Blog / Privacy
Privacy3 min read · July 5, 2026

Personalization that collects nothing

The industry answered privacy pressure with consent banners stapled onto identity harvesting. The real answer is architectural: personalize the session, collect no one.

The AXO Team
Notes on agentic personalization

There's a meeting that kills personalization projects in regulated industries, and it's a short one. Legal asks: "What does the tool collect?" The standard vendor's honest answer is: everything it can. Identity resolution, cross-site tracking, profile enrichment, a warehouse of PII whose retention policy is now your problem. The project dies — or worse, survives with a consent banner stapled over the top, which is the industry's main answer to privacy pressure: keep harvesting, add a modal.

The actual answer was always architectural.

Personalize the session, not the person

The signal you need to convert a visitor is mostly the signal they're generating right now: the pages, the dwell, the sequence, the hesitation at the pricing table. In-session behavioral scoring reads that, decides what the page shows, and lets the signal die with the session. No identity resolution, no third-party cookies, no profile accumulating in a warehouse. For the anonymous majority of traffic this isn't a degraded mode — it's the only mode that works, and it happens to be the one compliance can approve.

We've argued before that you don't need identity to convert. This is the stricter claim: in a regulated industry, you need the inability to collect — and it has to be provable, not promised.

Zero-PII as a switch, not a promise

For a hospital system or a bank, "we won't collect PII" is a sentence on a vendor slide. What passes review is a mechanism. AXO ships passive mode: one switch, enforced server-side, under which every PII-ingesting path in the product stops working. Lead capture no-ops. Identity attachment no-ops. CRM sync no-ops. The tag stops rendering forms that ask for contact information — the enforcement isn't a configuration the tag politely respects, it's the server refusing the data.

What still works is everything anonymous: behavioral scoring, cookieless personalization, conversion measurement, the holdout. So a pilot can run for a quarter, prove lift against a control group, and the total PII collected is zero. Not "minimal." Not "pseudonymized." Zero — and your compliance team reviews a switch, not a paragraph of assurances. Healthcare gets one more layer on top: a privacy-proxy deployment pattern for HIPAA contexts, so the story on covered pages starts from "nothing leaves that shouldn't" instead of being retrofitted.

Where AXO sits

Identity-free, in-session decisioning isn't a privacy feature we bolted on; it's the architecture the product started from — which is why the zero-PII configuration still personalizes and still measures. If your last personalization project died in that meeting with legal, the demo worth asking for is the one where the vendor turns collection off and shows you what still works. For most of the category, that demo is a blank page. For us, it's the same product.

QUESTIONS PEOPLE ASK

Can you do website personalization under HIPAA?

Yes, with the right architecture: in-session behavioral scoring that personalizes from anonymous behavior in the current visit, with no identity resolution and no PII collection, plus a privacy-proxy deployment pattern for covered pages. The key compliance property is enforcement — a server-side mode that disables every PII-ingesting path outright is reviewable in a way that a vendor policy promise is not.

How do you run a personalization pilot with zero PII?

Enable a server-enforced passive mode before the tag goes live: lead capture, identity attachment, and CRM sync are disabled at the API so no PII can be ingested even by accident, and the tag renders no contact forms. Anonymous behavioral scoring, personalization, conversion tracking, and the randomized holdout keep working, so the pilot still produces a causal lift measurement — with nothing for a privacy review to object to.

Does privacy-safe personalization still measure results?

Yes. Lift measurement needs a randomized holdout and anonymous conversion events, neither of which requires PII. A zero-PII deployment can still report conversion lift of treated sessions against held-out sessions; what it gives up is identity-dependent features like lead capture and CRM sync, not proof.

See it sort your own traffic.
One tag, live in about 15 minutes.
Start free trial →
RELATED NOTES