ClickFunnels and Data Protection – What Belongs in the Privacy Policy

When a website operator uses ClickFunnels, they regularly process contact, interaction and order data of website visitors (e.g. name, email address, opt-in form entries, click paths, order data) for the purpose of building sales funnels, landing pages and membership areas, regularly based on contract performance, legitimate interests or consent. This article summarises which data ClickFunnels touches and which mandatory information has to appear in the privacy policy.

The following remarks are based on publicly available information from the provider and on publicly researchable sources; they do not replace a case-by-case review by the website operator.

A. Purpose and Functioning of ClickFunnels

ClickFunnels is a US-based SaaS platform for building funnels, landing pages, opt-in pages, order pages, upsell sequences, membership areas and simple email workflows. Website operators use it in particular for lead generation funnels (e.g. whitepaper download, webinar registration) and sales funnels (e.g. one-step or multi-step checkout flows).

In the website context, two integration functions are particularly relevant: First, the hosting of complete funnel and landing pages on a ClickFunnels subdomain or under the website operator's own domain, where all visitor interactions (page views, form entries, clicks) are processed at ClickFunnels. Second, the embedding of individual funnel elements (e.g. opt-in forms, order pages) into an existing website. Other functions such as the integrated email tool, chat or affiliate components are not deepened here.

This page focuses on the use of ClickFunnels as a hosted funnel/landing page builder, i.e. the data flow from the ClickFunnels page to the website operator's CRM and marketing tools.

B. Mandatory Information in the Privacy Policy When Using ClickFunnels

In addition to general information (controller, data protection officer, data subject rights, supervisory authority), the GDPR requires specific mandatory information for the privacy policy with regard to the use of concrete tools, in particular under Art. 13 and Art. 14 GDPR.

Mandatory information includes:

• the purposes of the processing (Art. 13(1)(c) GDPR),
• the legal bases of the processing (Art. 13(1)(c) GDPR),
• where processing is based on a balancing of interests, the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
• the recipients or categories of recipients (Art. 13(1)(e) GDPR),
• whether data is transferred to an insecure third country outside the EU/EEA and on which basis (Art. 13(1)(f) GDPR),
• the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
• where data is not collected directly from the data subject, additionally the categories of personal data (Art. 14(1)(d) GDPR).

These mandatory items are broken down for ClickFunnels below.

In practice, it has become common to include a separate text block per tool in the privacy policy. This is not a mandatory requirement of the GDPR and regularly leads to long, redundant and poorly maintainable privacy policies that tend to conflict with the transparency principle of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented one, where processing operations are described across the board (e.g. hosting/funnel provision, newsletter sign-up, sales, tracking) and concrete service providers such as ClickFunnels are listed in a recipients appendix. This is the approach of the matterius generator.

C. Provider of ClickFunnels

According to publicly available information, the contracting party is Etison LLC (DBA ClickFunnels), 3443 W. Bavaria Street, Eagle, Idaho 83616, USA. There is no separate EU entity acting as contracting party for German website operators according to publicly available information; the contracting party for a German website operator is therefore regularly the US entity.

According to publicly available information at https://www.dataprivacyframework.gov/s/participant-search, Etison LLC is listed as a participant in the EU-US Data Privacy Framework. According to provider statements, the third-country transfer to the USA is supported by the DPF and/or EU Standard Contractual Clauses. The specific transfer mechanism is to be reviewed by the website operator on a case-by-case basis.

ClickFunnels' privacy policy is available at https://signup.clickfunnels.com/privacy-policy, and the Data Processing Addendum at https://signup.clickfunnels.com/dpa or https://www.clickfunnels.com/dpa.

D. Data Processing by ClickFunnels – Step by Step

1. Collection: When a ClickFunnels page is accessed, connection data and, where applicable, cookies are recorded. When forms are filled in, the entered content is collected. In order processes, order and payment data are added.
2. Storage: The data is stored on the ClickFunnels platform and at subprocessors (in particular hosting and payment service providers). The locations may be in the USA and other third countries.
3. Use: The website operator uses the data to provide the funnel function, generate leads, execute contracts and, where applicable, for marketing. According to provider statements, ClickFunnels processes the data on instructions to provide the platform.
4. Transmission: ClickFunnels may engage subprocessors (e.g. hosting, payment service providers, email delivery). The website operator may forward data to connected CRM, email and tracking tools.
5. Deletion: The website operator defines deletion and retention rules in the ClickFunnels account and can delete records manually or via API. After contract termination, deletion takes place in accordance with the contractual provisions.

E. Data Collected in ClickFunnels

In the ClickFunnels context, the following data is typically processed: first and last name, email address, phone number, address, order data (selected products, prices, payment status), payment data (via connected payment service providers), entries in custom fields, click paths through the funnel, conversion events (e.g. opt-in, purchase, upsell acceptance) and technical connection data.

