Braze and Data Protection – What Website Operators Need to Know

When a website operator uses Braze for customer engagement and email marketing, it processes user data (name, email, behavioural data, segments) for the purpose of marketing, push notifications and in-app messaging on the basis of consent and legitimate interests. Braze Inc. (USA), a leading customer engagement company, acts as a processor and is subject to the Data Privacy Framework (DPF) for data transfers to the USA.

This guide is aimed at website operators who use Braze for email campaigns, push notifications, in-app messages or customer segmentation and therefore require a GDPR-compliant privacy policy.

A. Purpose and Function of Braze

Braze is a Customer Engagement Platform (also called a »Customer Data Platform« or CDP) that enables companies to:

• Email marketing: Automated email campaigns to segmented customer lists
• Push notifications: Mobile and web push notifications
• In-app messaging: Contextual messages within an app or website
• SMS/messaging: Direct communication via phone, WhatsApp or other channels
• Customer segmentation: Automatic categorisation of users into target groups based on behaviour, demographics and preferences
• Journey automation: Automated workflows based on user behaviour ("if user X buys, send email Y")

The integration function is performed by:

1. SDK/API: The website operator implements the Braze SDK on its website or app
2. Event tracking: The SDK records user behaviour (page visits, clicks, purchases)
3. Data exchange: This data is transferred to Braze servers
4. Campaigns: The website operator creates campaigns in the Braze platform and delivers them targeted to audiences
5. Analytics: Braze provides reports on campaign performance, open rates, clicks

B. Mandatory Disclosures in the Privacy Policy regarding Braze

The GDPR requires for every processor: purposes (Art. 13(1)(c)), legal bases (Art. 13(1)(a)), consent (if required, Art. 7 GDPR), categories of recipients (Art. 13(1)(e)), third-country transfers (Art. 13(1)(f)) and retention period (Art. 13(2)(a)).

Perspective on Braze integration: Many website operators only write about Braze »Braze processes marketing data« – this is far too short. Instead, the following should become transparent:

• Which user data is collected (clicks, page visits, purchases)?
• For what purpose (email marketing, push notifications)?
• On what legal basis (consent, legitimate interests)?
• Where is the data processed (USA with DPF)?
• How long is it retained?

Better: A topic-oriented section "Marketing and Customer Engagement" with description of all engagement channels (email, push, in-app messaging).

C. Provider of Braze: Braze Inc. (USA)

Legal name: Braze, Inc.

Country of registered office: USA (New York or as subsidiary: Braze EU Limited, if EU company is available)

Privacy policy: https://www.braze.com/company/legal/privacy

DPA link: https://www.braze.com/company/legal/dpa

DPF status: Yes, DPF-certified. According to the company, Braze Inc. is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF and the Swiss-U.S. DPF (https://www.braze.com/company/legal/data-privacy-framework-notice). The DPF assures an adequate level of data protection for transfers from the EU to the USA.

You can verify the certification at: https://www.dataprivacyframework.gov/s/participant-search

Data Processing Agreement (DPA): Braze offers a Data Processing Addendum (DPA). This is available at https://www.braze.com/company/legal/dpa. The DPA regulates:

• Braze's role as processor (Art. 28 GDPR)
• Security standards and encryption
• Support for data subject rights
• Sub-processor management
• Third-country transfers via DPF

The DPA must be signed to use Braze in a GDPR-compliant manner.

D. Data Processing by Braze – Sequence

E. Data Collected when Using Braze

When using Braze, the website operator processes the following types of data:

• Name and email address
• Phone number (optional)
• Pages visited and click paths
• Product views and shopping cart contents
• Purchase history (amount, products, date)
• Page visits and visit duration
• IP address and geolocation
• Device information (operating system, browser, app version)
• User segments and audience assignment
• Marketing preferences (opt-in/opt-out for email, SMS, push)
• Date of birth (optional)
• Behavioural signals (scroll depth, mouse movements, dwell time)
• User content (if entered via Braze interface)

This data can be classified into the following standardised data categories:

• Web server log data: IP address, date/time, browser/OS, user agent
• Click paths: Pages visited, clicked links, referrer
• Device data: Device type, operating system, screen resolution, browser
• Browser information: Browser name, version, installed extensions
• Coarse location data: IP-based location at city/municipality level
• User account data: Name, email address, phone, date of birth
• User profiles: Segments, audiences, marketing preferences, conversion events
• Conversion events: Product purchase, registration, download, page view
• Interaction data: Scroll movements, dwell time, click sequences, open rates (for email)

F. Purposes of Use when Using Braze

When using Braze, data is processed for the following purposes:

Primary purposes:

• Provision of functionality: Provision of the Braze platform, campaign management, segmentation
• Communication: Email marketing, push notifications, in-app messaging, SMS
• Marketing and customer engagement: Targeted campaigns based on user segments
• Personalisation: Adaptation of content to user behaviour
• Performance of a contract: If the user has signed up for marketing (subscription)
• Product improvement: Analysis of campaign performance, A/B tests, optimisations
• General product improvement: Improvement of the Braze platform itself

