its lifecycle. This includes ISO 27001-certified information security management, encrypted data in transit and at rest, secure software development practices, access controls based on least privilege, continuous monitoring, and regular security reviews.

Our approach balances capability, security and compliance, enabling brands to deliver more relevant customer experiences while maintaining appropriate governance over personal data.

Security

We protect customer data through a combination of technical, organisational and operational controls, including:

  • ISO 27001 certified Information Security Management System (ISMS)

  • Encryption of data in transit (TLS) and at rest

  • Role-based access controls and least-privilege permissions

  • Secure software development lifecycle (SSDLC)

  • Infrastructure hosted on trusted cloud providers

  • Continuous monitoring, logging and incident response processes

  • Regular vulnerability management and security testing

  • Vendor risk management and documented subprocessor reviews

First-Party Tracking Only

All tracking and storage mechanisms used by Made with Intent are first-party. This means:

  • Data is stored within your own domain, not shared across sites.

  • We act as a data processor on your behalf - you remain the data controller.

  • We only process data from users who have provided the necessary consent.

Our customers typically configure MWI to load after consent has been given for performance or analytics cookies, in the same way they would for tools like Google Analytics or Hotjar.

This setup is familiar to most retailers and rarely presents friction. When consent is declined, our tracking is automatically disabled, as it would be for any analytical tracking system. As we serve experiences online, too, experiences are naturally disabled; personalisation (serving different experiences) is not able to exist without the acceptance of such tracking.

Flexibility

Our platform gives brands the flexibility to use it even before cookie consent is granted. If you choose to deploy our script outside of cookie acceptance, it will still function as designed because we don’t block data collection at the platform level. However, responsibility for that decision sits with your team, as storing even anonymous event data tied to a browser ID can still require user consent under GDPR when used for analytics, profiling, or personalisation purposes.

Data We Collect

We do not intentionally collect any personal data. We collect:

  • Contextual data — URL, user agent, screen dimensions, page referrer, local time and timezone.

  • Client-available data — exposed eCommerce data such as product name, price, brand and category.

  • Interactive data — event names and timestamps, associated DOM information, scroll positions, cursor info, and search field contents.

Retention, sharing & deletion

  • Data is retained for 2 years by default — this can be adjusted to your business requirements — then automatically deleted from the system. We comply with GDPR with respect to data retention upon service termination and on request.

  • We do not share any collected data with third parties outside of authorised data subprocessors

  • Data used for model training is anonymised and scaled before processing.

Risk mitigation measures

We apply automated deletion schedules, de-identification via random user IDs, aggregation of all data, low-volume segment warnings (to prevent identification by deduction), automated detection and deletion of inadvertently collected personal data, data partitioning, and anonymisation before any modelling.

What Data Is Stored

MWI does not set any cookies. Instead, it uses localStorage and sessionStorage within the browser. These mechanisms allow MWI to deliver intent-based experiences while maintaining privacy compliance.

LocalStorage

Key

Purpose

intent.user.id

Arbitrary user identifier for session stitching (could be considered personal data under GDPR)

intent.inference.store

Stores references to matched segments

intent.inference.last

Holds last analytical inference object

SessionStorage

Key

Purpose

intent.segments.persisted

Temporarily stores references to active segments

intent.campaigns.fired

Tracks which campaigns have already fired during the session

While none of this data qualifies as Personally Identifiable Information (PII) on its own, intent.user.id is an arbitrary user identifier. Under GDPR, this may be considered personal data when combined with other data sources.

Despite operating only within consented traffic, we maintain strong model performance and statistically significant coverage. That’s because modern ecommerce brands are incentivised to encourage consent to deliver better on-site experiences. The data we do capture is high quality, and enables everything from real-time in-session activation to post-session analysis and segmentation.


We continuously monitor changes to UK and EU privacy legislation and evolve our platform accordingly. Our architecture is designed around data minimisation, first-party data collection and privacy-by-design principles, positioning customers to adapt as regulatory guidance evolves.

Did this answer your question?