Brevo Conversations and Data Protection – What Belongs in Your Privacy Policy

Brevo Conversations privacy: data processed, purposes, legal bases (GDPR) and what website operators should include in their privacy policy regarding the Brevo chat widget.

When a website operator uses Brevo Conversations (formerly Sendinblue Chat) as a live chat widget, the operator processes web server log data when the chat is loaded and user content (input, name, email, messages, files) when it is used – for purposes of communication, providing the function and security, typically based on a third-party content consent and legitimate interests. This page outlines which data Brevo Conversations processes, what the website operator uses the data for, and which mandatory information regarding Brevo Conversations belongs in the privacy policy.

A. Purpose and Functionality of Brevo Conversations

Brevo Conversations is the chat and messaging module of the French email and marketing provider Brevo (formerly Sendinblue). According to the publicly available information from the provider, the product comprises in particular a live chat widget that can be embedded into a website, an inbox for incoming and outgoing messages, optional chatbot scenarios, and integrations with email, WhatsApp, telephony and the Brevo CRM.

This page focuses on the integration function typical for website operators: the live chat widget is embedded on the operator's website by means of a JavaScript snippet served from https://conversations-widget.brevo.com. As soon as the widget loads, the visitor's browser establishes a direct connection to Brevo servers. Other Brevo functions such as newsletter sending, transactional email, marketing automation or the CRM are not covered here and are addressed in separate articles.

Functionally, Brevo Conversations is intended to address website visitors in real time, to answer requests, to qualify leads, and – if activated – to deliver automated responses through chatbot scenarios. Optionally, replies may be supported by AI components.

B. Mandatory Information in the Privacy Policy When Using Brevo Conversations

In addition to general information on the website operator, on the rights of the data subject and on the supervisory authority, the GDPR requires specific mandatory information regarding the use of tools such as Brevo Conversations. These obligations follow in particular from Art. 13 and Art. 14 GDPR and include:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
  • whether data are transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or, if not possible, the criteria used to determine that period (Art. 13(2)(a) GDPR),
  • and – where the data are not collected from the data subject directly – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

These mandatory items are broken down for Brevo Conversations specifically in the sections that follow.

A frequently observed practice is to include a separate, lawyer-drafted boilerplate text for each tool – including Brevo Conversations – in the privacy policy. This "one boilerplate per tool" approach has established itself as bad practice: the texts repeat themselves, grow with every additional service, and turn the privacy policy into something hard to maintain and barely readable for users. This conflicts with the transparency requirement of Art. 12(1) GDPR, according to which information must be precise, transparent, intelligible and easily accessible.

A topic-oriented approach is more appropriate. It describes processing activities at an aggregate level (server operation, newsletter, tracking, sales, chat …) and lists only the recipients – such as Brevo SAS – in an annex. The matterius generator implements exactly this methodology.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Brevo Conversations

According to the publicly available information from the provider, the contractual partner for German website operators using Brevo Conversations is

Brevo SAS (formerly Sendinblue SAS), 17 rue Salneuve, 75017 Paris, France

Brevo SAS is based in France and therefore within the EU. The company is registered with the French commercial register (RCS Paris) under SIREN no. 498 019 298. Until 2023 it operated under the name Sendinblue SAS and was then renamed to Brevo SAS; the term "Sendinblue Chat" still found in the market refers to the same product that is now marketed under the name Brevo Conversations.

Because Brevo SAS is based in the EU, the contractual partner itself does not constitute a third-country transfer. According to its own information, however, the provider engages sub-processors, including cloud infrastructure providers such as Amazon Web Services (AWS); depending on the chosen region, processing in the USA may occur there. The current sub-processor list is part of Brevo's data processing agreement (DPA).

