Data Protection Impact Assessment for Zoovu Advisor Studio (ZOE)

PURPOSE OF THE DPIA

The Data Protection Impact Assessment is a process designed to identify risks arising out of processing personal data. Its goal is to minimize these risks as far as and as early as possible.

IDENTIFYING THE NEED FOR A DPIA

A DPIA is a risk assessment that should be carried out by the data controller where processing operations are likely to result in a high risk to the rights and freedoms of natural persons. It should evaluate, in particular, the origin, nature and severity of that risk. The outcome of the assessment should be considered when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the GDPR. The controller shall consult the supervisory authority prior to processing where the DPIA shows that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Whereas DPIAs are the responsibility of the controller, Zoovu has prepared this document to assist its clients in meeting their compliance obligations regarding the implementation of ZOE.

Project summary

The project involves the implementation of Zoe AI-Powered Assistant on the data controller's (Client’s) e-commerce platform. Zoe, provided by Zoovu, is an AI-driven digital assistant that helps end-users (shoppers) find suitable products. This is achieved by:

  1. Asking the end-user a series of questions to understand their needs, preferences and context.
  2. Processing the end-user's answers.
  3. Providing personalized product recommendations in real-time.

The processing involves collecting and analysing end-user interaction data and their responses to deliver this personalized shopping experience. Zoovu acts as a data processor on behalf of the controller.

Zoe functions as an AI shopping advisor, designed to interpret complex technical specifications and transform them into clear, customer-friendly descriptions and explanations. By contextualizing product details in everyday language, it ensures that end-users can easily understand how a product aligns with their specific needs and preferences.

For example, when a customer is considering a digital camera, Zoe uses specifications such as “24.2MP APS-C CMOS sensor, ISO 100–25,600, 4K UHD 30fps” and interprets them in plain language. For instance:

  • “The 24.2-megapixel sensor allows you to capture sharp, high-quality images, even if you want to print them in large formats.”
  • “The wide ISO range means the camera performs well in low-light settings, such as indoor events or evening photography.”
  • “4K video recording lets you create professional-looking videos with rich detail—ideal for travel vlogs or family memories.”

Zoe offers the following administrative capabilities to the Clients:

  • Conversation Configuration: Design/edit prompts and instructions, define guardrails, support and fallback topics, tone of voice
  • Testing & Preview: Validate and QA before publishing
  • Analytics: Monitor performance and user behavior, both aggregate and session-by-session.
  • Branding: Customize appearance and messaging

Along with Zoovu Platform, it offers the following additional administrative capabilities:

  • Data Management: Import, map, and structure product data
  • Syndication: Deploy across channels and manage settings
  • Access Control: Manage user roles and permissions

Reasons for conducting a DPIA (criteria marked [x] apply to this project):

  • [ ] a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • [ ] processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences, or vulnerable data subjects
  • [ ] a systematic monitoring of a publicly accessible area on a large scale
  • [ ] processing that involves preventing data subjects from exercising a right or using a service or contract
  • [ ] systematic and extensive profiling or automated decision-making to make significant decisions about people
  • [ ] processing biometric or genetic data in combination with any of the criteria in the European guidelines
  • [ ] combining, comparing or matching data from multiple sources
  • [ ] processing personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines
  • [x] processing personal data in a way that involves tracking individuals’ online or offline location or behaviour
  • [ ] processing children’s personal data for profiling or automated decision-making or for marketing purposes, or offering online services directly to them
  • [ ] processing personal data that could result in a risk of physical harm in the event of a security breach
  • [x] other processing using new technologies that is, taking into account the nature, scope, context and purposes of the processing, likely to result in a high risk to the rights and freedoms of natural persons: processing using AI

Data categories processed

Zoe collects zero-party data, such as customer needs, preferences and usage context. It may also gather interaction behavior like selected answers and engagement paths, helping the controller to understand the intent behind each purchase. In particular, the following categories of personal data are processed:

  • User preference data: the end-user's answers to the relevant questions.
  • Interaction data: clicks, navigation path and user journey within the assistant interface.
  • Technical data: IP address, browser type, device information, session identifiers.
  • Recommendation data: the product recommendations shown to the user.

The “Zoe Conversation” functionality allows end users to provide free-text input. While Zoovu does not design or configure Zoe to request personally identifiable information or personal data (“PII”), end users may nevertheless disclose such data voluntarily in their responses. In such cases:

  1. Controller responsibility. The Client, as data controller, has access to and visibility over conversation data. It is the Client’s responsibility to review such data and, where PII is inadvertently captured, to submit a deletion request to Zoovu at [email protected]. Upon receipt of such a request, Zoovu will remove the identified PII without undue delay.
  2. Processor role. Zoovu acts strictly as processor with respect to such conversation data and does not independently use, mine, or profile on the basis of end-user free-text input.
  3. User disclaimer. Clients have access to a configurable disclaimer to be displayed to end users, clearly instructing them not to share PII or other sensitive information if they do not wish such data to be processed.
  4. Mitigation. This approach ensures data minimization in line with Art. (1)(c) GDPR, while providing Clients with both technical (configurable disclaimer) and organizational (post-hoc deletion on request) controls.

