Brevo Meetings (Appointment Booking) and Data Protection – What Belongs in the Privacy Policy
Concise guide to Brevo Meetings: data processed, purposes, legal bases (GDPR), and what website operators must include about Brevo's appointment booking in their privacy policy.
If a website operator uses Brevo Meetings (Brevo's appointment-booking feature), the loading of the booking page and the completion of a booking lead to the processing of web server log data, device and browser information, and the booking details entered by the visitor – on the basis of consent (for iframe embedding), pre-contractual measures, and legitimate interests. This page explains what Brevo Meetings does, which data is processed and which mandatory information needs to be included in the privacy policy. The description is based on publicly available information from the provider and generally researchable sources; it does not replace a case-by-case legal assessment.
A. Purpose and Functionality of Brevo Meetings
Brevo Meetings is the online appointment-booking feature within the marketing and CRM suite of Brevo (formerly Sendinblue). It provides website visitors with a booking page where they can choose from the meeting types defined by the website operator, select a free time slot, enter contact details and – if configured – answers to up to 15 individual questions, and confirm the booking. Both the visitor and the operator then receive an automated confirmation email; the appointment and its participants are added to the operator's calendar, optionally connected to Google Meet or Zoom.
Brevo offers two main integration variants for websites: a hosted link to the booking page hosted under meet.brevo.com (or provider-specific subdomains), and an iframe embed of that booking page directly inside the operator's own website. Both variants result in visitor data being transmitted to Brevo as soon as the booking page is opened. This tool page focuses on these integration functions of Brevo Meetings; other Brevo modules such as newsletter sending, transactional email, marketing automation, chat, or CRM are not covered here and should be addressed in dedicated tool pages.
Brevo Meetings is designed as a self-service tool: the website operator defines meeting types, availabilities, mandatory fields, and notifications. Optional features include charging for paid appointments, redirects to thank-you pages (e.g., for conversion tracking), and reminder emails.
B. GDPR Mandatory Information about Brevo Meetings in the Privacy Policy
In addition to general information about the controller, the supervisory authority and data subject rights, the GDPR requires specific mandatory information for the use of concrete tools such as Brevo Meetings.
This includes in particular the purposes of processing and the legal bases (Art. 13(1)(c) GDPR), in the case of legitimate interests (Art. 6(1)(f) GDPR) the specific interests pursued (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on any transfer to insecure third countries and the safeguards used (Art. 13(1)(f) GDPR), the storage period or the criteria for it (Art. 13(2)(a) GDPR), and – where data are not collected directly from the data subject – the categories of data (Art. 14(1)(d) GDPR).
These mandatory items are broken down for Brevo Meetings in sections C through G below.
In practice, many privacy policies include a separate text block for each individual tool – including Brevo Meetings. This "one text block per tool" approach has become widespread, but it is not a legal requirement. On the contrary, it produces long, lawyer-drafted boilerplate that overlaps heavily, is hard to maintain, and is barely readable for users – sitting in tension with the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented, hybrid model: processing operations are described across topic blocks (server operation, third-party content, appointment booking, newsletter, tracking, sales …), and the concrete service providers – such as Brevo SAS for Brevo Meetings – are listed in a recipients appendix. This is exactly the methodology of the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Brevo Meetings
According to publicly available information, the contractual partner for website operators in Germany is
Brevo SAS, 9-17, rue Salneuve, 75017 Paris, France
Brevo SAS (formerly Sendinblue SAS) is registered with the Paris Trade and Companies Register under number 498 019 298 RCS Paris and is headquartered in France, i.e., within the EU. Direct DPF certification is not required for Brevo SAS because of its EU seat. To the extent that Brevo uses subprocessors in third countries (e.g., the United States, India), the provider states that appropriate safeguards (in particular EU Standard Contractual Clauses) are in place; details are set out in Brevo's DPA and subprocessor list.
Relevant primary sources for Brevo Meetings:
- Brevo Meetings – Product Page: Functional description of the appointment-booking feature.
- Brevo Privacy Policy: The provider's data protection notices.
- Brevo DPA: Data Processing Agreement with subprocessor list.
- Brevo Help Center: Meetings: Setup and embedding instructions for the booking page.
D. Data Processing in Brevo Meetings – Step by Step
meet.brevo.com or as an embedded <iframe> – the browser establishes a direct connection to Brevo's servers. Web server log data (in particular IP address, timestamp, user agent, referrer) is necessarily transmitted. During the booking itself, the visitor enters name, email address, phone number where applicable, and answers to questions configured by the operator.
E. Data Collected by Brevo Meetings
When the Brevo Meetings booking page is opened and a booking is made, the following data categories are typically processed according to the provider's information: technical connection data when the booking page is loaded (IP address, timestamp, requested URL, referrer, user agent), information about the device and browser (device type, operating system, screen size, browser name and version), the booking data entered by the visitor (name, email address, optionally phone number, free-text answers to up to 15 individual questions, the chosen meeting type and time slot), and the booking event itself with date, time, and meeting-type assignment.
These data fall into the following standardized data classes:
- Web server log data – connection data sent to Brevo when the booking page is accessed, e.g., IP address, request date and time, URL of the booking page, referrer, transferred data volume.
- Device data – information about the visitor's device, e.g., device type, operating system, screen resolution.
- Browser information – information about the browser used, e.g., browser name and version.
- User content – content entered into the booking form by the visitor, e.g., name, email address, phone number, comments, answers to questions configured by the operator.
- Conversion events – the booking event itself (a successful appointment booking) and, where applicable, the call to a configured thank-you page after a successful booking.
F. Purposes of Use for Brevo Meetings
The website operator uses Brevo Meetings to give prospects and existing customers a low-barrier way to schedule appointments – for first calls, demos, consulting sessions, or support calls. The data collected primarily serves to provide the booking function and to prepare and conduct the appointment, including the related communication (confirmation and reminder emails, possible cancellation or rescheduling messages). Booking events can also be used for general optimization of the website (e.g., which meeting types are booked, from which entry points) and – within the scope of the relevant consent – be reported as conversions to tracking or advertising systems.
These purposes fall into the following standardized purpose classes:
- Provision of functionality – making the booking page available, displaying available slots, processing inputs, sending confirmation emails, calendar synchronization.
- Contract performance – preparing and initiating the appointment as part of (paid or unpaid) contractual or pre-contractual measures between the visitor and the website operator, including booking confirmation and handling.
- Security and abuse prevention – detection and prevention of abusive bookings (e.g., bot bookings, spam sign-ups), protection against improper use of the booking feature.
- Communication – confirmation, reminder, and follow-up communication around the booked appointment.
- General product improvement – aggregated evaluation of booking usage (e.g., preferred meeting types, utilization, cancellation rates).
- Compliance with retention obligations – where bookings relate to contracts whose records are subject to statutory retention periods.
G. Legal Bases for Brevo Meetings
From the website operator's perspective, Brevo Meetings primarily falls into the Third-party content / Appointment booking category, since both integration variants (hosted link and iframe) cause data to be sent to a third-party provider (Brevo SAS) as soon as the booking page is loaded.
Several legal bases typically come into consideration in parallel:
- Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG for iframe embedding of the booking page on the operator's website, where data is already transmitted to Brevo on page load or where cookies / similar storage mechanisms are placed on the visitor's device (typically as a third-party content consent or functional consent via the consent banner).
- Art. 6(1)(b) GDPR for the actual booking as a (pre-)contractual measure where the visitor is scheduling an appointment that serves to initiate or perform a contract (e.g., consulting, demo, support).
- Art. 6(1)(f) GDPR (legitimate interests) in efficiency (efficient self-service appointment scheduling), provision of functionality, security and abuse prevention, and where applicable enforcement of legal claims (booking proof, no-show handling).
If the booking page is referenced only as an external link (to meet.brevo.com) and no data flows to Brevo from the operator's website, the visit becomes the visitor's own decision; on the Brevo page, Brevo's own privacy policy applies. With iframe embedding, by contrast, the transmission is triggered by the page load itself – here, prior consent is generally required.
Which legal basis actually applies depends on the integration variant, cookie usage, and booking purpose, and must be examined by the website operator on a case-by-case basis.
H. Notes and Specifics for Brevo Meetings
- EU-based provider: Brevo SAS is headquartered in Paris, France. The transmission to Brevo itself is therefore not a third-country transfer within the meaning of Art. 44 et seq. GDPR. Where Brevo uses subprocessors outside the EU (the provider notes that processors in the United States and India are involved), transfers are based, according to the provider, on appropriate safeguards (in particular Standard Contractual Clauses). The current subprocessor list is part of Brevo's DPA.
- DPA: Brevo provides a pre-filled Data Processing Agreement that is typically accessible inside the Brevo account or under https://www.brevo.com/legal/dpa/. Concluding a DPA pursuant to Art. 28 GDPR is required before processing begins.
- iframe embedding and consent: With iframe embedding, requests are typically loaded only after consent has been given via the consent banner (e.g., behind a "Show booking page" gate or through a consent-mode switch). Linking out to the hosted booking page reduces the third-party footprint on the operator's own website.
- Operator settings: Brevo's settings allow the operator to configure, among other things, the scope of booking questions (data minimization), retention periods for contacts, double opt-in for newsletter sign-ups during booking, tracking pixels in confirmation emails, and the display of privacy notices directly on the booking page. These options should be set in a privacy-friendly way.
- Visitor opt-out: Visitors can revoke consent for the iframe embed at any time via the consent tool; bookings can be canceled via the cancellation link in the confirmation email or by contacting the website operator.
- Storage location: According to the provider, the main processing takes place in EU data centers (notably OVH in France/Germany and Google Cloud).
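The "Show booking page" gate and the consent revocation described in the notes above can be implemented as follows. This is an added example, not code from Brevo or matterius: the iframe element is created only once consent is given, so nothing is sent to the provider on page load. The function names, the `doc`/`container` parameters, and the sample URL path are assumptions; only the host meet.brevo.com comes from this page.

```javascript
// Added example: click-to-load gate for an embedded booking page.
// Assumptions: ALLOWED_HOSTS, the function names and any URL path are
// illustrative; only the host meet.brevo.com is taken from the article.
const ALLOWED_HOSTS = new Set(["meet.brevo.com"]);

// Accept only https URLs on an allowlisted host, so a tampered configuration
// value cannot point the frame at a different origin.
function isAllowedBookingUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // not a parseable absolute URL
  }
  return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
}

// Create the iframe only when consent is true. Before that, no element with
// a src exists in the page, so the browser sends no connection data
// (IP address, user agent, referrer) to the provider on page load.
function mountBookingFrame(doc, container, bookingUrl, consentGiven) {
  if (!consentGiven || !isAllowedBookingUrl(bookingUrl)) return null;
  if (container.firstChild) return container.firstChild; // already mounted
  const frame = doc.createElement("iframe");
  frame.setAttribute("title", "Appointment booking");
  // Optional data minimisation: do not pass the embedding page's URL on.
  frame.setAttribute("referrerpolicy", "no-referrer");
  frame.setAttribute("src", bookingUrl);
  container.appendChild(frame); // the request starts once the frame is attached
  return frame;
}

// Revoking consent removes the frame again; returns true if one was removed.
function unmountBookingFrame(container) {
  const frame = container.firstChild;
  if (!frame) return false;
  container.removeChild(frame);
  return true;
}
```

In a browser, `doc` is `document` and `container` is the placeholder element; call `mountBookingFrame` from the consent tool's accept callback and `unmountBookingFrame` from its revoke callback.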
This description of Brevo Meetings is based on publicly available information from the provider (in particular product page, privacy policy, help center, and DPA) and generally researchable sources. It does not replace a case-by-case assessment. Before going live, the provider details, scope, DPA contents, and subprocessor list must be verified by the website operator.
I. FAQ on Brevo Meetings and Data Protection
J. Conclusion and Call to Action
Brevo Meetings is an appointment-booking feature integrated into the Brevo platform that gives website operators a lean self-service solution with a hosted booking page and iframe embedding. Depending on the integration, web server log data, device and browser information, the booking data entered by the visitor, and the booking event itself are processed. The provider is Brevo SAS in Paris; the relevant legal bases are consent (for iframe embedding), pre-contractual measures, and legitimate interests.
For the privacy policy this means: it is generally of little benefit to map Brevo Meetings into a separate, standalone text block. Such tool-by-tool boilerplate makes the privacy policy long, redundant, hard to maintain, and barely understandable for users – at odds with the transparency requirement of Art. 12(1) GDPR.
A structured, topic-oriented approach is recommended: processing operations are described across topic blocks (server operation, third-party content, appointment booking, newsletter, tracking, sales …), and the concrete service providers – such as Brevo SAS for Brevo Meetings – are maintained in a recipients appendix. This is exactly the methodology of the matterius generator.
This article provides general information about Brevo Meetings and does not replace individual legal advice. Last updated: 7 May 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com