GDPR Knowledge

Mautic and data protection – what to include in your privacy policy

Concise guidance on Mautic: data processed, purposes, GDPR legal bases, and what website operators must include in their privacy policy.

When a website operator uses Mautic, they typically process contacts' email addresses, profile and behavioural data for newsletter delivery, marketing automation, lead scoring and possibly website tracking on the basis of consent under Art. 6(1)(a) GDPR. This page explains what data Mautic processes, which mandatory information must therefore appear in the privacy policy, and how to present those statements in a maintainable way. The information is based on publicly available statements by the provider and the Mautic community as well as other publicly researchable sources and does not replace a case-by-case review.

A. Purpose and how Mautic works

Mautic is an open-source marketing automation platform. Website operators can run Mautic in two variants: as self-hosted software on their own or rented infrastructure (the open-source distribution by the Mautic Community) or as Mautic Cloud / hosted variants offered by commercial providers (e.g. Acquia Campaign Studio based on Mautic). The platform offers contact and list management, newsletter and mail delivery, multi-step campaigns, lead scoring, forms, landing pages and website tracking.

Operators typically integrate Mautic via sign-up forms, a JavaScript tracking script (often mtc.js) that records clicks and page views, and an API for sending lead data. This page focuses on the newsletter, automation and tracking features; further capabilities such as SMS dispatch or social monitoring are not covered in detail.

B. Mandatory information about Mautic in the privacy policy

In addition to general information about the website operator, the data subject's rights and the supervisory authority, the GDPR requires specific information for the use of tools such as Mautic. This includes the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), where processing is based on a balancing test, the specific legitimate interests pursued (Art. 13(1)(d) GDPR) as well as the recipients or categories of recipients (Art. 13(1)(e) GDPR).

Further required information includes whether data are transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data are not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR). The following sections break these down for Mautic; the deployment variant (self-hosting vs. cloud) mainly affects the recipient circle and third-country transfers.

It is not necessary to list Mautic with its own pre-formulated text block in the privacy policy. While this "one-block-per-tool" practice is widespread, it leads to long, repetitive and barely maintainable privacy policies. A topic-oriented approach is more appropriate: describe the processing operations across the board (newsletters, marketing automation, tracking) and only list concrete recipients in an appendix – this is exactly the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Mautic

Mautic is an open-source project of the Mautic Community (governed under the umbrella of Acquia Inc., among others). Who acts as the contracting party towards the website operator depends on the deployment variant:

  • Self-hosting: there is no external contracting party for the software itself. The website operator is the controller and the technically operating entity; data processing relationships may exist with the hoster and with any email delivery service (SMTP provider, transactional mail API).
  • Mautic Cloud / commercial provider: the contracting party is the respective commercial host of the Mautic cloud variant. The provider's location and any third-country transfers must be checked by the website operator and disclosed in the privacy policy.

For US-based cloud providers, DPF status should be checked at https://www.dataprivacyframework.gov/s/participant-search. The Mautic project's privacy notice is available at https://www.mautic.org/privacy-policy/; information on data processing in Mautic cloud services is provided by the respective cloud provider.

D. Data processing through Mautic – step by step

Collection: When users sign up via a Mautic form, their email address, optionally name and additional fields and sign-up metadata are recorded. With the tracking script active, Mautic captures page views and clicks.
Storage: Data are stored in the Mautic database – with self-hosting on the operator's servers, in cloud variants with the respective provider.
Use: Mautic delivers mailings, runs campaign workflows, computes lead scores and provides reports. The operator defines content, workflows and segmentation.
Disclosure: With self-hosting, to the hoster and possibly an SMTP/mail service; in cloud variants, to the cloud provider and its subprocessors.
Deletion: Following revocation of consent or unsubscription, deletion takes place via Mautic's standard routines; configurable retention for evidence is possible.

E. Data collected by Mautic

When using Mautic, sign-up typically captures the email address, optionally name, salutation and additional profile fields, the IP address and timestamps for sign-up and confirmation. During operation, opens and click data, bounces, tags, segment assignments, lead-scoring values and – where the tracking script is active – page views and conversions on the website are added.

These data fall into the following standardised data categories:

  • Web server log data: IP address, date, time, URL of the requested resource, referrer and technical metadata when retrieving tracking pixels in mails as well as during website tracking.
  • Click paths: pages of the operator's website visited where website tracking is active, plus links clicked in mailings, with date and time.
  • Device data: device type, operating system and similar information where derivable from mail retrieval or website tracking.
  • Browser information: browser name and version when clicking on mail links and during website tracking.
  • Coarse location data: city- or municipality-level location derived from the IP address.
  • User account data: contacts' email addresses and additional profile fields; Mautic backend users' login history.
  • User profiles: interests, tags, segment assignments and lead-scoring values determined by the operator.
  • Conversion events: sign-up, double opt-in confirmation, click on an action link, view of a thank-you page, form submit or purchase where website tracking is active.
  • Interaction data: email opens and clicks on buttons or links within a mailing.
  • Technical telemetry data: bounce rates, delivery times, error messages from the delivery process.

F. Purposes of using Mautic

The website operator typically uses Mautic to deliver newsletters and transactional mails, to run multi-step campaign workflows, to segment contacts by interest, to perform lead scoring and – where enabled – to measure contacts' interactions on the website.

These purposes can be classified into the following standardised categories:

  • Service provision: providing sign-up forms and landing pages; processing sign-ups; delivering confirmation and follow-up mails; running multi-step workflows; error handling.
  • Communication: addressing contacts with editorial and promotional content as well as automated responses.
  • Security and abuse prevention: protection against bot sign-ups and spam entries, verification via double opt-in.
  • General product improvement: analysing open and click rates to optimise mail content overall.
  • General marketing: assessing the effectiveness of mail and automation campaigns.
  • User profile creation: assigning tags, segmentation and computing lead scores based on recipient interaction.
  • User-individual product improvement: tailoring content to past click and open behaviour.
  • User-individual marketing: sending interest-based content, dynamic content blocks and automated follow-up sequences.
  • Legal enforcement: providing evidence of consent in case of disputes.

Mautic falls primarily into the newsletter and marketing automation categories; website tracking belongs to the marketing tracking category. Depending on the specific processing, the following legal bases may apply:

  • Art. 6(1)(a) GDPR (consent) for sending promotional mails, lead scoring, user-individual profiling and website tracking; where cookies are used, additionally Section 25(1) of the German TDDDG.
  • Art. 6(1)(f) GDPR in conjunction with Section 7(3) UWG for direct marketing of the operator's own similar goods or services to existing customers, where the statutory requirements are met. Legitimate interest: marketing.
  • Art. 6(1)(f) GDPR in conjunction with Art. 7(1), Art. 24(1) GDPR and Section 7(2) No. 2 UWG for storing sign-up metadata as evidence. Legitimate interest: legal enforcement and compliance.

Which legal basis applies in the specific case depends on the circumstances and must be assessed by the website operator.

H. Notable features and notes on Mautic

  • Self-hosting vs. cloud: with self-hosting, no external data processing relationship for the software itself exists; the website operator carries full technical and organisational responsibility. With the cloud variant, a DPA under Art. 28 GDPR with the cloud provider is generally required.
  • Opt-out: recipients can unsubscribe at any time via the unsubscribe link in every mailing. With correct configuration, Mautic adds this link automatically.
  • Double opt-in: Mautic supports double opt-in via dedicated workflows. Operators should activate this for promotional lists.
  • Website tracking: where the tracking script is embedded, consent via the consent banner is generally required. The tracking script can be deactivated in Mautic.
  • Third-country transfer: with self-hosting on EU servers, typically no third-country transfer by Mautic itself; the choice of SMTP/delivery provider is relevant. With cloud variants, transfers depend on the cloud provider.
  • Operator settings: tracking script, lead-scoring thresholds, tags, IP storage and workflow logic are configurable in detail. Privacy-friendly defaults should be set actively (e.g. anonymisation, retention periods).
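As an added illustration of the consent requirement for the tracking script noted above (this is example code written for this page, not code from the article or from the Mautic project): a loader that injects mtc.js only after the consent banner has recorded marketing consent, and never more than once. The cookie name `cookie_consent`, the category key `marketing` and the Mautic base URL are assumed placeholders; the injection mirrors the structure of Mautic's published tracking snippet.

```javascript
// Consent-gated loader for the Mautic tracking script (mtc.js).
// Assumptions (not from the article): the consent banner stores its choices
// as a JSON object in a cookie named "cookie_consent", e.g. {"marketing":true}.
// Cookie name, category key and Mautic base URL are placeholders.
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_CATEGORY = 'marketing';
const MAUTIC_BASE_URL = 'https://mautic.example.com'; // placeholder host

// Parse a document.cookie string and return the consent object, or null.
function readConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const value = JSON.parse(decodeURIComponent(rest.join('=')));
      return value && typeof value === 'object' ? value : null;
    } catch (e) {
      return null; // malformed cookie: treat as no consent given
    }
  }
  return null; // cookie absent: no consent given
}

// Tracking may only be loaded when the category is explicitly true.
function trackingAllowed(consent) {
  return consent !== null && consent[CONSENT_CATEGORY] === true;
}

// Inject mtc.js exactly once and queue the first pageview (browser only).
function loadMauticTracking(doc, win) {
  if (win.MauticTrackingObject) return false; // already loaded, do not re-inject
  win.MauticTrackingObject = 'mt';
  win.mt = win.mt || function () { (win.mt.q = win.mt.q || []).push(arguments); };
  const script = doc.createElement('script');
  script.async = true;
  script.src = MAUTIC_BASE_URL + '/mtc.js';
  doc.head.appendChild(script);
  win.mt('send', 'pageview');
  return true;
}

// Entry point: decide from the current cookie and load only with consent.
function initTracking(doc, win) {
  const consent = readConsent(doc.cookie || '');
  if (!trackingAllowed(consent)) return false;
  return loadMauticTracking(doc, win);
}

if (typeof document !== 'undefined') {
  initTracking(document, window); // runs in the browser; no-op under Node
}
```

Call initTracking again from the banner's "accept" handler so tracking starts without a reload once consent is recorded; on withdrawal the script is simply not loaded on the next page view.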

I. FAQ on Mautic and data protection

J. Conclusion and call to action for Mautic

Mautic is a flexible open-source platform for marketing automation that can be self-hosted or run as a cloud variant. When used on the website, the operator typically processes contacts' email addresses, profile and behavioural data; with the tracking script active, also website interactions. The applicable legal basis is typically consent; sign-up evidence can be based on legitimate interests. With self-hosting, no external data processing relationship for the software exists, but the operator carries full technical responsibility; with cloud variants a DPA is generally required.

It is generally not useful to include Mautic with its own text block in the privacy policy. Tool-specific blocks make the privacy policy long, confusing and hard to maintain – and conflict with the transparency principle of Art. 12(1) GDPR. A structured, topic-oriented approach is preferable: it explains newsletters and marketing automation in general terms and lists Mautic only in the recipient appendix (where the cloud variant is used) or embeds it as self-operated software.

This article provides general information on Mautic and does not replace legal advice in the specific case. The presentation is based on publicly available statements by the provider and the Mautic community as well as other publicly researchable sources. Last updated: 2026-05-07.


K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