The aggregated usage data described above is processed by Zoovu only where the Client has lawfully obtained the necessary end-user consent through its own consent management platform (“CMP”) and via the use of a first-party cookie. Zoovu provides technical configuration options that enable Clients to integrate their CMP and ensure compliance with applicable global data protection and e-privacy regulations.

IP addresses of end-users and other data relating to the devices through which they access the service are used for breach prevention and analysis mechanisms (anti-DDoS protection, etc.).

Special category data: Zoe does not process special categories of data (as defined in Article 9 of the GDPR) by default.

Zoe only uses the data held in the Zoovu Data Platform, and the rules the controller has set for it, when interacting with customers.

Collection, use, storage and deletion of the data.

  • Collection: data is collected directly from the end-user via their interaction with the Zoe assistant embedded on the controller's website/app.
  • Use:
    • To provide the core service: helping end users choose the best fit and delivering a conversational shopping experience.
    • To enable the controller to analyse the performance of the assistant (e.g. usage analytics, conversion rates).
    • Zoovu uses aggregated and anonymized data to improve its AI models and service performance. This data is not traceable to any individual.

  • Storage: data is stored in a secure cloud environment (Microsoft Azure) within the European Union.
  • Deletion: personal data is retained and deleted in accordance with the controller's instructions as set out in the Data Processing Agreement. The controller is responsible for defining the appropriate data retention period.

Numbers of individuals involved.

This will depend on the traffic to the controller's website, but the service is designed for processing on a large scale, potentially involving thousands or millions of end-users. Processing occurs for each user session that interacts with the assistant.

Retention period.

Where enabled on the basis of valid end-user consent, the first-party cookie may persist on the end user’s browser for up to three hundred sixty-five (365) days. Such a cookie will not be created absent consent, and its lifespan is limited to the stated duration, subject to earlier deletion upon withdrawal of consent or user action.

Zoovu stores conversation transcripts as part of its reporting and analytics services (“Insights”) made available to Clients and for the limited purpose of retraining and refining Zoovu’s models to improve future performance of the Service. All conversation data is processed in an anonymous manner and cannot be attributed to any identified or identifiable individual. Conversations are used solely to provide Clients with aggregated insights and reporting and to enhance Zoovu’s technology; they are never shared with third parties other than sub-processors or used for unrelated purposes. Each conversation is assigned a unique session key, which is linked only to a server-side session on Zoovu’s systems and is not connected to any user identifier. In accordance with Zoovu’s internal policy and data protection commitments, Zoovu does not engage in browser fingerprinting, identity stitching, or other techniques intended to re-identify end users. Conversation transcripts are retained by Zoovu for the duration of the contractual relationship with the relevant Client. Where expressly agreed with the Client, Zoovu may also use such data to train and enhance its AI systems. In such cases, the training data set forms part of Zoovu’s proprietary models and is not deleted upon contract termination, but remains in anonymized form within the AI training corpus.

Geographical area.

The service is offered globally. This DPIA specifically considers processing activities that fall under the territorial scope of the GDPR and UK GDPR.

Nature of the relationship with the individuals.

Zoovu, as the processor, has no direct relationship with the end-users. The relationship is between the end-user and the controller (the e-commerce business). End-users would reasonably expect a product recommendation tool to use their stated preferences to suggest products. While they may not be specifically aware of Zoovu's role as a processor, the GDPR and UK GDPR only require controllers to disclose categories of recipients, without needing to provide specific details.

Risks to rights and freedoms of data subjects.

  • Risk of unwanted profiling: the creation of a detailed profile of a user's preferences, which could be inaccurate.
  • Risk of bias or discrimination: the AI algorithm could potentially lead to biased recommendations, unfairly favouring certain products or user groups.
  • Risk of low transparency: the user may not understand that an AI system is making the recommendations or how it works, leading to a lack of trust and control.

Specific issues of public concern.

The use of AI and profiling in e-commerce is a subject of public and regulatory scrutiny. Concerns often focus on the potential for "dark patterns," algorithmic bias and the lack of explainability in AI systems. This DPIA acknowledges these concerns and incorporates measures to address them.

Intended purpose.

To enhance the end-user's shopping experience by making product discovery easier, faster and more accurate. For the controller, the goal is to increase sales and customer satisfaction and to reduce product returns.

INTERNAL CONSULTATION

Intended effect on individuals and benefits of the processing.

  • For the individual: a more personalized and efficient shopping experience, helping them make better-informed purchasing decisions with less effort.
  • For the controller: increased conversion rates, higher average order value, improved customer loyalty and valuable insights into customer needs and product performance.

Consultation with security experts or any other experts.

As the provider of the service, Zoovu has developed the Zoe assistant in consultation with its internal teams, including:

  • AI/Machine Learning engineers
  • Data privacy and legal experts (including its DPO)
  • Information security and infrastructure teams

Controllers implementing the service should consult with their own DPO and relevant stakeholders.

