Personal data collected, processed, and stored by Sitefinity Insight

Your organization must work within the legal limits of GDPR, CCPA, and other relevant legal frameworks. You must be keenly aware of what Personally Identifiable Information (PII) is collected, processed, and stored at any time in any of your systems. In this article, you learn what information Sitefinity Insight processes about your visitors and how it is classified as PII or non-PII.

Sitefinity Insight collects and stores behavioral and demographic data of visitors interacting with tracked Sitefinity CMS web sites. You may use other data sources, such as manually imported CVS files or apps that use the Sitefinity Insight SDKs. The data is obtained by client-side and server-side tracking after the visitors have given their consent to be tracked, in case the consent management is enabled. For more information about consent tracking, see Tracking consent.

Sitefinity Insight collects and processes data to provide meaningful insights to the client organization's marketing and sales department based on website visits and user interactions. The data is processed and aggregated for the following needs:

1. Build a 360-degree contact profile for each visitor.
2. Identify each visitor as one of the configured Personas and serve relevant content for that Persona (Personalization).
3. Identify Hot and Marketing Qualified Leads for Sales operations.
4. Calculate metrics like Total and Unique hits per web site page and content.
5. Calculate how much a page or content contributes towards a given Goal (example: how much the Call us for Demo button on the Home page contributes to Product X sales).
6. Recommend web site optimizations that can bring more value to the web site owner.

Area #1 deals exclusively with PII, and areas #2 and #3 may result in PII usage by marketing or sales ops when performing their daily routines. Areas 4 to 6 are purely statistical operations that do not access PII at all.

Sitefinity Insight tracks the following behavioral data:

• Actions that the visitor has performed on the site via a web browser. Examples: visited the Contact Us page or submitted a web form,
• Actions that the visitor has performed on the site, but on the server-side. Examples: successful login as registered user or download of Product X whitepaper,
• The IP address of the user's device,
• Browser metadata, such as user agent string, version, language, time zone, and similar information.

Sitefinity Insight supports tracking the following demographic data out of the box:

1. First name
2. Last name
3. Email address
4. Company
5. Job title
6. Country
7. Address
8. Phone
9. Birthday
10. Gender

These are so-called attributes. Except for the "Email address" attribute, which is reserved, you may modify the list of attributes, delete existing, or define any number of new attributes.

RECOMMENDATION: We strongly recommend you not to process and store sensitive information like SSN, payment card numbers, username/password pairs, medical information, and similar in Sitefinity Insight.

After you define the list of demographic attributes, you must ask the web site visitors to enter some of these attributes on the site. Web forms are well suited for this goal. By default, all Sitefinity CMS forms do not track any demographic data. If you want a form to send data to Insight, you configure it and set the form fields to Insight contact property mappings.

Sitefinity Insight must identify and attribute behavioral and demographic data to its internal representation of a web site visitor in a consistent manner. This is done using two means:

• Sitefinity Insight client-side cookie – stores a unique identifier (GUID). This cookie expires automatically in 1 year,
• Sitefinity CMS user Id value for server-side events, if the user is logged in.

Both values have no meaning extracted from the context of Sitefinity Insight or Sitefinity CMS. They may be used to identify a person only in the context of a browsing session. Client-side identification is not 100% reliable as people often share the same device and browser with others – family members or publicly available machines.

Sitefinity Insight offers multiple tools for managing the privacy and PII of your visitors:

• As a developer, you have control over the customer tracking and consent prompts on your sites. For more information, see Tracking consent.
• As an administrator, you can manage the personal data stored in a data center.
  This is useful, for example, when implementing GDPR compliance. For more information, see Manage personal data.
• As an administrator, you can manage which Sitefinity Insight users have access to PII that is stored in data centers.
  For more information, see Manage Personally identifiable information.