# Privacy policy clauses for Segment
Segment is a Customer Data Platform that collects website events and routes them to connected downstream analytics and marketing tools. Websites use Segment to unify customer data and automatically send it to services like Google Analytics, Salesforce, and advertising platforms.
## What data Segment collects
Your privacy policy must disclose each of the following data types when you use Segment.
## When does Segment trigger privacy obligations?
### Installation triggers immediate obligations
The moment Segment's JavaScript SDK (`ajs_*`) loads on your site or app, you begin collecting and transmitting user event data to Segment's US servers, then to whatever downstream tools you've connected (analytics, email, CRM, ads platforms, etc.). This is a *data processing chain*, not a single tool.
### GDPR (EEA users)
If you have *any* EEA visitors, GDPR applies. Segment sets persistent analytics cookies (`ajs_*`, 1-year duration), triggering ePrivacy Directive Article 5(3) requirements: you must obtain *prior* consent before the SDK fires. You also need a Data Processing Agreement (DPA) with Twilio under GDPR Article 28(3); Segment is your processor. By installing Segment without a signed DPA, you are in breach immediately. Additionally, GDPR Article 13/14 requires you to disclose not just Segment, but *each connected downstream service* (e.g., if Segment routes to Mixpanel, Salesforce, and Google Ads, each must be named in your privacy notice).
### CCPA (California users)
CCPA Section 1798.100(d) requires disclosure of categories of personal information collected and the business purposes. Segment's event routing counts as "selling" or "sharing" under CCPA Section 1798.140(ad)
