AB Tasty and Data Protection – What Belongs in the Privacy Policy
AB Tasty privacy check: data processed, GDPR legal bases, DPA and mandatory disclosures for the privacy policy.
AB Tasty is an experimentation and personalisation platform for A/B testing, multivariate testing and feature management. Website operators integrate the system via a JavaScript tag and use it to optimise user journeys through data-driven experiments. For German websites and privacy policies, a thorough engagement with the processing operations, the legal basis and the mandatory disclosures is required.
A. Purpose and Function of AB Tasty
AB Tasty is a Digital Experience Optimization platform that combines three functional areas: classic A/B testing (also: multivariate testing, split-URL tests), personalisation and feature management via feature flags.
A/B testing and personalisation: Website operators define target groups, test groups and variants of their website or application. AB Tasty determines for each visitor which variant they see, and measures interactions and conversions. The difference from classic web analytics (e.g. Google Analytics): AB Tasty shows different user groups different content and specifically measures which variant performs better – i.e. not only what users do, but how they react to different changes.
Feature flags and rollouts: AB Tasty enables new features to be rolled out in a controlled manner to a subset of users (progressive rollout) or made available to specific segments.
JavaScript integration: For AB Tasty to work, a JavaScript tag must be embedded on the website. This tag loads automatically when the page is opened and communicates with AB Tasty's servers. The tag stores data locally in the browser (cookie or local storage) and sends information to AB Tasty's data collection endpoints (e.g. ariane.abtasty.com).
B. Mandatory Disclosures in the Privacy Policy
Pursuant to Art. 13(1) GDPR (or Art. 14 for data not collected directly), controllers must inform data subjects comprehensively. For AB Tasty and similar tracking tools, the following mandatory disclosures are central:
- Identity and contact details of the controller (Art. 13(1)(a)): the website operator itself
- Purposes of processing (Art. 13(1)(c)): serving test variants, measuring conversions, creating user profiles for personalisation
- Legal basis (Art. 13(1)(e)): often Art. 6(1)(a) (consent, where cookies are involved), in individual cases Art. 6(1)(b) or (f)
- Recipients/processors (Art. 13(1)(e)): AB Tasty SAS (France) as processor, possibly sub-processors (AWS, Google Cloud)
- Retention period and erasure (Art. 13(1)(e)): e.g. cookie duration (often 365 days), retention period on servers, automatic erasure
- Data subject rights (Art. 13(2)(a)–(f)): access, rectification, erasure, restriction, data portability, objection, automated decision-making
A mere text template from cookie plugins or sample privacy policies is not sufficient, as these are often too generic and do not take into account the specific data flows and configurations of the website.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider
Name and address:
- AB Tasty SAS
- 8 Rue Sainte-Cécile, 75009 Paris, France
- Register number: Paris B 518 685 540
- VAT ID: FR92518685540
- Email (data protection): dpo@abtasty.com
- Phone: +33 (0)1 84 17 87 52
- Website: https://www.abtasty.com
Jurisdiction and data protection: AB Tasty SAS is a company based in France (EEA). As a processor, it is subject to the GDPR. France is an EEA country; there are therefore no concerns regarding a third-country transfer to AB Tasty itself. However, AB Tasty may use sub-processors (e.g. AWS with data centres outside the EU).
Privacy policy and documentation:
- General privacy policy: https://www.abtasty.com/privacy-policy/
- GDPR compliance: https://www.abtasty.com/gdpr-compliant/
- Customer Personal Data Processing: https://www.abtasty.com/customer-personal-data-processing/
- Technical documentation (cookies, consent): https://docs.abtasty.com/
D. Data Processing – Sequence
Collection and initialisation
When a page loads, the AB Tasty JavaScript tag is executed. The tag generates a visitor ID (16 alphanumeric characters, hashed) and stores it in an ABTasty cookie or local storage. In parallel, data such as the current page view, device information and browser details are recorded locally.
Storage (client-side)
The browser stores all collected data locally in a cookie (max. 3900 bytes) or in local storage. The cookie has a typical lifetime of about 365 days but can be configured.
Data transfer (server-side)
The data is transferred to AB Tasty's servers (e.g. ariane.abtasty.com). The infrastructure uses AWS and Google Cloud with ISO 27001 and SOC 2 certifications.
Processing and variant assignment
Based on the visitor ID and any segment assignment, AB Tasty calculates which test variant this visitor should see and sends this information back to the browser. The JavaScript tag adjusts the page accordingly.
Measurement and reporting
All interactions (clicks, conversions, defined events) are recorded and sent to AB Tasty. The website operator can analyse this data in the AB Tasty dashboard. Consent information (date, time, mode) is stored for 13 months.
Erasure and retention
Cookies and sessions expire after their configured lifetime. According to AB Tasty, IP addresses are deleted immediately and not stored permanently. Other data is deleted in accordance with the retention policies in the DPA.
E. Data Collected
AB Tasty collects a combination of technical, behavioural and profile data:
- Visitor identification (hashed): Unique visitor ID (16 characters, hashed) to recognise visitors across multiple page views
- Network data: Visitor's IP address; according to AB Tasty, these are deleted immediately and not stored persistently
- Timestamps: Date and time of page views and events
- Page views and navigation: URL of the visited page, referrer, page path
- Click paths: Which elements the visitor clicked on (if action tracking is enabled)
- Device and browser information: Device type (desktop, tablet, mobile), operating system, browser name, browser version, screen size
- Coarse location data: Location derived from the IP address (region, country)
- Segment assignment: AB Tasty assigns visitors to segments (e.g. "premium user", "new visitor") based on behavioural rules or first-party data
- Test and variant assignment: Which test ID and which variant the visitor sees
- Conversion events: Predefined goal events (e.g. purchase, newsletter sign-up, download)
- Interaction data: Scroll behaviour, dwell time, engagement metrics
- Optionally custom events: Website operators can track any events (e.g. "video started", "form initiated")
Note: This data is provided to the processor AB Tasty; the website operator remains the controller and determines which data is collected and for which purpose it is processed.
F. Purposes of Use
AB Tasty processes the data for the following purposes:
- Provision of functionality: Delivering the correct test variant to the right visitor; technical functioning of experiments and feature flags
- General product improvement: Evaluation and analysis of test results to optimise UX and conversion rate
- User profile creation: Automatic segmentation of visitors based on their behaviour or first-party data, e.g. to reach specific target groups in future tests
- User-individual product improvement: Personalised content, recommendations or offers based on user profiles
- Security and operational stability: Monitoring and improvement of platform security
- Optionally consent management: Storage and management of consent status for 13 months
Website operators should specify in their privacy policy which of these purposes they specifically use and which segment criteria they apply.
G. Legal Bases
The legal basis/bases for processing depend on the specific configuration:
Consent (Art. 6(1)(a) in conjunction with Section 25(1) TDDDG): As soon as AB Tasty sets cookies (which is generally the case), these are not technically necessary under the German Telemedia Act (TDDDG, formerly TTDSG). This means: For cookie-based tracking of visitor ID, click paths and conversions, consent is required. This consent must be obtained before the cookie is set (opt-in principle). A cookie banner with an "Accept" button is therefore mandatory.
Legitimate interest (Art. 6(1)(f)) – exceptional case: In rare cases, a website operator could argue that A/B testing is necessary for the operation and improvement of its website and therefore falls under legitimate interests. This view is assessed very critically in practice and is not the rule. Better: obtain explicit consent.
Performance of a contract (Art. 6(1)(b)) – possibly B2B: For B2B contexts (e.g. when an agency uses AB Tasty for a client), performance of a contract could be relevant, but the end visitor must consent here too.
Conclusion for practice: The safest and most commonly applicable legal basis is consent.
H. Special Features and Notes
Processing on behalf and Data Processing Agreement (DPA): AB Tasty acts as a processor pursuant to Art. 28 GDPR. The website operator as controller must conclude a written Data Processing Agreement (DPA) with AB Tasty. This should include, among other things, the following content:
- Subject matter and scope of processing
- Nature, context, scope and purposes of the processing
- Assurance of technical and organisational measures (Standard Contractual Clauses, encryption, access control)
- Provisions on sub-processors
The DPA can be requested from AB Tasty (dpo@abtasty.com). The standard contracts are often available on the website or are provided on request.
Third-country transfer and sub-processors: AB Tasty itself is based in France (EEA), but has sub-processors:
- AWS: Operates infrastructure in several regions worldwide, partly outside the EU (e.g. USA). For transfers to the USA, the Standard Contractual Clauses (SCCs) or, if applicable, national adaptations apply.
- Google Cloud: Similar, with worldwide data centres.
The website operator should find out in which regions its data is stored. In the worst case, data may be transferred to the USA, which requires additional legal assessment (EU-US Data Privacy Framework, SCCs).
Cookie consent integration and consent mode: AB Tasty offers various consent options:
- Consent-based: The tag waits until the user has consented to the cookie before it is fully initialised.
- Consent mode: The cookie policy can be configured so that AB Tasty only reacts after consent and does not use all functions beforehand.
The website operator should configure its cookie banner (e.g. Consentmanager, Cookiebot, OneTrust) so that AB Tasty cookies fall under the "Marketing" or "Statistics" category and are only set after consent.
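One way to check that the banner configuration actually holds back AB Tasty until consent, as an added example that is not AB Tasty's or this article's own code: it audits a recorded page-load timeline for AB Tasty cookie or storage writes and collection requests that occur before the consent event, and for a cookie lifetime longer than the one declared in the privacy policy. The event format and the `cmp_state` cookie are constructed for illustration; the `ABTasty` cookie name, the `ariane.abtasty.com` endpoint and the 365-day lifetime are taken from the article.

```javascript
// Hypothetical event format; "ABTasty" and ariane.abtasty.com come from the article.
const COLLECTION_HOSTS = ['ariane.abtasty.com'];
const DECLARED_MAX_AGE_DAYS = 365; // cookie lifetime stated in the privacy policy

function isAbTastyEvent(ev) {
  if (ev.type === 'cookie' || ev.type === 'storage') {
    // Assumption: local storage keys carry the vendor name, as the cookie does.
    return /abtasty/i.test(ev.name);
  }
  if (ev.type === 'request') {
    const host = new URL(ev.url).hostname.toLowerCase();
    return COLLECTION_HOSTS.some(h => host === h || host.endsWith('.' + h));
  }
  return false;
}

function auditTimeline(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const consent = sorted.find(e => e.type === 'consent' && e.granted === true);
  const consentAt = consent ? consent.t : Infinity; // never granted: all activity is "before"
  const findings = [];
  for (const ev of sorted) {
    if (!isAbTastyEvent(ev)) continue;
    if (ev.t < consentAt) {
      findings.push({ rule: 'before-consent', type: ev.type, at: ev.t, what: ev.name || ev.url });
    }
    if (ev.type === 'cookie' && ev.maxAgeDays > DECLARED_MAX_AGE_DAYS) {
      findings.push({ rule: 'lifetime-exceeds-policy', type: 'cookie', at: ev.t, what: ev.name });
    }
  }
  return findings;
}

// Constructed sample timelines (t = milliseconds since navigation start).
const leakyLoad = [
  { t: 120, type: 'cookie', name: 'ABTasty', maxAgeDays: 395 },
  { t: 180, type: 'request', url: 'https://ariane.abtasty.com/' },
  { t: 2400, type: 'consent', granted: true },
  { t: 2450, type: 'request', url: 'https://ariane.abtasty.com/' },
];
const gatedLoad = [
  { t: 90, type: 'cookie', name: 'cmp_state', maxAgeDays: 180 },
  { t: 1900, type: 'consent', granted: true },
  { t: 1950, type: 'cookie', name: 'ABTasty', maxAgeDays: 365 },
  { t: 2000, type: 'request', url: 'https://ariane.abtasty.com/' },
];

console.log(auditTimeline(leakyLoad), auditTimeline(gatedLoad));
```

A timeline of this kind can be assembled from a browser automation run that records cookie writes and network requests before and after the banner's "Accept" click.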
Opt-out and privacy settings: AB Tasty offers users an opt-out window/opt-out iFrame through which they can refuse to participate in tests. This should be documented or linked. Visitors can also request that their data be deleted (Art. 17 GDPR).
IP addresses: AB Tasty states that IP addresses are not stored, but deleted immediately. This is privacy-friendly, but limits functions (e.g. geo-targeting). The website operator should try to clarify whether and for how long IP addresses are temporarily available.
I. Frequently Asked Questions about AB Tasty and Data Protection
J. Conclusion
AB Tasty is a powerful tool for data-driven optimisation, but requires careful data protection documentation. The most important points for the privacy policy are:
- Identity of AB Tasty SAS (Paris, France) and contact details (dpo@abtasty.com)
- Specific purposes: A/B testing, personalisation, segment creation – not just "analysis"
- Data collected: Visitor ID, click paths, device data, conversion events – list precisely
- Legal basis: Consent (Art. 6(1)(a) + Section 25(1) TDDDG)
- Processor and DPA: AB Tasty as processor, written DPA required
- Retention period: Cookie lifetime (e.g. 365 days), consent storage (13 months)
- Data subject rights: Access, rectification, erasure, opt-out options
- Sub-processors: AWS and Google Cloud, possibly third-country transfer to the USA (review SCCs)
- Cookie consent: Integration with cookie banner and consent management system
A blanket text template is not sufficient – the topic-oriented and website-specific approach is legally cleaner and more transparent.
Disclaimer. This article provides an overview of data protection aspects of AB Tasty and does not claim to be exhaustive or to constitute legal advice. Every website is configured differently; therefore, the privacy policy should be individually reviewed by a data protection officer or lawyer. Status: April 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com