This data falls into the following standardised data categories:

• Web server log data: data the server receives with each request, e.g. IP address, date and time, URL of the funnel step, referrer, browser, operating system and device.
• Click paths: funnel steps accessed, buttons clicked, forms submitted, each with timestamps.
• Device data: device type, operating system, screen resolution.
• Browser information: browser name and version.
• Coarse location data: coarse location at city or municipality level derived from the IP address.
• User account data: for membership areas, user ID, email, login history.
• User content: entries in form fields, notes, uploaded files.
• User profiles: tag and segment assignments and funnel histories maintained for a lead/customer.
• Conversion events: opt-in, purchase, upsell acceptance, completion of a funnel step.
• Interaction data: scroll and mouse movements as well as keystrokes, where the website operator has activated corresponding extensions.

F. Purposes of Use When Using ClickFunnels

The website operator typically uses ClickFunnels to provide landing pages and funnels, for lead generation, for the execution of digital or physical sales, for the maintenance of membership areas, for the success measurement of marketing campaigns, and for conversion rate optimisation.

These purposes fall into the following standardised purpose categories:

• Functional provision: provision of the funnel, landing page and membership function, including error detection and resolution.
• Contract performance: preparation and execution of contracts with customers, e.g. orders, subscriptions, memberships, payment processing.
• Security and abuse prevention: authentication of users, bot and spam defence, fraud prevention in orders.
• General product improvement: evaluation of aggregated funnel metrics for optimising pages and processes.
• General marketing: reach analysis, success measurement of campaigns, comparison of funnel variants (A/B tests).
• User profile creation: creation of lead/contact profiles, segment assignment.
• User-individual product improvement: adaptation of further funnel steps based on prior interactions.
• User-individual marketing: alignment of individual email/advertising sequences, where appropriate consent has been given.
• Compliance with retention obligations: retention of contract-relevant and tax-relevant data in accordance with § 147 AO, § 257 HGB.
• Compliance: compliance with statutory requirements.
• Legal enforcement: assertion, exercise and defence of legal claims.
• Communication: handling of inquiries, customer service, support.

G. Legal Bases When Using ClickFunnels

In the website context, ClickFunnels falls primarily into the tool category hosting/third-party content/funnel provision with overlaps to newsletter (opt-in), sale/payment, user account (membership area) and – where activated – tracking (statistics/marketing).

The following legal bases typically come into consideration:

• Contract performance (Art. 6(1)(b) GDPR) for order processes, membership areas and contract execution.
• Legitimate interests (Art. 6(1)(f) GDPR) for general funnel provision, reach analysis and security; relevant legitimate interests are typically functional provision, efficiency, security, abuse prevention, improvement and business management.
• Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG) for newsletter sign-ups, marketing-related cookies and tracking-based evaluations.
• Legal obligation (Art. 6(1)(c) GDPR) for retention obligations regarding order and contract data.

Which legal basis applies depends on the case and is to be reviewed by the website operator on a case-by-case basis.

H. Special Considerations and Notes on ClickFunnels

• DPA: According to its own information, ClickFunnels provides a Data Processing Addendum (https://signup.clickfunnels.com/dpa). Concluding a DPA under Art. 28 GDPR is regularly required when using the system for own processing.
• Third-country transfer: Etison LLC is based in the USA. According to publicly available information, Etison LLC is listed under the EU-US Data Privacy Framework; EU Standard Contractual Clauses may additionally apply. The specific transfer mechanism follows from the contractual documents.
• Subprocessors: ClickFunnels engages subprocessors (e.g. hosting, payment and email service providers). A list is part of the contractual documents and should be reviewed by the website operator.
• Cookies and tracking: According to provider statements, ClickFunnels sets cookies and can integrate tracking scripts (e.g. Meta Pixel, Google tags). Before productive use, the tracking configuration and a consent banner under § 25 TDDDG are required.
• Custom domain and cookie banner: When hosting under an own domain, a consent banner and privacy notices need to be embedded on the ClickFunnels page.
• Payment service providers: In order processes, the engaged payment service provider (e.g. Stripe, PayPal) is to be considered separately and to be included in the website operator's privacy notices.
• Role: In the website context, according to provider statements, ClickFunnels acts as a processor of the website operator for the platform provision. The final classification is to be reviewed by the website operator.

I. FAQ on ClickFunnels and Data Protection

J. Conclusion on ClickFunnels and Call-to-Action

In the website context, ClickFunnels touches several topics simultaneously: hosting of funnel pages, lead capture, sales and membership functions, and marketing-related evaluations. From a data protection perspective, the third-country transfer to the USA, the conclusion of a DPA, the configuration of tracking and consent, and the integration of payment service providers are particularly relevant.

For the website operator, it is mostly not advisable to include a separate text block on ClickFunnels in the privacy policy. Such tool-specific blocks make the privacy policy long, redundant and hard to maintain and tend to conflict with the transparency principle of Art. 12(1) GDPR.

A structured, topic-oriented approach is recommended: the privacy policy describes hosting, funnel provision, newsletter, sales and tracking across the board and refers in an appendix to specific recipients such as ClickFunnels. This is the methodology of the matterius generator.

K. Curator