Notes

Customer record: what to note, how to keep it

What a shop's customer record should contain, the 30-second note that keeps it alive, what GDPR lets you write, and the CNIL three-year retention rule.

A regular walks into a music shop and asks whether the strings he bought last spring will suit the guitar he wants to trade in. The owner who wrote three lines after that sale answers in ten seconds; the owner who trusted memory starts guessing. That gap is the whole case for a customer record: not the form you fill in once, but the history you keep alive. This guide covers what belongs on the record, the 30-second habit that makes it worth keeping, and the part almost no guide touches: what you are legally allowed to write down.

The four blocks a customer record needs

Four blocks cover everything a shop's customer record needs: identity and contact details, preferences and context, a dated event history, and consents. Nothing else belongs. GDPR Article 5(1)(c) supplies the sizing rule: personal data must be "adequate, relevant and limited to what is necessary", so every field has to earn its place.

BlockWhat goes inWhy it earns its place
Identity and contactName, email, phoneReaching the client; email doubles as a reliable identity key
Preferences and contextSizes, instrument, equipment owned, habitsThe next visit starts as a conversation, not a cold start
Event historyDated purchases, repairs, questions, promisesThe part that compounds; see the 30-second note below
ConsentsEmail and SMS opt-ins, with the date givenWhat lawful prospecting rests on, and the first thing a check looks at

Notice what is missing. Birthday, profession, family situation: tempting columns, and each one is personal data you must protect, keep accurate and eventually erase. A field collected "just in case" is a liability wearing a nice label. Lean records are not only easier to defend; they are also the only ones that stay accurate.

A record is not a persona

Individual and operational, a customer record describes one actual person: their contact details, their history, their consents. A persona is an aggregate marketing sketch ("women 25 to 40 who shop on Saturdays"), useful for choosing stock or ad placements, useless at the counter. Many of the "customer profile" templates online describe the second while promising the first. Behind the counter, no persona tells you Martin plays a five-string bass and is waiting on a quote; only his record does. Quick test: if a template asks for "purchase motivators" instead of a phone number, it is a persona in disguise.

The 30-second note after each visit

One habit separates a live record from a dead form, and it takes half a minute: after each visit that matters, write the date, the context, the fact, and the next step. "March 12, repair drop-off. Jazzmaster, crackling jack. Quote promised Friday." Four fragments, written before the door closes. No prose required.

Each note is an event, not a task: it does not vanish once handled, it accumulates. Twenty notes later, the record answers questions memory cannot: what he bought, what he asked, what you promised. Of the four fragments, "next step" pays fastest, because a promise written down becomes a follow-up that actually happens rather than an apology in the making. Retention economics back the discipline too: Harvard Business Review (2014) puts acquiring a new customer at five to 25 times the cost of retaining an existing one, and the customers you retain are precisely the ones whose history you kept.

What can you legally write in a note?

Anything factual, relevant and not excessive, and nothing you would be embarrassed to hand over, because under the GDPR right of access the customer can read every note at any time. In its 2019 guidance on free-text comment zones, the French regulator CNIL draws the lines most template guides skip entirely.

Three of those lines matter daily. Notes must stay objective: "difficult exchange with the customer" is acceptable where "customer lost it" never is. Sensitive data (health, religion and the like) stays out without explicit consent, even when the customer volunteers it in conversation. And details that feel like harmless context can be excessive on their own: the CNIL names "going through a divorce" and "unemployed" as notes a customer file should not hold. It even recommends dropdown values over free text where possible, which is an argument for structured records in general.

None of this is theoretical. In its 2025 annual report, the CNIL counts a record 20,150 complaints received in 2025, 10% more than in 2024, with commerce among the leading complaint themes. Retention has a benchmark too: under the CNIL's commercial-management guidance (2022), customer data used for prospecting may be kept for the length of the relationship plus three years from its end; data on prospects who never bought, three years from collection or last contact. That is a regulator's recommendation rather than a statute: invoicing and warranty obligations can justify holding specific data longer.

Paper, spreadsheet, or a structured customer record

Shop tooling follows a natural progression (a notebook by the till, then a spreadsheet, then a structured record), and every stage is legitimate. Switching is due not when a vendor says so, but when the current tool starts losing history.

Paper works until you need to search it. A spreadsheet works until three limits bite: duplicate rows quietly split one client's history in two (one client, one record is harder than it sounds), a cell overwrites its previous value exactly where the record should accumulate dated events, and consents and retention turn into promises nobody can enforce. Our full comparison lives elsewhere; the short version is that a spreadsheet stores a state while a customer record is a history.

Whatever the tool, keep it small and clean, because sprawl is how records rot. Historis, a client-tracking CRM built for retail stores, is shaped around those four blocks: one record per person carrying contact details, context and consents, and a timeline where each 30-second note lands as a dated event. The records a team ends up trusting are the ones topped by a recent dated note, not the ones with the most fields filled in. No structure writes the notes for you; it just makes sure the ones you write are still there, on the right person, three years later.

Why a customer record matters

Memory is a shop's edge over a chain: the strings Martin buys, the hem Mrs. Blanc always asks about, the quote you promised for Friday. Templates sell the form, and the form is the cheap part. What actually pays is a four-fragment note per visit, plus the discipline to write it as if the client will read it, because legally they can. Keep the customer record lean, keep it factual, keep it alive.

Related: why one client must mean one record and why events beat tasks for client work.

Frequently asked questions

What fields belong on a customer record?
Four blocks: identity and contact details (name, email, phone), preferences and context (sizes, equipment owned, habits), a dated history of interactions (purchases, repairs, questions), and consent flags for email or SMS marketing. GDPR's data-minimisation principle is the sizing rule: data must be adequate, relevant and limited to what is necessary, so every field must earn its place: a birthday field you never use is a liability, not an asset.
Can customers read the notes I keep about them?
Yes. The GDPR right of access covers free-text notes, and the French regulator CNIL reminds businesses that a customer can exercise it at any time and read every comment. Its guidance: keep comments factual, relevant and non-excessive, never insulting, and never record sensitive data such as health or religion without explicit consent. The practical rule is simple: never write anything you could not hand to the customer.
How long can I keep a customer record?
For prospecting purposes, the French CNIL's benchmark is the duration of the commercial relationship plus three years from its end; prospects who never bought can be kept three years from collection or their last contact. It is a regulator's recommendation rather than a statutory limit, and legal obligations such as invoicing or warranties can justify keeping specific data longer. Outside France it remains a sound default: it puts the GDPR's storage-limitation principle into practice.
Is a spreadsheet enough for customer records?
At the start, yes: a spreadsheet is free, familiar and better than memory. Its limits appear with volume: duplicate rows split one client's history, a cell overwrites the previous value where a record should accumulate dated events, and there is no access control or reliable way to apply retention rules. When you find yourself scrolling to remember what happened last visit, it is time for a structured record.

Related posts