Secondary purposes (if activated):

• Analytics: Internal Braze analytics for service improvement
• Fraud prevention: Identification of bot activities, abuse
• Compliance: Compliance with CAN-SPAM (USA), GDPR, ePrivacy Directive

G. Legal Bases for Braze

Step 1: Categorisation of Braze Braze is a processor (Art. 28 GDPR). The website operator is the controller. The website operator is responsible for ensuring that:

• A legal basis for processing exists
• Customer consents are required (especially for marketing)
• A DPA with Braze exists

Step 2: Applicable legal bases

1. Consent (Art. 6(1)(a) GDPR) – primarily for marketing:

   • For email marketing, push notifications and SMS, the opt-in principle applies in Germany and the EU (ePrivacy Directive 2002/58/EC, for electronic direct marketing)
   • The user must explicitly consent before receiving marketing emails
   • Exception: »existing customer advertising« for similar products (somewhat looser in some countries)
   • Consent must be documented (time, content, type of consent)

2. Legitimate interests (Art. 6(1)(f) GDPR) – for analysis and product improvement:

   • The website operator has a legitimate interest in analysing user behaviour (for improvement)
   • This applies to non-invasive tracking (e.g. analysis of which pages are popular)
   • Balancing: The website operator's interests must outweigh the user's interests
   • Legitimate interest is not sufficient for marketing itself (consent required)

3. Performance of a contract (Art. 6(1)(b) GDPR) – for transactional communication:

   • If the user buys something, you can send them a confirmation by email (necessary for performance of a contract)
   • If the user has taken out a subscription, you can send transactional messages

Special feature – Section 25 TDDDG and ePrivacy Directive: For electronic direct marketing (email, SMS, push for marketing purposes), opt-in consent is required (Section 25(1) TDDDG for natural persons). This is of higher value than consent under Art. 6(1)(a) GDPR.

H. Special Features and Notes on Braze

1. Consent for marketing is mandatory Braze is primarily used for marketing. This means: you need explicit consent (opt-in) from the user before sending them marketing emails, push notifications or SMS. Setting the Braze SDK is already a data processing operation, but using it for active marketing requires consent.

Recommendation:

• Show a cookie banner or consent bar when the website is visited
• »I accept marketing emails from [website name]« – This should be a separate checkbox (not pre-checked)
• Store this consent in a documented manner (date, wording, IP address)
• Only use Braze if users consent

2. DPA is mandatory You must have a Data Processing Agreement (DPA) with Braze. Available at: https://www.braze.com/company/legal/dpa. The DPA must be signed before you use Braze.

3. Braze is DPF-certified Braze uses the Data Privacy Framework (DPF) for third-country transfers. This means:

• Data is transferred to the USA
• Braze has self-certified that it meets the DPF requirements
• You can verify the certification at: https://www.dataprivacyframework.gov/s/participant-search
• In the event of the DPF being invalidated, Braze has Standard Contractual Clauses (SCCs) as a fallback

You should disclose in your privacy policy: »Marketing data is transferred to the USA to Braze. Braze is Data Privacy Framework certified.«

4. Sub-processors and email delivery Braze itself does not send emails – it commissions email delivery service providers (e.g. SendGrid, AWS SES). These sub-processors are documented in the Braze sub-processor policies. You should review these policies and mention them in your privacy policy.

5. Opt-out and data subject rights

• Data subjects can unsubscribe from marketing at any time (unsubscribe)
• Data subjects can request information about their data (Art. 15 GDPR)
• Data subjects can request erasure (Art. 17 GDPR)
• You should have a procedure to receive these requests and forward them to Braze

6. Retention period and data minimisation Specify how long users are stored in Braze. Recommendation:

• Active customers: For the duration of the customer relationship
• Inactive customers: e.g. 2 years after last purchase or contact
• Cancelled campaign subscriptions: 6 months (to prove opt-out)

I. FAQ on Braze

J. Conclusion and Recommendation on Braze

Braze is a powerful marketing tool, but is complex from a data protection perspective: consent for marketing communication is mandatory, third-country transfers to the USA, sub-processors, and several legal bases depending on the use case.

Tool-specific text templates ("Braze processes marketing data") are far too short and hide the important information (third-country transfer, consent required).

Recommendation: Use a topic-oriented structure:

• Section "Marketing and Customer Engagement" with description of all channels (email, push, SMS)
• Clear information: "We will only send you marketing emails if you consent"
• Section "Your Rights" with info on opt-out, access, erasure
• Section "Third-country Transfers" with reference to DPF
• Appendix with sub-processor list

Make sure that:

• An opt-in consent mechanism is in place (cookie banner or checkbox)
• The DPA with Braze is signed
• Users can easily unsubscribe (unsubscribe)
• An internal process exists for data subject rights requests