Mailjet and Data Protection – What Belongs in the Privacy Policy
Concise guide to Mailjet: data processed, purposes, legal bases (GDPR), and what website operators must include in their privacy policy.
If a website operator uses Mailjet, they typically process email addresses, salutation and name details, plus sign-up and dispatch data for the purpose of sending newsletters and email marketing on the basis of recipient consent. This article summarises which data processing is typically associated with Mailjet and what should be included in a website's privacy notice.
A. Mailjet – Purpose and Functionality
Mailjet is an email service provider based in France, part of the Sinch group, aimed at website operators, online shops and SaaS providers. Website operators use Mailjet to manage recipient lists (so-called contact lists), to send newsletters, campaigns and marketing automation flows, and to dispatch transactional email via the send API or SMTP interface.
Functionally, Mailjet bundles several building blocks: sign-up forms (subscription widgets or embed forms), list and segment management, campaign editor, automation, reporting (open and click tracking), transactional email and additional features such as inbox preview or SMS. The focus of this page is the integration feature that a German website operator typically uses: a newsletter sign-up form on the website and dispatch of email campaigns through Mailjet. The pure SMTP/API dispatch of transactional emails (e.g. confirmation emails from a shop) is covered on a separate page.
According to publicly available information, the provider is Mailjet SAS (now Sinch Email), based in France. Processing therefore primarily takes place in the EU/EEA; depending on the configuration and sub-processors involved, data flows to third countries may be added.
B. Mailjet – Mandatory Information in the Privacy Policy
The GDPR requires the privacy policy to contain not only general information about the website operator, the rights of the data subject and the supervisory authority, but also – with regard to the use of specific tools such as Mailjet – a series of specific mandatory items. They serve the transparency principle of Art. 12(1) GDPR and allow data subjects to understand the processing.
In particular, the following items must be included:
- the purposes of the processing (Art. 13(1)(c) GDPR),
- the legal bases of the processing (Art. 13(1)(c) GDPR),
- where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
- whether the data is transferred to an unsafe third country outside the EU/EEA, and on what basis (Art. 13(1)(f) GDPR),
- the storage period or – if not possible – the criteria for determining the storage period (Art. 13(2)(a) GDPR),
- and – where the data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).
These mandatory items are broken down for Mailjet below.
In practice, it has become common to give every individual tool its own template clause in the privacy policy. This "template-per-tool" practice has proven to be poor style: it leads to long, lawyer-drafted texts that repeat each other in substance, making the entire privacy policy hard to maintain and barely readable for users. A topic-oriented approach is more appropriate: it describes processing operations across themes (server operation, newsletter, tracking, sales …) and merely names specific service providers – such as Mailjet – in a recipients list in the appendix. This is exactly the methodology used by the matterius privacy policy generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Mailjet Provider
According to publicly available information, the contractual partner for Mailjet is Mailjet SAS (operating as Sinch Email), based at 4 rue Jules Lefebvre, 75009 Paris, France.
Since the provider is based in France (EU), processing primarily takes place in the EEA. Mailjet may, however, use sub-processors in third countries (e.g. for technical infrastructure or anti-spam filtering); to that extent, Standard Contractual Clauses (SCC) apply or – where the USA is involved – the DPF, where the relevant sub-processor is certified (to be verified by the website operator).
Mailjet's privacy notice is available at https://www.mailjet.com/security-privacy/. The provider offers its data processing agreement (DPA) at https://www.mailjet.com/legal/dpa/.
D. Mailjet – Data Processing Step by Step
- Collection: When a user submits the Mailjet sign-up form embedded in the website or is added as a contact via API integration, the entries (typically email address, optionally name, salutation, fields of interest), the IP address and a timestamp are transmitted to Mailjet.
- Storage: Data is stored in the Mailjet infrastructure, primarily in the EU according to provider information.
- Use: Mailjet dispatches the newsletters on behalf of the website operator and – where activated – measures open and click events. Bounces, spam complaints and unsubscribes are documented.
- Disclosure: Disclosure occurs to sub-processors (in particular hosting, anti-spam, reputation services). The provider publishes a list via the DPA or the trust centre.
- Deletion: The website operator can remove recipients from lists or delete entire lists at any time. Storage limitation must be configured via list and retention settings.
E. Which Data Does Mailjet Process?
When sending newsletters via Mailjet, the following personal data is typically processed: email address, salutation, first and last name, optionally further fields collected by the website (e.g. language, industry, interests), the IP address at the time of sign-up, timestamps of the sign-up and the confirmation in the double opt-in process, send time of the individual emails, delivery status, open and click events, and unsubscribes.
This data falls into the following standardised data categories:
- Web server log data: in particular the IP address and technical metadata when calling the sign-up form and when retrieving embedded tracking pixels and click links in sent emails.
- Click paths: clicks on links in the emails sent by Mailjet, each with date and time.
- Device data: information about the device opening the email, e.g. device type and operating system.
- Browser information: browser or email client used to open the email.
- Coarse location data: coarse location of the recipient at city or municipal level, derived from the IP address.
- User account data: data identifying the recipient in the list, in particular the email address as the key identifier.
