Customer.io and Data Protection – What Belongs in Your Privacy Policy

Concise guide to Customer.io: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy.

If a website operator uses Customer.io, it typically processes recipients' email addresses, profile data and event data in order to send automated email and push campaigns, segment recipient groups and, where the corresponding snippet is embedded, also link website behaviour to recipient profiles. These processing activities are typically based on the recipients' consent under Art. 6 para. 1 lit. a GDPR, complemented by legitimate interests for retaining sign-up and consent records. This page provides a compact overview of what data Customer.io processes according to the provider's publicly available information and which mandatory disclosures belong in the privacy policy.

A. Purpose and Functionality of Customer.io

Customer.io is a cross-channel customer engagement platform that allows companies to orchestrate email, push, SMS and in-app campaigns. Website operators typically use Customer.io for lifecycle mailings, trigger-based campaigns, recipient segmentation and customer communication along automated workflows ("campaigns" and "journeys").

This page focuses on the integration function typical for website operators: embedding an email sign-up form, the Customer.io track JavaScript snippet for linking website behaviour to recipient profiles, and the sending of mailings via Customer.io. Other functions such as push, SMS or in-app messaging are not within the scope of this article and must be examined separately by the website operator.

B. Mandatory Disclosures in the Privacy Policy when Using Customer.io

The GDPR requires the privacy policy to set out tool-specific minimum content in addition to general information about the website operator, data subject rights and the supervisory authority. For the use of Customer.io this includes in particular:

  • the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
  • the legal bases (Art. 13 para. 1 lit. c GDPR),
  • where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
  • the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
  • whether data is transferred to a third country and, if so, on what basis (adequacy decision or appropriate safeguards) (Art. 13 para. 1 lit. f GDPR),
  • the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
  • where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).

It is not necessary to list Customer.io with its own boilerplate text in the privacy policy, even though that practice is widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, redundant texts, makes the privacy policy hard to maintain and tends to run counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate – describing processing across topics (newsletter, tracking, etc.) and naming Customer.io only in an annex of recipients. This is exactly the methodology that the matterius generator follows.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Customer.io

According to the publicly available information from the provider, the contracting party for German website operators is Peaberry Software, Inc. d/b/a Customer.io, based in Portland, Oregon, USA. The exact address that is decisive in any individual case must be verified by the website operator on the basis of the contract documents.

According to the publicly available information, Customer.io is certified under the EU-US Data Privacy Framework (DPF); the status can be verified at https://www.dataprivacyframework.gov/s/participant-search. EU Standard Contractual Clauses are used as additional safeguards. Customer.io also offers an EU data residency region in which data can be processed within the EU – the website operator selects the region during account setup.

The provider's privacy policy is available at https://customer.io/legal/privacy/. The Data Processing Agreement is provided at https://customer.io/legal/data-processing-agreement/.

D. Data Processing by Customer.io – Step by Step

Collection: When a recipient signs up (via a form or an API integration), email address, name, possibly further profile data, IP address at the time of sign-up and timestamp of consent are recorded. If the Customer.io track JavaScript is embedded, website behaviour data (pages visited, clicks, conversion events) is additionally captured and linked to the profile.
Storage: Storage takes place in the Customer.io region selected by the website operator (USA or EU). Profiles remain stored as long as they are needed to provide the service and are not deleted by the website operator.
Use: Customer.io sends campaigns, captures opens and clicks (email interaction data), evaluates workflows, and provides segmentation and reporting. The website operator configures lists, segments, templates, triggers and sending rules.
Disclosure: Customer.io uses subprocessors (cloud infrastructure, sending sub-providers); an overview is published in the trust area of the provider's website. If the US region is selected, processing takes place in the USA.
Deletion: Recipients can withdraw their consent via the unsubscribe link or by contacting the website operator. The website operator can delete profiles in Customer.io via the back-end or API.

E. Data Collected by Customer.io

When using Customer.io, the data processed includes in particular email address, name, further profile data, IP address and timestamp at the time of sign-up, double opt-in confirmation, and opens and link clicks in the emails sent. If the track JavaScript is embedded, website behaviour data (pages visited, clicks, conversion events) is added.

The data can be classified into the following standardised data categories:

  • Web server log data: IP address, date, time, URL, referrer, user-agent, status code when calling the tracking and sign-up endpoints.
  • Click paths: visits to defined pages and buttons, clicks in Customer.io emails.
  • Device data: device type, operating system.
  • Browser information: browser name and version.
  • Coarse location data: location derived from the IP address at city or municipality level.
  • User account data: for recipient profiles, typically the user identifier (email) and profile data provided by the recipient.
  • User profiles: segment assignments, engagement values, tag assignments, tracking histories.
  • Conversion events: purchases, sign-ups, visits to defined target pages.
  • Interaction data: behaviour in emails (opens, clicks) and – where the track JS is embedded – within the website.

F. Purposes when Using Customer.io

Website operators typically use Customer.io to send lifecycle mailings and transactional emails, to maintain and segment recipient lists, to trigger automated workflows, to measure campaign performance and – where consent has been given – to personalise content based on the recipient's behaviour.

The purposes can be classified into the following standardised purpose categories:

  • Provision of functionality: provision of the cross-channel functionality, including sign-up confirmation, sending triggers, workflows.
  • Security and abuse prevention: detecting and preventing improper sign-ups, spam and bot defence.
  • General product improvement: evaluation of aggregated campaign metrics to optimise content and send times.
  • General marketing: reach and campaign analysis.
  • User profile creation: segment assignment and derivation of interests and preferences per recipient.
  • User-individual product improvement: personalisation of content and suggestions.
  • User-individual marketing: personalised direct marketing and trigger emails.
  • Legal defence: documentation of sign-up and consent.
  • Communication: handling enquiries.

G. Legal Bases when Using Customer.io

In a first step, Customer.io must be assigned to a tool category: it is mainly a tool from the Newsletter and email/cross-channel marketing category; if the track JavaScript is enabled, the Tracking (statistics or marketing) category may also apply.

In a second step, the following legal bases typically come into consideration:

  • For sending newsletters and advertising emails: the recipient's consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 7 para. 2 no. 3 UWG.
  • For storing sign-up and double opt-in records: the legitimate interest in legal defence and compliance under Art. 6 para. 1 lit. f GDPR in conjunction with Art. 7 para. 1 GDPR.
  • For transactional emails in the context of an existing contract: contract performance under Art. 6 para. 1 lit. b GDPR.
  • For web tracking and profile enrichment: typically consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG.
  • For direct marketing to existing customers for the operator's own similar goods or services: as an alternative to consent, the legitimate interest in advertising under Art. 6 para. 1 lit. f GDPR in conjunction with the existing-customer exception of § 7 para. 3 UWG.

The applicable legal basis depends on the circumstances of the individual case and must be examined by the website operator.

H. Particularities and Notes on Customer.io

  • DPA: Customer.io provides a Data Processing Agreement; concluding it is generally required.
  • EU region: Customer.io offers an EU region for data processing, which from a GDPR perspective is generally the preferred choice; the region must be selected during account setup.
  • Third-country transfer / DPF: If the US region is selected, processing takes place in the USA. According to the publicly available information, Customer.io is certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses are used as additional safeguards.
  • Subprocessors: An overview of subprocessors is provided in the trust area of the provider's website.
  • Opt-out: Every email contains an unsubscribe link; recipients can withdraw their consent at any time with effect for the future.
  • Settings for the website operator: Recommended are double opt-in, loading the track JS only after the visitor has given consent (and stopping it when consent is withdrawn), deliberate maintenance of recipient lists and selection of the EU region where possible.
  • Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
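The recommendation to configure the track JS depending on consent status is easy to get wrong: the typical mistake is to load the vendor snippet on page load and merely suppress events afterwards, by which point the script has already set cookies and contacted the vendor. The following is an added example written for this article; it is not Customer.io's own snippet and does not model the Customer.io SDK's API. It shows a consent gate in which the third-party script is injected only once consent is granted, calls made before the visitor has decided are buffered in memory, and a denial discards that buffer instead of sending it later. Assumed (not from the page): consent is one of the strings "unknown", "granted" or "denied", `loadTracker()` is whatever injects the vendor script and returns a `deliver(event)` function wired to the vendor SDK, and the script URL in the demonstration is a placeholder.

```javascript
// Added example, not code from Customer.io or from this article.
// Consent gate for a third-party tracking snippet (e.g. a track JS):
//   - the vendor script is injected only after consent is granted,
//   - events recorded before the decision are buffered, bounded in size,
//   - a denial (or withdrawal) discards the buffer and stops forwarding.
// Assumption: consent state is "unknown" | "granted" | "denied";
// loadTracker() injects the script and returns deliver(event).

const CONSENT_STATES = new Set(["unknown", "granted", "denied"]);

function createConsentGate(loadTracker, { maxQueued = 100 } = {}) {
  let state = "unknown";
  let deliver = null; // set once the vendor script has been loaded
  let queue = [];     // events recorded before a consent decision

  function flush() {
    const pending = queue;
    queue = [];
    for (const ev of pending) deliver(ev);
    return pending.length;
  }

  function setConsent(next) {
    if (!CONSENT_STATES.has(next)) throw new Error("invalid consent state: " + next);
    state = next;
    if (state === "granted") {
      if (deliver === null) deliver = loadTracker(); // inject the script exactly once
      return { state, flushed: flush() };
    }
    // "denied" or reset to "unknown": what was buffered must never be sent
    const dropped = queue.length;
    queue = [];
    return { state, dropped };
  }

  function track(name, properties = {}) {
    const event = { name, properties, ts: Date.now() };
    if (state === "granted") { deliver(event); return "sent"; }
    if (state === "denied") return "dropped";
    if (queue.length >= maxQueued) queue.shift(); // bound memory on long undecided sessions
    queue.push(event);
    return "queued";
  }

  return { track, setConsent, getState: () => state, queuedCount: () => queue.length };
}

// Browser loader: appends the vendor <script> tag only when invoked by the gate.
// `src` is a placeholder assumption, not the real snippet URL; `deliver` is the
// integrator's bridge to the vendor SDK once it has initialised.
function makeScriptLoader(doc, src, deliver) {
  return function loadTracker() {
    const s = doc.createElement("script");
    s.async = true;
    s.src = src;
    doc.head.appendChild(s);
    return deliver;
  };
}

// Offline demonstration with an in-memory sink in place of the vendor SDK.
function demo() {
  const sent = [];
  const gate = createConsentGate(() => (ev) => sent.push(ev.name));
  const before = gate.track("page_view", { path: "/pricing" }); // buffered, nothing loaded yet
  gate.setConsent("granted");                                    // script loaded, buffer flushed
  const after = gate.track("click", { id: "signup" });           // forwarded immediately
  gate.setConsent("denied");                                     // withdrawal with effect for the future
  const later = gate.track("page_view", { path: "/blog" });      // no longer forwarded
  return { before, after, later, sent };
}
```

Two caveats belong with this pattern. First, once the script has been injected, setting "denied" only stops this gate from forwarding events; the already-loaded vendor code and any cookies or local storage it created remain until the integrator clears them and reloads, so withdrawal handling needs that cleanup step as well. Second, the buffer must be discarded on denial, as above, and never replayed later if the visitor changes their mind, because those events were recorded without a legal basis.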

J. Conclusion on Customer.io

When using Customer.io, website operators process recipient data for the purposes of cross-channel communication, lifecycle campaigns and, where the track JS is enabled, personalisation based on website behaviour. The contracting party is the US group entity, which is certified under the EU-US Data Privacy Framework according to the publicly available information; alternatively, an EU region is available. Key obligations are concluding a DPA, robust consent documentation and, where web tracking is used, gating the track JS via the consent management platform.

It is generally not advisable for the website operator to include a dedicated boilerplate text for Customer.io in the privacy policy. A structured, topic-oriented approach is recommended that explains tools across topical blocks (newsletter, tracking, etc.) and only names individual service providers such as Customer.io in an annex of recipients. This is exactly the methodology that the matterius generator follows.

This article provides general information on Customer.io and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com