CleverReach and Data Protection – What Belongs in the Privacy Policy

If a website operator uses CleverReach, they typically process email addresses, salutation and name details, plus sign-up and dispatch data for the purpose of newsletter dispatch on the basis of recipient consent. This article summarises which data processing is typically associated with CleverReach and what should be included in a website's privacy notice.

A. CleverReach – Purpose and Functionality

CleverReach is a German provider for email marketing and newsletter dispatch. Website operators use CleverReach primarily to provide sign-up forms, maintain recipient lists, send newsletters and automated email flows, and evaluate recipient responses to those emails.

Functionally, CleverReach bundles several building blocks: sign-up forms (embed and pop-up forms), list management with tags and segments, editor and templates for newsletters, automated email flows (so-called THEA workflows), reporting (open and click tracking), and interfaces to CMS, shop and CRM systems. The focus of this page is the integration feature that a German website operator typically uses: a newsletter sign-up form on the website and dispatch of email campaigns through CleverReach. Other use cases (e.g. pure API/SMTP integration) are covered on separate pages.

According to publicly available information, the provider is CleverReach GmbH & Co. KG, based in Germany. Processing takes place, according to provider information, in German data centres or in the EEA, which regularly avoids third-country transfers.

B. CleverReach – Mandatory Information in the Privacy Policy

The GDPR requires the privacy policy to contain not only general information about the website operator, the rights of the data subject and the supervisory authority, but also – with regard to the use of specific tools such as CleverReach – a series of specific mandatory items. They serve the transparency principle of Art. 12(1) GDPR and allow data subjects to understand the processing.

In particular, the following items must be included:

• the purposes of the processing (Art. 13(1)(c) GDPR),
• the legal bases of the processing (Art. 13(1)(c) GDPR),
• where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
• the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
• whether the data is transferred to an unsafe third country outside the EU/EEA, and on what basis (Art. 13(1)(f) GDPR),
• the storage period or – if not possible – the criteria for determining the storage period (Art. 13(2)(a) GDPR),
• and – where the data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

These mandatory items are broken down for CleverReach below.

In practice, it has become common to give every individual tool its own template clause in the privacy policy. This "template-per-tool" practice has established itself as poor style: it leads to long, lawyer-drafted texts that repeat each other in substance, making the entire privacy policy hard to maintain and barely readable for users. A topic-oriented approach is more appropriate: it describes processing operations across themes (server operation, newsletter, tracking, sales …) and merely names specific service providers – such as CleverReach – in a recipients list in the appendix. This is exactly the methodology used by the matterius privacy policy generator.

C. CleverReach Provider

According to publicly available information, the contractual partner for CleverReach is CleverReach GmbH & Co. KG, based at Schafjückenweg 2, 26180 Rastede, Germany.

As the provider is based in Germany, processing takes place primarily in the EEA; a third-country transfer is regularly not required in standard operation. If sub-processors in third countries are used in individual cases, the safeguards intended for this (in particular Standard Contractual Clauses, where applicable the DPF) must be examined (to be verified by the website operator).

CleverReach's privacy notice is available at https://www.cleverreach.com/de/datenschutz/. The data processing agreement is provided by the provider; information is available at https://www.cleverreach.com/de/funktionen/datensicherheit-datenschutz/.

D. CleverReach – Data Processing Step by Step

1. Collection: When a user submits the CleverReach sign-up form on the website or is added as a recipient via API/interface integration, the entries (typically email address, optionally name, salutation, fields of interest), the IP address and a timestamp are transmitted to CleverReach.
2. Storage: Data is stored in CleverReach's infrastructure, according to provider information in German data centres or in the EEA.
3. Use: CleverReach dispatches the newsletters on behalf of the website operator and – where activated – measures open and click events. Bounces and unsubscribes are documented.
4. Disclosure: Disclosure occurs to the provider's sub-processors (in particular hosting). The provider publishes a list as part of the DPA or its trust information.
5. Deletion: The website operator can remove recipients from lists or delete entire lists at any time. Storage limitation must be configured via list and retention settings.

E. Which Data Does CleverReach Process?

When sending newsletters via CleverReach, the following personal data is typically processed: email address, salutation, first and last name, optionally further fields collected by the website (e.g. language, industry, interests), the IP address at the time of sign-up, timestamps of the sign-up and the confirmation in the double opt-in process, send time of the individual emails, delivery status, open and click events, and unsubscribes.

This data falls into the following standardised data categories:

• Web server log data: in particular the IP address and technical metadata when calling the sign-up form and when retrieving embedded tracking pixels and click links in sent emails.
• Click paths: clicks on links in the emails sent by CleverReach, each with date and time.
• Device data: information about the device opening the email, e.g. device type and operating system.
• Browser information: browser or email client used to open the email.
• Coarse location data: coarse location of the recipient at city or municipal level, derived from the IP address.
• User account data: data identifying the recipient in the list, in particular the email address as the key identifier.
• User profiles: interests, tags and segment assignments determined by the website operator for a recipient and metrics derived therefrom.
• Conversion events: where tracking is enabled, e.g. clicks on a call-to-action or visits to specific pages following a click in a newsletter.
• Interaction data: opening an email, clicks on individual links or buttons.
• Technical telemetry data: technical send and delivery metadata, bounce codes, loading times of tracking pixels.

