Inxmail Professional and Data Protection – What Website Operators Need to Know

If a website operator uses Inxmail Professional for newsletter sending, it integrates registration forms and tracking pixels on its website and processes email addresses, user profiles and interaction data for the purpose of email marketing on the basis of express consent under Art. 6(1)(a) GDPR in conjunction with § 7(2) UWG. Inxmail acts as a processor with data storage in Germany and is ISO 27001 certified. This information is based on provider information and publicly available sources.

A. Purpose and Function of Inxmail Professional

Inxmail is email marketing software – a cloud-based platform for managing contact lists, sending newsletters and analyzing email campaign performance. The platform is used by operators to maintain newsletter subscribers and regularly provide them with content.

Integration function: The operator typically integrates:

1. Newsletter registration form: HTML form on the website to collect the email address and optional data (name, segmentation)
2. Tracking pixel: Invisible 1x1 pixel image embedded in emails which records open rates and click-through rates
3. Link tracking: URL rewriting in emails for recording clicks on links
4. Double opt-in confirmation (recommended): Sending a confirmation email which users must click

These components enable GDPR- and UWG-compliant collection and management of newsletter subscriptions.

B. Mandatory Disclosures in the Privacy Policy regarding Inxmail

Under the GDPR and UWG, the operator must disclose the following information about Inxmail:

• Purpose (Art. 13(1)(c)): Newsletter sending, tracking of email interactions, contact management
• Legal basis (Art. 13(1)(a) + (d)): Express consent (Art. 6(1)(a)), legitimate interests for proof of consent (Art. 6(1)(f))
• Recipients (Art. 13(1)(e)): Inxmail GmbH as processor
• Third-country transfer (Art. 13(1)(f)): None; data storage exclusively in Germany (EEA)
• Retention period (Art. 13(2)(a)): As long as an active newsletter subscription exists; erasure after unsubscription

Note: Tool-specific text blocks are problematic. Better: topic-oriented structure (chapter "Newsletter and email marketing") with clear presentation: consent required, data recipients, storage location, unsubscription.

C. Provider of Inxmail: Inxmail GmbH

• Legal name: Inxmail GmbH
• Registered office: Wentzingerstraße 17, 79106 Freiburg im Breisgau, Germany
• Country of registered office: Germany (European Economic Area)
• Privacy Policy: https://www.inxmail.de/datenschutz
• DPF status: Not required (registered office in EEA)
• DPA: Available; ISO 27001 certified (TÜV Rheinland Standard ISO/IEC 27001:2022)
• Certifications: ISO 27001, ePrivacy seal
• Data storage: Exclusively on German/EU servers (no third-country transfer to USA)

D. Data Processing by Inxmail – Process

E. Data Collected when Using Inxmail

Inxmail collects various categories of user data for newsletter marketing:

• User account data: Email address, first name, last name (if collected), registration date, unsubscription date
• Segmentation data: Customer type, industry, region, interest categories (defined by the operator)
• Interaction data: Email opens (timestamps), link clicks (which link, when), download events, conversion events
• Device information: For email opens: device type (desktop/mobile), email client (Outlook, Gmail, Apple Mail, etc.), operating system
• Behavioral data: Click path in the email (which links in which order), dwell times per link
• IP addresses: IP address on email open (can be used for location analysis; optional anonymisation)
• Consent data: Double opt-in status, consent date, unsubscription date, unsubscription reason (if collected)

F. Purposes of Use when Using Inxmail

The data is processed for the following purposes:

• Functional provision: Sending newsletters to subscribers
• General product improvement: Optimization of subject lines, send times, layout based on aggregated open/click rates
• General marketing: Reach analysis, performance reporting of campaigns
• User-individual product improvement: Personalized campaigns based on segment and click behavior
• User profile creation: Segmentation based on opening and click behavior for targeted sends
• Security and abuse protection: Spam and bouncing detection, fraud detection
• Communication: Newsletter sending itself, transaction emails (welcome email, unsubscription confirmation)
• Compliance: Documentation of consents and unsubscriptions for legal compliance

G. Legal Bases for Inxmail

Step 1 – Categorization: Inxmail is an email marketing platform for direct user communication.

Step 2 – Legal bases:

• For newsletter sending: Express consent under Art. 6(1)(a) GDPR in conjunction with § 7(2) UWG (requirement of express consent before sending). Double opt-in is recommended, but is not strictly required (single opt-in is legally sufficient).
• For proof of consent: Legitimate interests under Art. 6(1)(f) GDPR (operator must be able to document consents)
• For tracking of opens/clicks: Legitimate interests under Art. 6(1)(f) GDPR (improvement of campaign performance)

Note: § 25(1) TDDDG (cookies in emails) is not applicable, as emails do not contain cookies as browser cookies. However: tracking pixels and URL rewriting are relevant from a data protection perspective and should be mentioned in the consent and privacy policy.

H. Special Features and Notes regarding Inxmail

• Processor relationship required: The operator MUST conclude a DPA with Inxmail. Inxmail provides DPA templates.
• Data storage in Germany: Major compliance advantage – Inxmail stores exclusively in Germany/EU, no third-country transfers to USA.
• Opt-out function mandatory: Every newsletter email must contain a working unsubscribe link (GDPR Art. 7(3), UWG § 7(3)). Inxmail offers automatic unsubscribe links.
• Double opt-in recommended: Although not mandatory, double opt-in is best practice and reduces abuse risks. Inxmail supports double opt-in workflows.
• Tracking pixel documentation: The use of tracking pixels (open tracking) should be explicitly mentioned in the privacy policy.
• Segmentation data: If users are segmented (e.g. by customer type), the segmentation criteria must be documented.
• ISO 27001 certification: Inxmail is ISO 27001 certified, which demonstrates security standards.
• Accountability: The operator should document that a DPA exists and that consents have been obtained correctly.

I. FAQ regarding Inxmail

J. Conclusion and Recommendation regarding Inxmail

Summary: Inxmail is a privacy-friendly email marketing solution with storage in Germany and no third-country transfer to the USA. The main compliance point is consent: it must be expressly given, obtained before newsletter sending and documented.

Common mistake: Operators use Inxmail without explicitly documenting consent or without concluding a DPA. This leads to GDPR violations. Better: take consent management seriously, consider double opt-in, document regularly.

Best practice:

1. Consent form with clear information ("I accept newsletters")
2. Send double opt-in email and obtain confirmation
3. Conclude and maintain DPA with Inxmail
4. Unsubscribe link in every email (is Inxmail standard)
5. Transparently report on newsletter in the privacy policy