Do I need to disclose ConvertKit (Kit) in my privacy policy?

Yes. ConvertKit (Kit) processes personal data on your behalf, making it a third-party data processor that must be disclosed in your privacy policy. Users have a legal right under GDPR and CCPA to know which services receive their information. Omitting ConvertKit (Kit) from your policy creates compliance gaps and violates transparency requirements.

What data does ConvertKit (Kit) collect?

ConvertKit (Kit) collects email addresses, names, signup source information, and custom tag data you assign to subscribers. It may also track subscriber engagement metrics like opens and clicks. The platform does not set cookies, so engagement tracking relies on pixel tracking or server-side methods rather than persistent client-side storage.

Do I need a cookie consent banner for ConvertKit (Kit)?

No cookie consent banner is required specifically for ConvertKit (Kit), as the platform does not set cookies. However, if your website uses other tracking technologies or if ConvertKit (Kit) implements pixel-based tracking in the future, you should review your overall consent strategy to remain compliant with GDPR and ePrivacy regulations.

Who processes my data with ConvertKit (Kit) and where?

ConvertKit LLC, now operating as Kit, is the data processor. The company is based in the United States and stores subscriber data on U.S. servers. Under GDPR, data transfers to the U.S. require a lawful transfer mechanism such as Standard Contractual Clauses (SCCs). You should verify Kit's Data Processing Agreement confirms appropriate safeguards.

Email Marketing

Privacy policy clauses for ConvertKit (Kit)

ConvertKit (Kit) is an email marketing platform designed for creators and newsletter publishers to build subscriber lists, send campaigns, and monetize their audiences. Websites integrate it to capture email addresses and manage subscriber relationships.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data ConvertKit (Kit) collects

Your privacy policy must disclose each of the following data types when you use ConvertKit (Kit).

Email address

Name

Signup source

Tag data

When does ConvertKit (Kit) trigger privacy obligations?

ConvertKit (Kit) begins collecting data the moment a signup form is embedded on your site or app. Specifically, email addresses, names, signup sources, and tag data flow directly to ConvertKit LLC's servers in the United States.

GDPR applies if: You process any EU resident's data. ConvertKit's US location means data crosses borders—triggering GDPR Chapter 5 (transfers) requirements. You must establish a lawful transfer mechanism (Standard Contractual Clauses, adequacy decision, or binding corporate rules). Additionally, GDPR Article 13 requires you to disclose to EU visitors that their email is transferred to a US processor *before* they submit the form.

CCPA applies if: You collect California residents' data and meet CCPA thresholds (gross annual revenue >$25M, data on 100k+ consumers/households, or >50% revenue from selling personal information). CCPA Section 1798.100 requires you to disclose what data ConvertKit collects and its purposes in your privacy policy.

Privacy policy clauses for ConvertKit (Kit)

What data ConvertKit (Kit) collects

When does ConvertKit (Kit) trigger privacy obligations?

Where data goes

Common compliance pitfalls

Missing or Vague DPA with ConvertKit

Inadequate Pre-Submission Disclosure for EU Users

Forgetting CCPA Disclosure of ConvertKit's Role

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose ConvertKit (Kit) in my privacy policy?

What data does ConvertKit (Kit) collect?

Do I need a cookie consent banner for ConvertKit (Kit)?

Who processes my data with ConvertKit (Kit) and where?

Don't ship without Bandit.