GDPR Knowledge

Iterable and Data Protection – What Belongs in Your Privacy Policy

Concise guide to Iterable: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy.

If a website operator uses Iterable, it typically processes email address, salutation, name, sign-up data and email interaction data – and, where the corresponding snippet is embedded, also website behaviour data – in order to send newsletters, lifecycle emails and cross-channel campaigns, segment recipient groups and measure campaign performance. These processing activities are typically based on the recipients' consent under Art. 6 para. 1 lit. a GDPR, complemented by legitimate interests in legal defence for record-keeping data. The following article summarises what Iterable does according to the publicly available information from the provider, and which mandatory disclosures belong in the website's privacy policy.

A. Iterable: Purpose and Functionality

Iterable is a cross-channel marketing platform that allows companies to orchestrate email, SMS, push, in-app and web campaigns. Website operators typically use Iterable to send newsletters and lifecycle campaigns, to run automated workflows ("journeys"), to segment recipients based on profile and behavioural data, and to measure the performance of the email channel.

The platform also offers further functions such as SMS, mobile push, in-app messaging and an AI-driven personalisation module (Iterable AI). This page focuses on the integration function typical for website operators: embedding an email sign-up form (e.g. via the Iterable API or a custom front-end with an Iterable back-end) and sending emails through Iterable, optionally combined with a web-tracking snippet that links website behaviour to recipient profiles. Other functions (in particular SMS, push or in-app modules) are not within the scope of this article and must be examined separately by the website operator.

B. Mandatory Disclosures on Iterable in the Privacy Policy

The GDPR requires a privacy policy to set out, in addition to general information about the website operator, the rights of data subjects and the competent supervisory authority, also tool-specific minimum content. With respect to the use of Iterable, this includes in particular the purposes of the processing (Art. 13 para. 1 lit. c GDPR), the legal bases (Art. 13 para. 1 lit. c GDPR), where based on legitimate interests the specific interests pursued (Art. 13 para. 1 lit. d GDPR), the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR), information on third-country transfers (Art. 13 para. 1 lit. f GDPR), the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR) and – where data is not collected directly from the data subject – the categories of personal data (Art. 14 para. 1 lit. d GDPR).

These mandatory disclosures are broken down for Iterable in the sections that follow. Important: it is not necessary to list every single tool such as Iterable with its own boilerplate text in the privacy policy. While this practice has become widespread, it leads to long, repetitive texts that can hardly be maintained and tend to run counter to the transparency requirement of Art. 12 para. 1 GDPR.

A topic-oriented approach is more appropriate: processing activities are described across topics (server operations, newsletter, tracking, sales, etc.), and the specific service providers used – including Iterable – are listed in an annex of recipients.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Iterable

According to the provider's publicly available information, the contracting party for German website operators is generally Iterable, Inc., based in San Francisco, California, USA. Which entity and address are decisive for the contractual relationship in any individual case (in particular whether a European subsidiary is contracted with) follows from the order documents and must be verified by the website operator.

According to the publicly available information, Iterable, Inc. is certified under the EU-US Data Privacy Framework (DPF); the status can be checked at https://www.dataprivacyframework.gov/s/participant-search. For data transfers outside the scope of the DPF, the provider stipulates the use of EU Standard Contractual Clauses.

Iterable's privacy policy is available at https://iterable.com/legal/privacy-policy/. Information on the data processing agreement and subprocessors is provided by Iterable via the trust/compliance centre at https://iterable.com/trust/gdpr-commitment/.

D. Iterable: Data Processing Step by Step

Collection: When a website visitor signs up via a form or is otherwise added as a profile in Iterable (e.g. after a purchase), the email address, optionally name and salutation, further form fields, the IP address at the time of sign-up and the timestamp of consent are processed. If a web-tracking or event snippet is embedded, website behaviour (page views, click paths, conversion events) can also be captured and linked to the profile.
Storage: Data is stored in the Iterable platform. According to the publicly available information, Iterable uses cloud infrastructure in the USA. Profiles remain stored as long as they are needed to provide the service and are not deleted by the website operator.
Use: Iterable performs the technical email sending, captures opens and clicks (email interaction data), evaluates campaigns, and provides segmentation, workflows ("journeys") and reporting. The website operator configures lists, segments, templates, triggers and sending rules.
Disclosure: Iterable uses its own subprocessors (in particular cloud infrastructure and additional sending providers). Iterable provides a current overview in the compliance section of its website. Processing takes place in the USA; further third countries may be added depending on the subprocessor.
Deletion: Recipients can withdraw their consent via the unsubscribe link contained in every email or by contacting the website operator. The website operator can delete or suppress profiles in Iterable; Iterable provides API and account functions for this.

E. Data Collected by Iterable

When using Iterable, the data processed includes in particular email address, salutation, name, further form fields, IP address and timestamp at the time of sign-up, the double opt-in confirmation, and opens and link clicks in the emails sent. If a web-tracking or event snippet is embedded, click paths, device information, browser information, coarse location data and conversion events (e.g. purchases, sign-ups) can also be captured and linked to the profile.

The data can be classified into the following standardised data categories:

  • Web server log data: data the web server receives with each request, e.g. IP address of the internet connection, date, time, URL of the requested content, referrer, browser, operating system and device information and additional technical metadata.
  • Click paths: pages visited, links and buttons clicked with date and time, e.g. links visited, buttons clicked and forms accessed.
  • Device data: information about the device, e.g. device type, operating system, screen resolution.
  • Browser information: browser name, version and any installed extensions.
  • Coarse location data: location derived from the IP address at city or municipality level.
  • User profiles: interests, preferences, segment assignments, usage histories and metrics derived therefrom – determined by the website operator for a recipient.
  • Conversion events: user interactions defined as relevant by the website operator, e.g. newsletter sign-up, product purchase, visit to a thank-you page or download of a guide.
  • Interaction data: behaviour within emails (e.g. opens, link clicks) and – where web tracking is embedded – within the website.

Special-category data within the meaning of Art. 9 GDPR is typically not collected in standard usage.

F. Purposes when Using Iterable

The website operator typically uses Iterable to send newsletters, lifecycle emails and transactional emails, to maintain and segment recipient lists, to trigger automated workflows ("journeys"), to measure campaign performance and – where consent has been given – to tailor content and advertising to recipients' interests and behaviour.

The purposes can be classified into the following standardised purpose categories:

  • Provision of functionality: provision of the newsletter and cross-channel functionality, including sign-up forms, sign-up confirmation (double opt-in), sending triggers, workflows, and error detection and correction.
  • Security and abuse prevention: detecting and preventing improper sign-ups, spam and bot defence, authentication of recipients during double opt-in.
  • General product improvement: evaluation of sending statistics (open rates, click-through rates, reach) to optimise content and send times across all recipients.
  • General marketing: campaign performance measurement, reach analysis and assessment of the email channel and the cross-channel strategy as a whole.
  • User profile creation: segment assignment and derivation of interests and preferences per recipient based on profile and interaction data.
  • User-individual product improvement: tailoring content and suggestions to the interests of individual recipients.
  • User-individual marketing: personalised direct marketing by email (and possibly other channels), targeted at the interests and behaviour of the individual recipient.
  • Legal defence: documentation of sign-up and consent (in particular double opt-in records).
  • Communication: handling enquiries received via emails or sign-up forms.

Iterable falls primarily into the Newsletter and email/cross-channel marketing tool category; if the web-tracking snippet is enabled, the Tracking (statistics or marketing) category may also apply.

The legal bases that typically come into consideration are:

  • For sending newsletters and advertising emails: the recipient's consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 7 para. 2 no. 3 UWG.
  • For storing sign-up and double opt-in records as evidence: the legitimate interest in legal defence and compliance under Art. 6 para. 1 lit. f GDPR in conjunction with Art. 7 para. 1 GDPR.
  • For transactional emails in the context of an existing contract (e.g. order confirmations): typically contract performance under Art. 6 para. 1 lit. b GDPR.
  • For web tracking and the enrichment of profiles with behavioural data: typically consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG, since information is stored on or read from end-user devices.
  • For direct marketing to existing customers for the operator's own similar goods or services: additionally the legitimate interest in advertising under Art. 6 para. 1 lit. f GDPR in conjunction with § 7 para. 3 UWG.

The applicable legal basis depends on the circumstances of the individual case and must be examined by the website operator, in particular based on the specific configuration of the function and the channel used.
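The purposes "authentication of recipients during double opt-in" and "documentation of sign-up and consent", and the legal-defence basis for keeping those records, all rest on the same operator-side mechanics: a confirmation link that only the holder of the mailbox can use, and a record of who consented, when, from where and to which consent text. The following is an added example written for this page, not code from Iterable or from the article's author; the signing key, the 48-hour validity, the record fields and the in-memory store are assumptions for illustration.

```python
"""Double opt-in (DOI) confirmation and consent evidence.

Added example, not Iterable's code. Issues an HMAC-signed, time-limited,
single-use confirmation token bound to the e-mail address, verifies it when
the link is clicked, and keeps the consent record afterwards. Key, TTL,
field names and the in-memory store are assumptions; a real deployment keeps
the key in a secret store and the records in durable storage.
"""
import base64
import binascii
import dataclasses
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET_KEY = b"assumption: 32+ random bytes loaded from a secret store"  # assumption
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 h


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(signup_id: str, email: str, now: int) -> str:
    """Return base64url(payload).hex(HMAC) binding sign-up id, e-mail and expiry."""
    payload = json.dumps(
        {"sid": signup_id, "email": email.lower(), "exp": now + TOKEN_TTL_SECONDS},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_token(token: str, now: int):
    """Return the payload dict if signature and expiry check out, else None."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a tampered payload or signature fails here.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    if now > data["exp"]:
        return None  # expired link; the recipient has to sign up again
    return data


@dataclasses.dataclass(frozen=True)
class ConsentRecord:
    """What the operator keeps as evidence of consent (Art. 7 para. 1 GDPR)."""
    signup_id: str
    email: str
    signup_time: int
    signup_ip: str
    confirm_time: int
    confirm_ip: str
    consent_text_version: str
    withdrawn_time: Optional[int] = None


class SignupStore:
    """In-memory stand-in for the operator's database (assumption)."""

    def __init__(self) -> None:
        self.pending = {}
        self.records = {}

    def start_signup(self, email: str, ip: str, consent_text_version: str, now: int):
        """Step 1: form submitted. The address is not on the list yet."""
        sid = secrets.token_urlsafe(16)
        self.pending[sid] = {"email": email.lower(), "ip": ip,
                             "time": now, "version": consent_text_version}
        return sid, issue_token(sid, email, now)

    def confirm(self, token: str, ip: str, now: int):
        """Step 2: confirmation link clicked. Returns the record or None."""
        data = verify_token(token, now)
        if data is None:
            return None
        pending = self.pending.pop(data["sid"], None)  # pop => single use
        if pending is None or pending["email"] != data["email"]:
            return None
        record = ConsentRecord(
            signup_id=data["sid"], email=pending["email"],
            signup_time=pending["time"], signup_ip=pending["ip"],
            confirm_time=now, confirm_ip=ip,
            consent_text_version=pending["version"],
        )
        self.records[pending["email"]] = record
        return record

    def withdraw(self, email: str, now: int) -> bool:
        """Unsubscribe: stop sending, but keep the record as evidence."""
        record = self.records.get(email.lower())
        if record is None or record.withdrawn_time is not None:
            return False
        self.records[email.lower()] = dataclasses.replace(record, withdrawn_time=now)
        return True

    def may_send_marketing(self, email: str) -> bool:
        record = self.records.get(email.lower())
        return record is not None and record.withdrawn_time is None


if __name__ == "__main__":
    store = SignupStore()
    t0 = 1_700_000_000
    _, token = store.start_signup("Alice@Example.org", "203.0.113.7", "v3", t0)
    print(store.confirm(token, "203.0.113.9", t0 + 120))
    print(store.confirm(token, "203.0.113.9", t0 + 240))  # None: token already used
    store.withdraw("alice@example.org", t0 + 86_400)
    print(store.may_send_marketing("alice@example.org"))   # False, record retained
```

Two design points matter for the legal-defence purpose: the token is single-use and bound to the address, so a confirmation cannot be replayed or transferred to another mailbox, and withdrawal marks the record rather than deleting it, so the sign-up and confirmation evidence survives the unsubscribe while sending stops immediately.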

H. Iterable: Particularities and Notes

  • DPA: According to the publicly available information, Iterable provides a data processing agreement; information is available in the GDPR/trust area at https://iterable.com/trust/gdpr-commitment/. Concluding it is required whenever Iterable processes personal data on the website operator's behalf (Art. 28 para. 3 GDPR).
  • Third-country transfer / DPF: According to the publicly available information, Iterable, Inc. is certified under the EU-US Data Privacy Framework. For transfers not covered by the DPF, the provider stipulates EU Standard Contractual Clauses. Status verifiable at https://www.dataprivacyframework.gov/s/participant-search.
  • Subprocessors: An overview of subprocessors is provided in the trust section of the provider's website; cloud infrastructure providers and additional sending providers are typically listed there.
  • Opt-out for recipients: Every email contains an unsubscribe link. Recipients can withdraw their consent at any time with effect for the future.
  • Settings for the website operator: It is recommended to enable the double opt-in process, to load the web-tracking/event snippet only once the visitor has given the corresponding consent (and not to fire events before), to handle profile enrichment deliberately, and to maintain recipient lists (bounce handling, inactive cleanup).
  • Role: For the processing of recipient data uploaded by the website operator, according to the publicly available information Iterable typically acts as a processor; for its own purposes (e.g. platform operation, security), Iterable may at the same time act as a controller. The exact role allocation must be examined by the website operator on a case-by-case basis.

The above information is based on the publicly available information from the provider and does not replace a case-by-case assessment.

J. Conclusion on Iterable and Recommendation

Iterable is an established cross-channel marketing platform that processes recipients' personal data – in particular email address, profile and interaction data – in its own cloud infrastructure in the USA. Consent is typically the legal basis for sending advertising emails; the legitimate interest in legal defence applies for record-keeping data. Key obligations for the website operator are concluding a DPA, robust consent documentation (in particular double opt-in) and – where a web-tracking snippet is used – control via the consent management.

It is generally not advisable for the website operator to include Iterable with its own detailed boilerplate text in the privacy policy. Such boilerplates repeat themselves across tools, make the privacy policy long, unwieldy and hard to maintain – and thus tend to run counter to the transparency requirement of Art. 12 para. 1 GDPR.

A structured, topic-oriented approach is recommended: processing activities are described across topical blocks (server operations, newsletter, tracking, sales, etc.), and only in an annex of recipients are the specific tools used – such as Iterable – listed with provider, registered office, role and a link to the privacy notice. This is exactly the methodology that the matterius generator follows.

This article provides general information on Iterable and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and on publicly accessible sources. Status: 6 May 2026.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