D. Data Processing in Brevo Conversations – Step by Step

  • Collection: As soon as a page with an embedded Brevo Conversations widget is loaded, the browser fetches the script from conversations-widget.brevo.com. On load, web server log data (in particular IP address, timestamp, user agent, referrer) is transmitted to Brevo. If the user types in the chat or uploads files, this content is collected as well. Optionally, name, email address or further fields can be requested via the widget.
  • Storage: According to the provider, Brevo stores the data on servers operated by cloud providers (including AWS). Depending on the website operator's selection or the provider's defaults, data centers in the EU or the USA are used. The exact retention period is configured in the Brevo account and must be set or clarified by the website operator.
  • Use: The website operator uses the data to communicate with visitors, to answer requests and – if activated – for chatbot or AI-supported responses. Brevo itself processes the data to provide the platform and for security and abuse prevention.
  • Disclosure: Brevo engages sub-processors (in particular AWS hosting, possibly further service providers for telephony, AI components or email delivery). The current list is part of the DPA. For sub-processors that process data in the USA, the provider typically relies on standard contractual clauses (SCC) or on the DPF.
  • Deletion: Website operators can delete individual conversations, contacts and attachments in the Brevo back-end or control them through retention rules. Upon termination of the Brevo contract, the data is deleted or returned in line with the DPA.

E. Data Collected by Brevo Conversations

According to the publicly available information from the provider, the use of the Brevo Conversations widget involves the processing of the following specific data items in particular: IP address of the visitor, date and time, page visited (referrer/click path), user agent and browser information, approximate location at city/region level, device information (device type, operating system), internal visitor IDs of the widget, text entered in the chat by the user, optionally name and email address transmitted, uploaded files, and interaction data (e.g. typing status, read receipts, clicks within the widget).

These data fall into the following standardized data categories:

  • Web server log data: data the Brevo server receives from the device on every widget request, in particular IP address, date/time, URL of the requested resource, referrer, browser/operating system/device identifiers, and technical metadata (status code, data volume).
  • Click paths: information on which page the chat was opened from and clicks on widget controls (e.g. "open chat", "send file").
  • Device data: information about the device, e.g. device type, operating system, screen resolution, touch support.
  • Browser information: browser name, browser version, language settings if applicable.
  • Approximate location data: location of the user at city or region level derived from the IP address.
  • Interaction data: behavior within the chat window, e.g. typing status, key presses, clicks, scroll movements – with date and time.
  • User content: content entered by the user in Brevo Conversations, e.g. chat messages, name, email address and phone number entered in the form, uploaded images or files.
  • Technical telemetry data: technical information on the use of the widget, e.g. error messages, load times, data volume.

Brevo Conversations may use cookies or similar technologies (local storage) on the device to recognize users and manage sessions.

F. Purposes of Use When Using Brevo Conversations

The website operator typically uses Brevo Conversations to engage with visitors directly, to answer questions, to qualify leads and to provide support. Data primarily serves to handle the chat request; additional technical data is processed for providing the widget, for bot/spam prevention and for the general improvement of customer service.

The purposes that the website operator typically pursues with Brevo Conversations fall into the following standardized purpose categories:

  • Provision of functionality: providing the chat function on the website, displaying and adapting the chat window, error detection, error correction and error prevention.
  • Communication: direct communication with the visitor in connection with the request, customer service and support.
  • Performance of contract: where the chat request concerns the initiation or performance of a contract between operator and user (e.g. pre-sales advice, order or support questions).
  • Security and abuse prevention: spam and bot defense in the widget, detection and prevention of misuse, session management.
  • General product improvement: evaluation of frequency statistics (e.g. frequent questions, average response times) for the user-friendly design of FAQs and online services.
  • Legal claims: assertion, exercise or defense of legal claims, e.g. evidencing statements or complaints made through the chat.

In line with the structure of the privacy notice template, Brevo Conversations falls into the tool category third-party content / chat: the widget is loaded via a script from a third-party domain (conversations-widget.brevo.com) and triggers direct connections to Brevo servers when the page loads.

