Do I need to disclose Klaviyo in my privacy policy?

Yes. Klaviyo collects personal data including email addresses, browsing behavior, and purchase history, making disclosure legally required under GDPR, CCPA, and similar privacy regulations. Your policy must identify Klaviyo as a third-party processor and explain what data you share with them and why.

What specific data does Klaviyo collect?

Klaviyo collects email addresses, customer profiles, browsing behavior on your website, and purchase history. This data is used to segment audiences and personalize marketing emails. Klaviyo also sets the __kla_id cookie to track visitors across sessions for up to 2 years.

Does Klaviyo require a cookie consent banner?

Yes. The __kla_id cookie that Klaviyo uses for visitor tracking is a marketing cookie in most jurisdictions. Under GDPR and CCPA, you must obtain explicit user consent before this cookie is set, typically through a cookie banner or consent management platform.

Who processes my data with Klaviyo and where is it stored?

Klaviyo Inc., a United States-based company, acts as your data processor. Data is transferred to and stored in the US. If your users are in the EU, you must have appropriate legal mechanisms (like Standard Contractual Clauses) in place to permit this transfer, as required by GDPR.

Email Marketing

Privacy policy clauses for Klaviyo

Klaviyo is an email marketing platform that tracks customer behavior and purchase history to send targeted promotional campaigns. E-commerce sites use it to build subscriber lists, segment audiences, and automate personalized email communications based on user activity.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Klaviyo collects

Your privacy policy must disclose each of the following data types when you use Klaviyo.

Browsing behavior

Purchase history

Customer profiles

When does Klaviyo trigger privacy obligations?

Installation triggers immediate tracking

The moment Klaviyo's tracking code is deployed, the __kla_id cookie is set on visitors' browsers with a 2-year lifespan. This initiates behavior tracking—Klaviyo begins collecting browsing activity, email addresses, and purchase history without waiting for opt-in. This cookie placement itself is a legal event.

GDPR applicability (if EU visitors present)

If your site receives traffic from the EU, GDPR Article 4(11) classifies Klaviyo as a joint controller (you set collection purposes; Klaviyo processes). The __kla_id cookie qualifies as tracking under ePrivacy Directive Article 5(3)—you must obtain prior explicit consent before the cookie fires, not after. GDPR Article 13 requires a privacy notice *before* data collection begins, disclosing Klaviyo as a processor, data categories (browsing behavior, purchase history), and retention (2 years for the cookie). Consent must be granular: Article 7(4) prohibits pre-ticked boxes.

Privacy policy clauses for Klaviyo

What data Klaviyo collects

When does Klaviyo trigger privacy obligations?

Installation triggers immediate tracking

GDPR applicability (if EU visitors present)

CCPA applicability (if CA residents targeted)

First concrete step

Where data goes

Cookies set by Klaviyo

Common compliance pitfalls

Forgetting to disclose behavioral tracking in privacy policy

Treating Klaviyo as a vendor without a DPA

Conflating consent categories: marketing vs. analytics

Sample privacy policy clause

What regulators look for

Primary audit focus: consent timing and specificity

Data Processing Agreement execution

Disclosure completeness

Frequently asked questions

Do I need to disclose Klaviyo in my privacy policy?

What specific data does Klaviyo collect?

Does Klaviyo require a cookie consent banner?

Who processes my data with Klaviyo and where is it stored?

Don't ship without Bandit.