- User profiles: interests, segment assignments and derived metrics (e.g. engagement score) determined by the website operator for a recipient.
- Conversion events: where tracking is enabled, e.g. clicks on a call-to-action or visits to specific pages following a click in a newsletter.
- Interaction data: opening an email, clicks on individual links or buttons.
- Technical telemetry data: technical send and delivery metadata, bounce codes, loading times of tracking pixels.
F. Mailjet – Purposes of Use
The website operator typically uses Mailjet to inform subscribed recipients about its own content, products and offers, to document sign-up and consent in the double opt-in process, to ensure delivery quality and – where tracking is enabled – to measure the effectiveness of campaigns.
The purposes can be classified into the following standardised purpose categories:
- Provision of functionality: providing newsletter and email functionality, including sign-up form, double opt-in, dispatch of the requested emails as well as error detection and correction in the dispatch process.
- Security and abuse prevention: spam and bot prevention on the sign-up form, detection and prevention of list abuse (e.g. third-party sign-ups), reputation protection during dispatch.
- General product improvement: aggregated evaluation of open and click rates to improve newsletter content and frequency in line with demand.
- General marketing: success measurement of campaigns, reach analysis and overall assessment of the email channel.
- User profile creation: assignment to segments or target groups based on interests, click and open behaviour.
- User-individual marketing: tailoring newsletter content to the individual interests and behaviour of the recipient (segmentation, automation).
- Legal enforcement: assertion, exercise or defence of legal claims, in particular proof of recipient consent (sign-up IP, timestamp, double opt-in) vis-à-vis supervisory authorities, competitors or courts.
- Compliance: compliance with statutory requirements regarding consent records and advertising emails (Art. 7 GDPR, Sec. 7 UWG).
G. Legal Bases for Mailjet
For the use case covered here, Mailjet falls primarily into the tool category newsletter / email marketing.
The following legal bases typically come into consideration:
- Recipient consent (Art. 6(1)(a) GDPR in conjunction with Sec. 7(2) No. 3 UWG) for the dispatch of newsletters and – where activated – for open and click tracking.
- Legitimate interests (Art. 6(1)(f) GDPR) in legal enforcement and compliance for storing sign-up metadata (IP, timestamp, double opt-in confirmation) as proof of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
- Legitimate interests in advertising within the scope of Sec. 7(3) UWG for direct advertising to existing customers for own similar goods or services, where the conditions are met.
Where open and click tracking is enabled, an explicit tracking consent of the recipient is typically required; if information is stored on or read from the device, Sec. 25(1) TDDDG must additionally be considered. The legal basis is to be assessed by the website operator on a case-by-case basis.
H. Mailjet – Special Notes
- Data Processing Agreement (DPA): The provider offers a DPA (https://www.mailjet.com/legal/dpa/); concluding it is regularly mandatory, as Mailjet processes data on behalf of the website operator.
- Place of business and third-country transfer: Mailjet (Sinch Email) is based in France; processing primarily takes place in the EEA. A third-country dimension may arise via sub-processors; SCC apply, or – where the USA is involved and the relevant entity is certified – the DPF (to be verified by the website operator).
- Sub-processors: Mailjet uses sub-processors; an up-to-date list is available via the DPA or the provider's trust centre.
- Double opt-in: Mailjet offers double opt-in via subscription widgets and API; the website operator should activate this setting in the relevant list and adapt the confirmation email accordingly.
- Consent record: Sign-up IP, timestamp and double opt-in confirmation should be retained permanently in order to provide evidence of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
- Open and click tracking: These features can be enabled in Mailjet; they should only be used if tracking consent is obtained cleanly and described in the privacy policy.
- Opt-out: Every newsletter must contain a working unsubscribe link under Sec. 7(2) No. 4 UWG; Mailjet provides placeholders and tokens for this purpose.
- List hygiene: Inactive addresses and addresses that no longer exist should be removed regularly; storage should be aligned with the consent given.
The above presentation is based on publicly available provider information and supplementary publicly accessible sources. A case-by-case assessment by the website operator remains necessary.
I. Mailjet – FAQ
J. Mailjet – Conclusion and Call-to-Action
Mailjet is an EU-based provider for newsletter dispatch, marketing automation and transactional email. From a data protection perspective, particularly relevant topics are recipient consent, consent records via the double opt-in process, optional open and click tracking, and a possible third-country dimension via sub-processors. The DPA and privacy policy must cover the essential mandatory items (purposes, legal bases, recipient categories, storage period, third country).
For the website operator, it is usually not particularly useful to include a separate template clause for every individual tool – including Mailjet – in the privacy policy. This makes the policy long, unclear, hard to understand and difficult to maintain – contrary to the transparency principle of Art. 12(1) GDPR.
A structured, topic-oriented approach is more appropriate: data processing operations are explained across topic blocks (server operation, newsletter, tracking, sales …); specific service providers such as Mailjet are simply listed in the recipients appendix. This is exactly the methodology of the matterius privacy policy generator.
This article provides general information on Mailjet and does not replace legal advice in individual cases. As of: 2026-05-07.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com