GetResponse and data protection – what to include in your privacy policy

Concise guidance on GetResponse: data processed, purposes, GDPR legal bases, and what website operators must include in their privacy policy.

When a website operator uses GetResponse, they typically process recipients' email addresses, profile and behavioural data for newsletter delivery, marketing automation and lead scoring on the basis of consent under Art. 6(1)(a) GDPR. This page explains what data GetResponse processes, which mandatory information must therefore appear in the privacy policy, and how to present those statements in a maintainable way. The information is based on the provider's publicly available statements and other publicly researchable sources and does not replace a case-by-case review.

A. Purpose and how GetResponse works

GetResponse is an email marketing and marketing automation platform offered by Polish provider GetResponse S.A. The platform offers list and contact management, newsletter delivery, autoresponders, multi-step marketing automation workflows, landing pages, webinars and lead scoring.

Website operators typically integrate GetResponse via sign-up forms, pop-ups, landing pages or the GetResponse API. In addition, an optional website tracking script can be deployed to measure visits and conversions on the website and attribute them to recipients in GetResponse. This page focuses on the newsletter, automation and website-tracking features; further features such as webinars or the integrated online shop module are not covered in detail.

B. Mandatory information about GetResponse in the privacy policy

In addition to general information about the website operator, the data subject's rights and the supervisory authority, the GDPR requires specific information for the use of tools such as GetResponse. This includes the purposes of processing and the legal bases (both Art. 13(1)(c) GDPR); where processing is based on a balancing test, the specific legitimate interests pursued (Art. 13(1)(d) GDPR); and the recipients or categories of recipients (Art. 13(1)(e) GDPR).

Further required information includes whether data are transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data are not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR). The following sections break these down for GetResponse.

It is not necessary to list GetResponse with its own pre-formulated text block in the privacy policy. While this "one-block-per-tool" practice is widespread, it leads to long, repetitive and barely maintainable privacy policies. A topic-oriented approach is more appropriate: describe the processing operations across the board (newsletters, marketing automation, tracking) and only list concrete recipients in an appendix – this is exactly the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of GetResponse

According to the provider's publicly available information, the contracting party for website operators in Germany is

  • GetResponse S.A.
  • ul. Arkońska 6, A3, 80-387 Gdańsk
  • Poland

Because the provider is based in Poland and therefore within the EU, a third-country transfer by the main service can typically be ruled out. Subprocessors located outside the EEA may be used depending on configuration; the current list is available from the provider. The provider's privacy notice is available at https://www.getresponse.com/legal/privacy.

D. Data processing through GetResponse – step by step

  • Collection: When users sign up via a form, pop-up or landing page, their email address, optionally their name and additional profile fields, and sign-up metadata are recorded. Where website tracking is enabled, a script also captures page views and conversions.
  • Storage: Data are stored on the provider's servers within the EU. Storage duration depends on the validity of the consent and on documentation periods.
  • Use: The provider technically operates delivery and automations. The website operator defines workflows, segments and scoring rules and analyses reports.
  • Disclosure: Data are disclosed to the provider's subprocessors (hosting, infrastructure, mail delivery). The current list is documented by the provider.
  • Deletion: Data are deleted following revocation of consent or unsubscription; sign-up evidence is stored separately.

E. Data collected by GetResponse

When using GetResponse, sign-up typically captures the email address, optionally name, salutation and additional profile fields, the IP address and timestamps for sign-up and confirmation. During delivery and analysis, open and click data, bounce information, tags, segment assignments, lead-scoring values and – where website tracking is enabled – page views and conversions on the website are added.

These data fall into the following standardised data categories:

  • Web server log data: IP address, date, time, URL of the requested resource, referrer and technical metadata when retrieving tracking pixels in mails as well as during website tracking.
  • Click paths: pages of the operator's website visited where website tracking is enabled, plus links clicked in mailings, with date and time.
  • Device data: device type, operating system and similar information about the recipient where derivable from mail retrieval or website tracking.
  • Browser information: browser name and version when clicking on mail links and during website tracking.
  • Coarse location data: city- or municipality-level location derived from the IP address.
  • User account data: email address, name and additional recipient profile fields; the website operator's login history within the GetResponse account.
  • User profiles: interests, tags, segment assignments and lead-scoring values determined by the website operator.
  • Conversion events: sign-up, double opt-in confirmation, click on an action link, view of a thank-you page, purchase or appointment booking where website tracking is active.
  • Interaction data: email opens and clicks on buttons or links within a mailing.
  • Technical telemetry data: bounce rates, delivery times, error messages from the delivery process.