F. CleverReach – Purposes of Use

The website operator typically uses CleverReach to inform subscribed recipients about its own content, products and offers, to document sign-up and consent in the double opt-in process, to ensure delivery quality and – where tracking is enabled – to measure the effectiveness of individual campaigns.

The purposes can be classified into the following standardised purpose categories:

• Provision of functionality: providing newsletter and email functionality, including sign-up form, double opt-in, dispatch of the requested emails as well as error detection and correction in the dispatch process.
• Security and abuse prevention: spam and bot prevention on the sign-up form, detection and prevention of list abuse (e.g. third-party sign-ups).
• General product improvement: aggregated evaluation of open and click rates to improve newsletter content and frequency in line with demand.
• General marketing: success measurement of campaigns, reach analysis and overall assessment of the email channel.
• User profile creation: assignment to segments or target groups based on tags, interests and click and open behaviour.
• User-individual marketing: tailoring newsletter content to the individual interests and behaviour of the recipient (segmentation, automation).
• Legal enforcement: assertion, exercise or defence of legal claims, in particular proof of recipient consent (sign-up IP, timestamp, double opt-in) vis-à-vis supervisory authorities, competitors or courts.
• Compliance: compliance with statutory requirements regarding consent records and advertising emails (Art. 7 GDPR, Sec. 7 UWG).

G. Legal Bases for CleverReach

For the use case covered here, CleverReach falls primarily into the tool category newsletter / email marketing.

The following legal bases typically come into consideration:

• Recipient consent (Art. 6(1)(a) GDPR in conjunction with Sec. 7(2) No. 3 UWG) for the dispatch of newsletters and – where activated – for open and click tracking.
• Legitimate interests (Art. 6(1)(f) GDPR) in legal enforcement and compliance for storing sign-up metadata (IP, timestamp, double opt-in confirmation) as proof of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
• Legitimate interests in advertising within the scope of Sec. 7(3) UWG for direct advertising to existing customers for own similar goods or services, where the conditions are met.

Where open and click tracking is enabled, an explicit tracking consent of the recipient is typically required; if information is stored on or read from the device, Sec. 25(1) TDDDG must additionally be considered. The legal basis is to be assessed by the website operator on a case-by-case basis.

H. CleverReach – Special Notes

• Data Processing Agreement (DPA): The provider offers a DPA; concluding it is regularly mandatory, as CleverReach processes the recipient data on behalf of the website operator. Information is available at https://www.cleverreach.com/de/funktionen/datensicherheit-datenschutz/.
• Place of business and third-country transfer: CleverReach is a German provider; processing in the EEA is the standard case. A third-country dimension typically does not arise; individual sub-processors with a third-country dimension must be examined under the DPA.
• Sub-processors: An up-to-date list of sub-processors is available from the provider.
• Double opt-in: CleverReach supports double opt-in via the sign-up forms; the website operator should activate this setting in the relevant list and adapt the confirmation email accordingly.
• Consent record: Sign-up IP, timestamp and double opt-in confirmation should be retained permanently in order to provide evidence of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
• Open and click tracking: These features can be enabled in CleverReach; they should only be used if tracking consent is obtained cleanly and described in the privacy policy.
• Opt-out: Every newsletter must contain a working unsubscribe link under Sec. 7(2) No. 4 UWG; CleverReach provides placeholders for this purpose.
• List hygiene: Inactive and no longer existing addresses should be removed regularly; storage should be aligned with the consent given.

The above presentation is based on publicly available provider information and supplementary publicly accessible sources. A case-by-case assessment by the website operator remains necessary.

I. CleverReach – FAQ

J. CleverReach – Conclusion and Call-to-Action

CleverReach is a Germany-based provider for newsletter dispatch and email marketing. From a data protection perspective, particularly relevant topics are recipient consent, consent records via the double opt-in process and – where activated – open and click tracking. Being based in the EEA helps avoid third-country transfers; the DPA and privacy policy must cover the essential mandatory items (purposes, legal bases, recipient categories, storage period).

For the website operator, it is mostly not particularly useful to include a separate template clause for every individual tool – including CleverReach – in the privacy policy. This makes the policy long, unclear, hard to understand and difficult to maintain – contrary to the transparency principle of Art. 12(1) GDPR.

A structured, topic-oriented approach is more appropriate: data processing operations are explained across topic blocks (server operation, newsletter, tracking, sales …); specific service providers such as CleverReach are simply listed in the recipients appendix. This is exactly the methodology of the matterius privacy policy generator.

K. Curator