Data subjects’ views obtained or explanation why it is not necessary to seek them.

As a processor, it is not feasible for Zoovu to directly consult with the controller's end-users. The controller may consider it beneficial to seek user feedback on the assistant's functionality and transparency through methods like user testing, surveys or feedback forms. The intuitive nature of the service (answering questions to get recommendations) aligns with general user expectations for such tools, making formal consultation on the processing itself less critical, provided full transparency is ensured in the privacy notice.

ASSESS THE NECESSITY AND PROPORTIONALITY

The processing must not go beyond what is reasonably necessary to achieve the specified purpose, and the data must be used only for those limited purposes.

Lawful basis for processing.

This determination is the responsibility of the data controller. The likely lawful basis is Legitimate Interest (Art. 6(1)(f) GDPR). The controller has a legitimate interest in providing an effective and user-friendly shopping experience on their website to promote and sell their products. The end-user, in turn, benefits from a tool that helps them find what they are looking for.

If using this basis, the controller must conduct a Legitimate Interests Assessment (LIA) to balance their interests against the rights and freedoms of the data subject. The processing is proportionate as it is limited to providing recommendations based on data actively provided by the user for that specific purpose.

Alternatively, controllers may choose Consent (Art. 6(1)(a) GDPR), particularly if the data collected is intended for subsequent marketing personalisation.

Does the processing achieve the purpose of processing?

Yes, the processing is directly necessary to achieve the purpose of providing personalized product recommendations. While users could use traditional filters and search bars, these methods are often less effective and intuitive for complex product catalogs, making the AI assistant a more proportionate and efficient solution.

Measures planned to mitigate the identified risks to rights and freedoms of the data subjects.

  • Transparency: the controller must update their privacy notice to clearly explain the use of the AI assistant, the types of data collected, the purpose of processing and the categories of recipients. Zoe enables Clients, in their capacity as data controllers, to configure and display their own informative messages to end users (e.g., disclosures that the user is interacting with an AI system). The content and adequacy of such messages remain the sole responsibility of the Client, who must assess and implement them in line with applicable national and regional legal requirements. Zoovu has placed the following warning in the dashboard that Clients have access to: “Some AI regulations require informing end users when they are interacting with an AI system. Zoovu enables its Clients to include their own disclaimers and/or terms and conditions to help meet these transparency obligations. Clients are solely responsible for ensuring that any content, including inserted text, complies with applicable laws, including AI-related laws.”
  • Data minimisation: the controller is responsible for setting the rules for Zoe to interact with the end-users. The Zoovu platform is designed to only process the data required to function.
  • Security measures: Zoovu implements robust technical and organizational security measures, including encryption of data in transit and at rest, strict access controls and regular security audits. Zoovu complies with industry-recognized security frameworks, including SOC 2 and ISO 27001.
  • Algorithmic fairness: Zoovu is committed to mitigating bias in its AI models through regular testing, monitoring and by avoiding the use of sensitive personal data in its algorithms.
  • Data subject rights: as the processor, Zoovu will assist the controller in responding to data subject rights requests as contractually agreed in the DPA.

Prevention of function creep.

Function creep is prevented through:

  • Contractual controls: the DPA strictly limits Zoovu's use of data to the provision and improvement of the contracted service.
  • Technical controls: the platform is designed for the sole purpose of providing product recommendations.
  • Controller responsibility: the controller must not use the data collected via the assistant for purposes other than those disclosed to the user without a new lawful basis.

Information shared with data subjects.

The controller is responsible for sharing the following in their privacy notice:

  • The purpose of the AI assistant.
  • The legitimate interest or consent-based legal basis for processing.
  • The categories of personal data processed.
  • The category of recipient to which Zoovu belongs (for example, AI-powered digital assistant provider).
  • Information about international data transfers.
  • The data retention period.
  • Clear instructions on how users can exercise their rights (access, rectification, erasure, etc.).

Measures taken to ensure that data recipients, including processors, comply.

As a processor, Zoovu ensures compliance of its own sub-processors through:

  • A formal due diligence process for selecting sub-processors.
  • GDPR-compliant DPAs with all sub-processors.
  • For international transfers, Zoovu ensures appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs). A list of sub-processors is available to controllers here.

Measures to ensure the quality of data and its processing, and data minimization.

  • Data quality: data is collected directly from the user, which ensures it reflects their current intent.
  • Data minimization: the principle is applied by design; the assistant only collects the data needed to perform its function.
  • AI fairness and explainability: Zoovu employs a multi-faceted approach to avoid bias. This includes designing algorithms that can be interrogated for their logic, regular monitoring of outcomes for anomalous or potentially discriminatory patterns and continuous model refinement. While full explainability of complex AI can be challenging, the logic is based on user inputs, making the outcomes inherently traceable to the user's choices.

RESULTS OF THE DPIA

  • [x] Privacy risk is not high
  • [ ] Privacy risk is high but can be mitigated to an acceptable level through proposed measures (prior consultation with the ICO or another DPA needed)
  • [ ] Privacy risk is high but cannot be mitigated (the project may not go ahead)