Evalanche and data protection – what to include in your privacy policy

When a website operator uses Evalanche, they typically process contacts' email addresses, profile and behavioural data for newsletter delivery, marketing automation, lead scoring and possibly website tracking on the basis of consent under Art. 6(1)(a) GDPR. This page explains what data Evalanche processes, which mandatory information must therefore appear in the privacy policy, and how to present those statements in a maintainable way. The information is based on the provider's publicly available statements and other publicly researchable sources and does not replace a case-by-case review.

A. Purpose and how Evalanche works

Evalanche is a marketing automation and email marketing platform developed in Germany by SC-Networks GmbH. The platform mainly targets B2B users and agencies and offers contact management, multi-step lead nurturing campaigns, lead scoring, newsletter delivery, forms, landing pages and website tracking.

Website operators typically integrate Evalanche via sign-up forms, embedded landing pages, a JavaScript tracking script that records page views and via the Evalanche API. This page focuses on the newsletter, automation and tracking features; further capabilities such as print mailings or academy modules are not covered in detail.

B. Mandatory information about Evalanche in the privacy policy

In addition to general information about the website operator, the data subject's rights and the supervisory authority, the GDPR requires specific information for the use of tools such as Evalanche. This includes the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), where processing is based on a balancing test, the specific legitimate interests pursued (Art. 13(1)(d) GDPR) as well as the recipients or categories of recipients (Art. 13(1)(e) GDPR).

Further required information includes whether data are transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data are not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR). The following sections break these down for Evalanche.

It is not necessary to list Evalanche with its own pre-formulated text block in the privacy policy. While this „one-block-per-tool" practice is widespread, it leads to long, repetitive and barely maintainable privacy policies. A topic-oriented approach is more appropriate: describe the processing operations across the board (newsletters, marketing automation, tracking) and only list concrete recipients in an appendix – this is exactly the methodology of the matterius generator.

C. Provider of Evalanche

According to the provider's publicly available information, the contracting party for website operators in Germany is

• SC-Networks GmbH
• Würmstraße 4, 82319 Starnberg
• Germany

Because the provider is based in Germany, a third-country transfer by the main service can typically be ruled out. According to the provider, the data are hosted in certified German data centres. Whether subprocessors are involved must be assessed by the website operator on a case-by-case basis. The provider's privacy notice is available at https://www.sc-networks.de/datenschutz/.

D. Data processing through Evalanche – step by step

E. Data collected by Evalanche

When using Evalanche, sign-up typically captures the email address, optionally name, salutation, company and additional profile fields, the IP address and timestamps. During operation, opens and click data, bounces, tags, segment assignments, lead-scoring values and – where website tracking is active – page views and conversions on the website are added.

These data fall into the following standardised data categories:

• Web server log data: IP address, date, time, URL of the requested resource, referrer and technical metadata when retrieving tracking pixels in mails as well as during website tracking.
• Click paths: pages of the operator's website visited where website tracking is active, plus links clicked in mailings, with date and time.
• Device data: device type, operating system and similar information about the recipient where derivable from mail retrieval or website tracking.
• Browser information: browser name and version when clicking on mail links and during website tracking.
• Coarse location data: city- or municipality-level location derived from the IP address.
• User account data: email address, name and additional profile fields of the contact; the website operator's login history within the Evalanche backend.
• User profiles: interests, tags, segment assignments and lead-scoring values determined by the operator.
• Conversion events: sign-up, double opt-in confirmation, click on an action link, view of a thank-you page, white-paper download or form submit.
• Interaction data: email opens and clicks on buttons or links within a mailing.
• Technical telemetry data: bounce rates, delivery times, error messages from the delivery process.

F. Purposes of using Evalanche

The website operator typically uses Evalanche to deliver newsletters and mailings, to run multi-step lead-nurturing campaigns, to segment contacts by interest and lead status, to perform lead scoring and – where enabled – to measure contacts' interactions on the website.

These purposes can be classified into the following standardised categories:

• Service provision: providing sign-up forms and landing pages; processing sign-ups; delivering confirmation and follow-up mails; running multi-step lead-nurturing workflows; error handling.
• Communication: addressing contacts with editorial and promotional content as well as automated responses.
• Security and abuse prevention: protection against bot sign-ups and spam entries, verification via double opt-in.
• General product improvement: analysing open and click rates to optimise mail content overall.
• General marketing: assessing the effectiveness of mail and automation campaigns.
• User profile creation: assigning tags, segmentation and computing lead scores based on recipient interaction.
• User-individual product improvement: tailoring content to past click and open behaviour.
• User-individual marketing: sending interest-based content, dynamic content blocks and automated nurturing sequences.
• Legal enforcement: providing evidence of consent in case of disputes.

G. Legal bases for using Evalanche

Evalanche falls primarily into the newsletter and marketing automation categories; the optional website tracking belongs to the marketing tracking category. Depending on the specific processing, the following legal bases may apply:

• Art. 6(1)(a) GDPR (consent) for sending promotional mails, lead scoring, user-individual profiling and website tracking; where cookies are used, additionally Section 25(1) of the German TDDDG.
• Art. 6(1)(f) GDPR in conjunction with Section 7(3) UWG for direct marketing of the operator's own similar goods or services to existing customers, where the statutory requirements are met. Legitimate interest: marketing.
• Art. 6(1)(f) GDPR in conjunction with Art. 7(1), Art. 24(1) GDPR and Section 7(2) No. 2 UWG for storing sign-up metadata as evidence. Legitimate interest: legal enforcement and compliance.

Which legal basis applies in the specific case depends on the circumstances and must be assessed by the website operator.

H. Notable features and notes on Evalanche

• Opt-out: recipients can unsubscribe at any time via the unsubscribe link in every mailing. Evalanche integrates this link by default.
• Double opt-in: Evalanche supports double opt-in. Operators should activate it for promotional lists.
• DPA: because Evalanche processes recipient data on instructions, a data processing agreement under Art. 28 GDPR is typically required. The provider offers such an agreement.
• Third-country transfer: according to the provider, the data are hosted in German data centres. The current subprocessor list is available from the provider.
• Certifications: the provider lists certifications on its website (e.g. ISO 27001 and specific marketing-automation trust seals). Currency should be checked on a case-by-case basis.
• Website tracking: where the tracking script is embedded, consent via the consent banner is generally required.
• Operator settings: tracking script, lead-scoring thresholds, tags, workflow rules and retention periods are configurable in detail.

I. FAQ on Evalanche and data protection

J. Conclusion and call to action for Evalanche

Evalanche is an established German marketing automation platform with a focus on B2B lead nurturing. When used on the website, the operator typically processes contacts' email addresses, profile and behavioural data; with the tracking script active, also website interactions. The applicable legal basis is typically consent; sign-up evidence can be based on legitimate interests. A data processing agreement is typically required.

It is generally not useful to include Evalanche with its own text block in the privacy policy. Tool-specific blocks make the privacy policy long, confusing and hard to maintain – and conflict with the transparency principle of Art. 12(1) GDPR. A structured, topic-oriented approach is preferable: it explains newsletters and marketing automation in general terms and lists Evalanche only in the recipient appendix.

K. Curator

Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com