Klaviyo and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Klaviyo: data processed, purposes, legal bases (GDPR), and what website operators must include in their privacy policy.
When a website operator uses Klaviyo, it typically processes recipients' email addresses, salutations, names, sign-up data and interaction data relating to emails and website visits in order to send newsletters and transactional messages, segment recipient groups and measure campaign performance. These activities typically rely on the recipient's consent under Art. 6(1)(a) GDPR, supplemented, for proof-of-consent records, by legitimate interests in the enforcement of legal claims. The following article summarises what Klaviyo does according to the publicly available information from the provider and which mandatory disclosures must appear in the website's privacy policy.
A. Klaviyo: Purpose and Functionality
Klaviyo is a cloud platform for email and SMS marketing, marketing automation and cross-channel customer communication. Website operators – particularly in e-commerce – use Klaviyo primarily to send newsletters, run automated email flows (e.g. welcome series, abandoned-cart reminders), segment recipient lists, enrich profiles based on behavioural data and analyse delivery success.
The platform offers further functionality, such as SMS marketing, mobile push, reviews or an integrated customer-data hub with profile and segmentation logic. This page focuses on the integration scenario most relevant to website operators: embedding a Klaviyo newsletter sign-up form on the website and sending emails via Klaviyo, optionally combined with the Klaviyo web-tracking snippet that links website behaviour to recipient profiles. Other features (in particular SMS, push or reviews modules) are not covered here and must be assessed separately by the website operator.
B. Mandatory Disclosures Regarding Klaviyo
The GDPR requires that a privacy policy – in addition to general information about the website operator, data subject rights and the supervisory authority – contains specific tool-related minimum content. With regard to Klaviyo, this includes the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), the legitimate interests pursued where applicable (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on transfers to third countries (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR), and – where data are not collected directly from the data subject – the categories of personal data processed (Art. 14(1)(d) GDPR).
These mandatory disclosures are broken down for Klaviyo below. Importantly, it is not necessary to list every individual tool such as Klaviyo with its own dedicated boilerplate text. While that practice has become widespread, it tends to result in long, redundant texts that are hard to maintain and arguably conflict with the transparency requirement in Art. 12(1) GDPR.
A sounder approach is topic-oriented: processing activities are described by topic (server operation, newsletters, tracking, sales …) and the actual service providers – including Klaviyo – are listed as recipients in an annex.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Klaviyo
According to the provider's publicly available information, the contracting party for German website operators is typically Klaviyo, Inc., 125 Summer Street, Floor 6, Boston, MA 02110, USA. Klaviyo also operates a European subsidiary, Klaviyo Ireland Limited, based in Dublin, Ireland; which entity acts as contracting party in any individual case follows from the order documentation and is to be verified by the website operator.
According to the provider's publicly available information, Klaviyo, Inc. is certified under the EU-US Data Privacy Framework (DPF), the UK extension and the Swiss-US DPF; the status can be verified at https://www.dataprivacyframework.gov/s/participant-search. For data transfers outside the scope of the DPF, the provider relies on the EU Standard Contractual Clauses.
Klaviyo's privacy notice is available at https://www.klaviyo.com/legal/privacy/privacy-notice. The data processing agreement is provided at https://www.klaviyo.com/legal/data-processing-agreement, the list of subprocessors at https://www.klaviyo.com/legal/subprocessors.
E. Data Collected by Klaviyo
When using Klaviyo, the following are typically processed: email address, salutation, name, additional sign-up form fields, IP address and timestamp at the time of sign-up, double opt-in confirmation, and opens and link clicks in sent emails. If the Klaviyo web-tracking snippet is embedded, click paths on the website, device information, browser information, coarse location data and conversion events (e.g. purchases, sign-ups) can additionally be recorded and assigned to the profile.
These data fall into the following standardised data-type classes:
- Web server log data: data the web server receives with each request, e.g. IP address, date, time, URL of the requested resource, referrer, browser, operating system and device information as well as additional technical metadata.
- Click paths: visited pages, clicked links and buttons with date and time, e.g. links opened, buttons clicked and forms accessed.
- Device data: information about the device used, e.g. device type, operating system, screen resolution.
- Browser information: browser name, version and any installed extensions.
- Coarse location data: location at city or municipality level derived from the IP address.
- User profiles: interests, preferences, segment assignments and usage history determined by the website operator about a recipient.
- Conversion events: user interactions defined by the website operator as relevant, e.g. newsletter sign-up, product purchase, visit to a thank-you page or guide download.
- Interaction data: behaviour within emails (e.g. opens, link clicks) and – when web tracking is enabled – within the website.
Sensitive data within the meaning of Art. 9 GDPR are typically not collected during standard use.
F. Purposes When Using Klaviyo
The website operator typically uses Klaviyo to send newsletters and transactional emails, maintain and segment recipient lists, trigger automated email flows, measure the success of campaigns and – where consent has been given – tailor content and advertising to recipients' interests and behaviour.
These purposes fall into the following standardised categories:
- Provision of functionality: providing the newsletter and email functionality, including sign-up forms, double opt-in confirmation, dispatch triggering as well as error detection and handling.
- Security and abuse prevention: detecting and preventing unauthorised sign-ups, spam and bot defence, authentication of recipients during double opt-in.
- General product improvement: aggregate analysis of dispatch statistics (open rates, click rates, reach) to optimise content and timing across all recipients.
- General marketing: campaign-success measurement, reach analysis and channel evaluation for email overall.
- User profile creation: assignment to segments and derivation of interests and preferences per recipient based on profile and interaction data.
- User-individual product improvement: tailoring content and recommendations to individual recipients' interests.
- User-individual marketing: personalised direct marketing via email aligned with individual recipients' interests and behaviour.
- Enforcement of legal claims: proof of sign-up and consent (in particular double opt-in records).
- Communication: handling of enquiries received via emails or sign-up forms.
G. Legal Bases for Klaviyo
Klaviyo can primarily be assigned to the newsletter and email marketing category; with the web-tracking snippet enabled, the tracking (statistics or marketing) category applies in addition.
Legal bases that typically come into consideration:
- For sending newsletters and promotional emails: the recipient's consent under Art. 6(1)(a) GDPR in conjunction with § 7(2) No. 3 UWG.
- For storing sign-up and double opt-in records as proof: legitimate interests in enforcement of legal claims and compliance under Art. 6(1)(f) GDPR in conjunction with Art. 7(1) GDPR.
- For transactional emails based on a contract (e.g. order confirmations): as a rule, performance of a contract under Art. 6(1)(b) GDPR.
- For Klaviyo web tracking and the enrichment of profiles with behavioural data: as a rule, consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG, since information is stored on or read from end devices.
- For direct marketing to existing customers for the operator's own similar goods or services: additionally legitimate interests in advertising under Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG.
The applicable legal basis depends on the specific case and is to be assessed by the website operator, in particular depending on the configuration (with or without web tracking, double opt-in, transactional vs. promotional).
H. Klaviyo: Specific Notes
- DPA: Klaviyo provides a data processing agreement at https://www.klaviyo.com/legal/data-processing-agreement. Concluding it is, as a rule, required where personal data are processed.
- Third-country transfers / DPF: According to the publicly available information, Klaviyo, Inc. is certified under the EU-US Data Privacy Framework. For transfers not covered by the DPF, the provider relies on EU Standard Contractual Clauses. Status verifiable at https://www.dataprivacyframework.gov/s/participant-search.
- Subprocessors: Klaviyo maintains a current subprocessor list at https://www.klaviyo.com/legal/subprocessors. It typically lists cloud infrastructure providers (in particular AWS) and further dispatch and tooling providers.
- Opt-out for recipients: Every email contains an unsubscribe link. Recipients can withdraw their consent at any time with effect for the future.
- Configuration for the website operator: It is advisable to enable the double opt-in procedure, carefully configure the web-tracking snippet depending on consent status, handle profile enrichment deliberately and maintain recipient lists (bounce handling, cleaning of inactive contacts).
- Role: According to the publicly available information, Klaviyo generally acts as a processor with respect to the recipient data uploaded by the website operator; for its own purposes (e.g. platform operation, security) Klaviyo may simultaneously act as an independent controller. The exact role allocation is to be assessed by the website operator on a case-by-case basis.
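As an added illustration of the consent-dependent snippet configuration recommended in the notes above (example code, not Klaviyo's own snippet or API): the tracking script is injected only once the visitor's consent state includes the marketing purpose, while sign-up forms and dispatch keep working without it. The snippet URL, the shape of the consent object and the consentChanged event name are assumptions.

```javascript
// Added example, not Klaviyo's code: inject the web-tracking snippet only after
// the visitor has consented to marketing/tracking (§ 25(1) TDDDG, Art. 6(1)(a) GDPR).
// Newsletter sign-up and dispatch do not depend on the snippet, so it can stay off.
const TRACKING_SNIPPET_URL = "https://example.invalid/tracking-snippet.js"; // placeholder (assumed)
const SNIPPET_ELEMENT_ID = "web-tracking-snippet";

// Consent state as a consent manager might expose it (assumed shape):
// { purposes: { necessary: true, statistics: false, marketing: false } }
function trackingAllowed(consent) {
  if (!consent || typeof consent !== "object") return false; // no decision yet: no tracking
  const purposes = consent.purposes || {};
  return purposes.marketing === true; // only an explicit opt-in counts
}

// Inject the snippet at most once and only when allowed. Returns true when injected.
// `doc` is passed in so the logic can be exercised outside a browser.
function loadTrackingIfAllowed(consent, doc) {
  if (!trackingAllowed(consent)) return false;
  if (doc.getElementById(SNIPPET_ELEMENT_ID)) return false; // already loaded
  const script = doc.createElement("script");
  script.id = SNIPPET_ELEMENT_ID;
  script.async = true;
  script.src = TRACKING_SNIPPET_URL;
  doc.head.appendChild(script);
  return true;
}

// Minimal constructed stand-in for `document`, enough to run the logic without a browser.
function makeFakeDocument() {
  const injected = [];
  return {
    injected,
    head: { appendChild: (node) => injected.push(node) },
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    getElementById: (id) => injected.find((node) => node.id === id) || null,
  };
}

// Browser wiring: react to the consent manager's change event (event name assumed).
// A snippet that is already running cannot be unloaded by withdrawing consent later,
// so a withdrawal takes effect for the snippet only from the next page load onwards.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("consentChanged", (ev) => loadTrackingIfAllowed(ev.detail, document));
}
```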
The above is based on the provider's publicly available information and does not replace a case-by-case assessment.
J. Conclusion on Klaviyo and Recommendation
Klaviyo is an established platform for email and SMS marketing that processes recipients' personal data – in particular email addresses, profile and interaction data – on its own cloud infrastructure in the USA. For sending promotional emails, consent typically comes into consideration as the legal basis; for proof-of-consent records, additionally legitimate interests in enforcement of legal claims. Core obligations of the website operator are concluding a DPA, sound consent documentation (in particular double opt-in) and – where the web-tracking snippet is used – integration with the consent management.
It is usually not very useful to include Klaviyo with a dedicated boilerplate text in the privacy policy. Such boilerplates repeat across tools, make the policy long, hard to read and difficult to maintain – and are arguably at odds with the transparency requirement in Art. 12(1) GDPR.
A structured, topic-oriented approach is preferable: processing activities are explained across topic blocks (server operation, newsletter, tracking, sales …), and only in an annex of recipients are the actual tools – such as Klaviyo – listed with provider, location, role and link to the privacy notice. This is precisely the methodology the matterius generator follows.
This article provides general information on Klaviyo and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and on publicly accessible sources. As of: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com