Do I need to disclose Brevo (Sendinblue) in my privacy policy?

Yes. Because Brevo processes personal data on your behalf as a third-party service provider, you must disclose its use in your privacy policy under GDPR and similar regulations. You should specifically name Brevo and explain that email addresses and form submissions are sent to their platform for campaign delivery and analytics.

What data does Brevo (Sendinblue) collect from website visitors?

Brevo collects email addresses, form submission data (names, contact information, etc.), and browsing behavior such as email open rates, click-through rates, and link engagement. If you use Brevo's tracking pixel or forms, they may also collect IP addresses and basic device information associated with email interactions.

Do I need a cookie consent banner for Brevo (Sendinblue)?

Brevo does not set cookies through typical website tracking mechanisms. However, if you embed Brevo forms or use their tracking pixel to monitor email engagement, you should check your specific implementation. When in doubt, disclosing Brevo in your cookie policy and obtaining consent for form submissions is a best practice under GDPR.

Who processes my data with Brevo (Sendinblue) and where is it stored?

Brevo, a company headquartered in France (within the EU), acts as your data processor. They store and process your email lists and campaign data on EU servers, which provides GDPR compliance. Brevo is the sole processor; data is not transferred outside the EU unless you configure additional integrations.

Email Marketing

Privacy policy clauses for Brevo (Sendinblue)

Brevo (formerly Sendinblue) is a cloud-based email marketing and transactional email platform that websites use to send newsletters, promotional campaigns, and automated emails to subscribers. We use Brevo to manage our email communications and track engagement metrics.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Brevo (Sendinblue) collects

Your privacy policy must disclose each of the following data types when you use Brevo (Sendinblue).

Form data

Browsing behavior

When does Brevo (Sendinblue) trigger privacy obligations?

Installation and data flows

The moment you embed Brevo (Sendinblue) on your site or integrate its API—whether for email capture forms, transactional emails, or contact syncing—you begin collecting and transmitting email addresses, form field data, and (if you use Brevo's tracking features) browsing behavior to Brevo's servers in France.

Regulatory thresholds

GDPR (if any user is in the EU/EEA): Applies immediately. Brevo is a data processor under GDPR Article 28. You are the controller. You must have a lawful basis (consent under Article 6(1)(a), legitimate interest under 6(1)(f), or contract) *before* collecting email or form data. You must provide a privacy notice under Article 13 or 14.

CCPA (if any user is in California): Applies if you collect personal information from California residents. Email and form data qualify. You must disclose categories of data collected, purposes, and third-party sharing under CCPA § 1798.100.

Privacy policy clauses for Brevo (Sendinblue)

What data Brevo (Sendinblue) collects

When does Brevo (Sendinblue) trigger privacy obligations?

Installation and data flows

Regulatory thresholds

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: No DPA or unsigned SCCs

Pitfall 2: Silent form embeds without consent disclosure

Pitfall 3: Relying on Brevo's privacy policy instead of your own

Sample privacy policy clause

What regulators look for

Enforcement priorities

Frequently asked questions

Do I need to disclose Brevo (Sendinblue) in my privacy policy?

What data does Brevo (Sendinblue) collect from website visitors?

Do I need a cookie consent banner for Brevo (Sendinblue)?

Who processes my data with Brevo (Sendinblue) and where is it stored?

Don't ship without Bandit.