F. Purposes of using GetResponse

The website operator typically uses GetResponse to deliver newsletters and transactional mails, to run multi-step marketing automations, to segment recipients by interest, to perform lead scoring and – if enabled – to measure recipients' visits to the website.

These purposes can be classified into the following standardised categories:

  • Service provision: providing sign-up forms, landing pages and pop-ups; processing sign-ups; delivering confirmation and follow-up mails; running multi-step workflows; error handling.
  • Communication: addressing recipients with editorial and promotional content as well as automated responses.
  • Security and abuse prevention: protection against bot sign-ups and spam entries, verification via double opt-in.
  • General product improvement: analysing open and click rates to optimise mail content overall.
  • General marketing: assessing the effectiveness of mail and automation campaigns.
  • User profile creation: assigning tags, segmentation and computing lead scores based on recipient interaction.
  • User-individual product improvement: tailoring content to past click and open behaviour.
  • User-individual marketing: sending interest-based content, dynamic content blocks and automated follow-up sequences.
  • Legal enforcement: providing evidence of consent in case of disputes.

GetResponse falls primarily into the newsletter and marketing automation categories; the optional website tracking belongs to the marketing tracking category. Depending on the specific processing, the following legal bases may apply:

  • Art. 6(1)(a) GDPR (consent) for sending promotional mails, lead scoring, user-individual profiling and website tracking; where cookies are used, additionally Section 25(1) of the German TDDDG.
  • Art. 6(1)(f) GDPR in conjunction with Section 7(3) UWG for direct marketing of the operator's own similar goods or services to existing customers, where the statutory requirements are met. Legitimate interest: marketing.
  • Art. 6(1)(f) GDPR in conjunction with Art. 7(1), Art. 24(1) GDPR and Section 7(2) No. 2 UWG for storing sign-up metadata as evidence. Legitimate interest: legal enforcement and compliance.

Which legal basis applies in the specific case depends on the circumstances and must be assessed by the website operator.

H. Notable features and notes on GetResponse

  • Opt-out: recipients can unsubscribe at any time via the unsubscribe link in every mailing.
  • Double opt-in: according to the provider, GetResponse supports double opt-in. Operators should keep this setting active for promotional lists.
  • DPA: because GetResponse processes recipient data on instructions, a data processing agreement under Art. 28 GDPR is typically required. The provider offers such an agreement.
  • Third-country transfer: the provider is based in Poland; depending on subprocessors, transfers to third countries may occur, secured by standard contractual clauses (SCC) or an adequacy decision. The subprocessor list is available from the provider.
  • Website tracking: where the website tracking script is embedded, consent via the consent banner is generally required.
  • Operator settings: website tracking, lead-scoring thresholds, tags and automation rules are configurable in detail in the account.

J. Conclusion and call to action for GetResponse

GetResponse is an established EU platform for email marketing and marketing automation. When used on the website, the operator typically processes recipients' email addresses, profile and behavioural data; with website tracking enabled, page views and conversions as well. The applicable legal basis is typically recipient consent; sign-up evidence can be based on legitimate interests. A data processing agreement is typically required.

It is generally not useful to include GetResponse with its own text block in the privacy policy. Tool-specific blocks make the privacy policy long, confusing and hard to maintain – and conflict with the transparency principle of Art. 12(1) GDPR. A structured, topic-oriented approach is preferable: it explains newsletters and marketing automation in general terms and lists GetResponse only in the recipient appendix.

This article provides general information on GetResponse and does not replace legal advice in the specific case. The presentation is based on publicly available statements by the provider and publicly researchable sources. Last updated: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com