Legal bases that may regularly come into consideration when using Brevo Conversations include:

  • Consent (Art. 6(1)(a) GDPR in conjunction with sec. 25(1) TDDDG) as a so-called third-party content consent or function consent, where the chat is loaded only after consent in the consent banner, or where cookies/similar technologies are stored on the device for recognition.
  • Legitimate interests of the website operator and the user (Art. 6(1)(f) GDPR) in a direct and quick communication channel (communication, efficiency) and in security and abuse prevention (e.g. bot/spam defense in the chat).
  • Performance of contract (Art. 6(1)(b) GDPR), where the request concerns the initiation or performance of a contract.
  • Legal obligation (Art. 6(1)(c) GDPR) as well as legitimate interests in compliance and legal claims for fulfilling commercial and tax retention obligations and for evidencing matters.
  • Where chatbot or AI components are used: an additional notice on the AI use is required; the legal basis remains case- and configuration-dependent (often legitimate interests in efficiency, improvement; consent for sensitive data).

Which legal basis applies in a given case depends on how the widget is configured, on the data collected in the chat, on the consent banner used and on the individual circumstances. The website operator must assess this on a case-by-case basis.

H. Specifics and Notes on Brevo Conversations

  • DPA: Brevo SAS offers a data processing agreement, which is typically provided as part of its general terms of use (brevo.com/legal/termsofuse) or via the help center. Concluding a DPA when using Brevo Conversations is regularly required (Art. 28 GDPR).
  • Sub-processors: According to its own information, Brevo uses sub-processors (in particular for cloud hosting, possibly AI and telephony providers). The current list is part of the DPA or maintained in the trust center / DPA annex – to be reviewed there by the website operator.
  • Third-country transfers: Brevo SAS is based in France (EU). Sub-processors such as AWS may, depending on the chosen region, process data in the USA. The provider typically relies on standard contractual clauses (SCC) and, where applicable, the EU-US Data Privacy Framework (DPF), to the extent the relevant sub-processor is certified (to be verified by the website operator at dataprivacyframework.gov).
  • Settings for the website operator: widget visibility rules (pages/devices/languages), auto-messages, chatbot scenarios, fields in the pre-chat form (name, email), file uploads, retention rules and integration into the Brevo CRM. Apply data minimization where possible (Art. 5(1)(c) GDPR): mark as mandatory only those fields that are actually needed.
  • Consent banner: the widget should be included in the consent banner and – when embedded as third-party content with cookie/storage usage – be loaded only after consent.
  • AI notice: if chatbot or AI-driven responses are used, this must be made transparent in the widget or in the privacy policy.
  • Source notice: the description above is based on information from the provider (privacy policy, help center, terms / DPA) and on publicly available sources and does not replace a case-by-case assessment by the website operator.

I. FAQ on Brevo Conversations and Data Protection

J. Conclusion on Brevo Conversations and Call to Action

Brevo Conversations is an EU-based live chat tool that, when used on a website, processes web server log data, click paths, device and browser information, approximate location data, interaction data and – when the chat is actively used – user content (messages, name, email, files). The contractual partner is Brevo SAS in Paris; according to the publicly available information, it typically acts as a processor for these activities and engages further sub-processors (in particular cloud hosting). Third-party content consent and legitimate interests regularly come into consideration as legal bases; the actual classification depends on the specific configuration.

For the website operator, including a separate boilerplate text for Brevo Conversations in the privacy policy is usually not appropriate. It makes the policy long, hard to navigate, hard to maintain and runs counter to the transparency requirement of Art. 12(1) GDPR – particularly when further tools with similar texts are added. A structured, topic-oriented approach that explains processing by topic blocks (server operation, newsletter, tracking, sales, chat …) and only refers to individual tools and providers such as Brevo SAS in a recipients annex is more appropriate and more user-friendly. This is exactly the methodology of the matterius generator: a clearly structured text, a central recipients list and a privacy policy that remains maintainable when tools such as Brevo Conversations are added or replaced.

This article serves as general information on Brevo Conversations and does not replace legal advice in individual cases. The description is based on information from the provider and publicly available sources. As of: 7 May 2026.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been recognised by Handelsblatt continuously from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
