This page describes how cookies and similar technologies are handled when Kleep is installed on your storefront, the exhaustive list of trackers and data involved, and the role your Consent Management Platform (CMP) / tag manager must play. It is intended for your data protection and legal teams. Throughout this page, “you” / “the merchant” refers to the website operator acting as Data Controller, and “Kleep” refers to Kleep SAS.
Wherever a legal reference is needed, this page maps to the French framework (Article 82 of the Loi Informatique et Libertés and the CNIL guidelines on consent), which is among the strictest in the EU. The same logic applies under the GDPR and the ePrivacy Directive across the EU.
The Kleep script is loaded and executed only after consent has been collected through your CMP. As long as no consent has been given (a refusal or the absence of any choice), Kleep does not load: nothing is written to the browser, no event is transmitted, and no recommendation is computed. It is therefore your CMP / tag manager that conditions the loading of Kleep and must trigger our script exclusively after consent has been granted.
Do not load the Kleep script or call kleep.load(...) until your CMP signals that consent has been granted for the relevant purposes. If consent is later withdrawn, stop loading Kleep on subsequent page views. See the JS Library guide for the exact consent-gating wording and implementation.
All of the items below are placed on the product page exclusively after consent. localStorage and sessionStorage are treated as trackers within the meaning of Article 82 of the Loi Informatique et Libertés and are therefore subject to consent.
| Tracker | Storage | Purpose | Description | Retention | Legal basis |
|---|---|---|---|---|---|
| kleep_uid | localStorage | Recommendation + audience measurement | Visitor identifier (random UUID) | Persists in the browser until cleared; associated data purged at 12 months | Consent |
| kleep_user_uuid | localStorage | Recommendation + audience measurement | Identical to kleep_uid | Same as kleep_uid | Consent |
| kleep_session_uuid | sessionStorage | Recommendation + audience measurement | Session identifier (random UUID) | The session (cleared when the tab is closed) | Consent |
| kleep_mid | localStorage | Recommendation | Technical measurement / product identifier | 12 months | Consent |
| kleep_recommendation_type | localStorage | Recommendation | Product type (clothing / footwear) | 12 months | Consent |
| kleep_retailer | localStorage | Recommendation | Merchant domain | 12 months | Consent |
| kleep_is_test | localStorage | Functioning | Technical flag (0/1) | 12 months | Consent |
| PostHog | Cookie + PostHog local storage | Audience measurement and A/B testing | Analytics provider storage | 12 months | Consent |

3. Data processed (in addition to trackers)

  • Kleep questionnaire answers: age, height, weight, and answers to the morphological questions — collected only when the user submits the questionnaire — purposes: size recommendation and algorithm improvement (see §4) — retention: 12 months.
  • Navigation events: product_viewed, add_to_cart, checkout (including the product variant, price and currency) — purpose: audience measurement and A/B testing — retention: 12 months.
  • No directly identifying data about your customers (name, e-mail, address) is transmitted to Kleep. The identifiers used are pseudonymous UUIDs specific to Kleep. All data is processed in a pseudonymised manner.
Three purposes, all subject to the consent collected through your CMP:
  1. Size recommendation for clothing and footwear, on behalf of the merchant (Data Controller).
  2. Audience measurement and experience improvement (A/B testing), via PostHog.
  3. Reuse of data to improve and develop Kleep’s recommendation algorithm. This reuse is carried out exclusively on pseudonymised or aggregated data, without any direct identifier, without re-identification; for this purpose Kleep acts as a subsequent data controller in compliance with the GDPR.
As things currently stand, consent is collected globally: accepting Kleep covers all three purposes. Per-purpose granularity is on our roadmap (see §7).
Your CMP / cookie banner must expose two processing purposes, and Kleep may only be loaded once the visitor has consented to both. Pick your storefront language below and copy the wording (the French version is authoritative).
Finalités (FR)
1ère finalité : le traitement des données à des fins de recommandation de taille de vêtements et de chaussures pour le compte du Responsable de traitement.

2ème finalité (réutilisation des données) : le traitement des données à des fins d'amélioration et de développement de vos Services et Produits. Plus précisément à des fins d'amélioration et de développement de l'algorithme de recommandation des tailles de vêtements et de chaussures de la société Kleep.

5. Decision matrix

  • Consent granted: the Kleep script loads; the module is displayed; identifiers are stored; events are transmitted; the questionnaire is functional; the recommendation is rendered; all three purposes apply.
  • Consent refused: the Kleep script is not loaded; nothing is stored (localStorage / sessionStorage / cookie); no event; no recommendation; no reuse. The module is not active; the site works normally.
  • No choice made: treated exactly like a refusal (continuing to browse does not amount to consent, in line with the CNIL’s position). Nothing is stored and nothing is processed until the user has actively consented.
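
A consent gate and a storage check that follow the decision matrix above, as an added example that is not Kleep's own code (the JS Library guide has the official implementation). The purpose identifiers and function names are hypothetical; only the kleep_* keys come from the tracker table. Run the check against a fresh browser profile, because keys written under an earlier consent can remain in localStorage after a withdrawal.

```javascript
// Added example, not Kleep's code. Only the kleep_* key names come from the page;
// PostHog's storage key names are not listed there, so they are not checked.
const KLEEP_LOCAL_KEYS = ["kleep_uid", "kleep_user_uuid", "kleep_mid",
  "kleep_recommendation_type", "kleep_retailer", "kleep_is_test"];
const KLEEP_SESSION_KEYS = ["kleep_session_uuid"];

// Hypothetical purpose ids: use the ids your CMP assigns to the two banner purposes.
const REQUIRED_PURPOSES = ["kleep_size_recommendation", "kleep_data_reuse"];

// consent is null/undefined while the visitor has made no choice, otherwise an
// object mapping purpose id -> boolean as reported by the CMP.
function mayLoadKleep(consent) {
  if (!consent || typeof consent !== "object") return false; // no choice = refusal
  return REQUIRED_PURPOSES.every((p) => consent[p] === true); // strict boolean only
}

// Calls loadFn (your wrapper that injects the Kleep script) only when allowed.
function gateKleep(consent, loadFn) {
  if (!mayLoadKleep(consent)) return false;
  loadFn();
  return true;
}

// Lists Kleep keys found in storage although consent does not allow loading.
// In a browser, pass Object.keys(localStorage) and Object.keys(sessionStorage).
function auditStorage(consent, localKeys, sessionKeys) {
  if (mayLoadKleep(consent)) return []; // storage is expected once consent is given
  const local = new Set(localKeys);
  const session = new Set(sessionKeys);
  return [
    ...KLEEP_LOCAL_KEYS.filter((k) => local.has(k)).map((k) => `localStorage:${k}`),
    ...KLEEP_SESSION_KEYS.filter((k) => session.has(k)).map((k) => `sessionStorage:${k}`),
  ];
}

// Constructed sample: fresh profile, banner not yet answered, yet Kleep keys exist.
// A non-empty result means the script ran before the CMP granted consent.
const sampleFindings = auditStorage(null, ["cart_id", "kleep_uid"], ["kleep_session_uuid"]);
console.log(sampleFindings);
```
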

6. Hosting, subprocessors, security, retention

  • Hosting: Amazon Web Services, Ireland region (European Union).
  • Subsequent subprocessors: AWS (hosting, EU) and PostHog (audience measurement / A/B testing, EU Cloud instance).
  • Transfers outside the EU: none. All processing is carried out within the European Union.
  • Security: encryption in transit (TLS/HTTPS) and at rest; identity and access management (IAM); an incident management process including notification within the regulatory deadlines; auditability (AWS CloudTrail / CloudWatch logs). Security officer (CISO): Théophile Bousquet (theophile@kleep.ai). Our detailed security questionnaire is available on request.
  • Retention: 12 months.

7. Roadmap

Per-purpose consent granularity (allowing visitors to consent to each of the three purposes in §4 independently) is planned. Until then, consent is collected globally as described in §4.
Questions about cookies, data processing or our security posture? Contact theophile@kleep.ai.