Pipedrive LeadBooster and Privacy – What Belongs in Your Privacy Policy
Concise guide to Pipedrive LeadBooster (Web Forms, Chatbot, Live Chat): processed data, purposes, legal bases under the GDPR, and what website operators must include in their privacy policy.
If a website operator embeds Pipedrive LeadBooster (Chatbot, Web Forms, Live Chat) on their website, they will – according to the publicly available information from the provider – process in particular web server log data, click paths, device and browser information, coarse location data, and the content entered by visitors into forms or chats – primarily for lead capture, pre-contractual communication, and customer dialogue. This article describes the data processing typically associated with embedding Pipedrive LeadBooster on a website and the mandatory information that belongs in the privacy policy.
A. Purpose and How Pipedrive LeadBooster Works
Pipedrive is a cloud-based CRM (Customer Relationship Management) system for sales and lead processes. LeadBooster is a paid add-on to the Pipedrive CRM that bundles four lead generation building blocks: a Chatbot with predefined dialogues, Live Chat with human agents, Web Forms for lead capture, and Prospector for external contact research.
What matters for website operators is the embedding of three of these building blocks: Chatbot, Live Chat, and Web Forms are integrated into the operator's own website via a JavaScript snippet (leadbooster-chat.pipedrive.com) or an embed code. The visitor's browser establishes a direct connection to Pipedrive's servers. Inputs (form fields, chat messages) and technical metadata flow directly to Pipedrive and are assigned there to the website operator's CRM account.
This page focuses on the embedded functions named above (Chatbot, Live Chat, Web Forms). Internal use of the Pipedrive CRM (data maintenance, pipeline management, reporting by the website operator's staff) is not the subject of this page, nor is the Prospector service, which operates outside the visitor-facing website.
B. Mandatory Privacy Policy Disclosures
The GDPR requires the following specific disclosures in a privacy policy in connection with tools such as Pipedrive LeadBooster – in addition to general information about the controller, data subject rights, and the supervisory authority:
- the purposes of processing (Art. 13(1)(c) GDPR),
- the legal bases for processing (Art. 13(1)(c) GDPR),
- if relying on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients (Art. 13(1)(e) GDPR),
- whether data is transferred to an insecure third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
- the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
- where data is not collected directly from the data subject, additionally the categories of data processed (Art. 14(1)(d) GDPR).
These mandatory disclosures are broken down for Pipedrive LeadBooster below.
It is not necessary to list every single tool – including Pipedrive LeadBooster – with its own boilerplate text in the privacy policy. While this "boilerplate-per-tool" approach is widely practised, it leads to long, repetitive texts that are hard to maintain and that tend to undermine, rather than fulfil, the transparency principle in Art. 12(1) GDPR. A more appropriate approach is topic-oriented: processing activities are described holistically (chat, lead forms, CRM, tracking), and the specific service providers actually used – including Pipedrive – are listed in an Appendix: Recipients. The matterius generator follows exactly this methodology.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Pipedrive LeadBooster
According to the provider's information, the contracting party for customers established in the EU/EEA is Pipedrive OÜ, an Estonian limited company (Osaühing) based in Tallinn, Estonia. The exact address should be verified by the website operator in the relevant contract or in Pipedrive's Terms (Section 14.1); public sources cite Mustamäe tee 3a, 10615 Tallinn (registered address) and Paldiski mnt 80, 10617 Tallinn (European headquarters).
The corporate parent is Pipedrive Inc. based in New York, USA. According to the provider, Pipedrive Inc. is certified under the EU-US Data Privacy Framework (DPF); the status should be verified via the DPF list (dataprivacyframework.gov). As Pipedrive Inc. is named in the DPA as a "Recipient of Personal Data in the United States", a third-country transfer to the USA can regularly arise – even where the contractual relationship is with the EU subsidiary.
Sources:
- Pipedrive Privacy Notice: pipedrive.com/en/privacy
- Pipedrive Data Processing Addendum: pipedrive.com/en/privacy/dpa
- Pipedrive Sub-Processors: pipedrive.com/en/subprocessors
- LeadBooster Cookies Knowledge Base: support.pipedrive.com/en/article/leadbooster-cookies
- Pipedrive & GDPR: support.pipedrive.com/en/article/pipedrive-and-gdpr
D. Data Processing in Pipedrive LeadBooster – Step by Step
leadbooster-chat.pipedrive.com. According to the provider, Pipedrive sets the Cloudflare cookie __cf_bm (bot protection, lifetime approx. 1 hour). For Web Forms with the spam-protection option enabled, Google reCAPTCHA is also embedded with the cookie _GRECAPTCHA (approx. 179 days). Data collected includes IP address, user agent, the URL accessed, interaction type (viewed / interacted), the form or chatbot ID, and the content entered by the visitor.
E. Data Collected by Pipedrive LeadBooster
When the embedded LeadBooster functions are used, the following are typically processed according to the provider: the visitor's IP address, user agent (browser and operating system), the URL of the page on which the widget is loaded, date and time of access, the chatbot or web form ID, the type of interaction (view, interaction, submit), and the content entered by the visitor in the form or chat (e.g. name, email, phone number, request text, possibly file uploads). In addition, cookies such as __cf_bm (Cloudflare) and – with spam protection enabled – _GRECAPTCHA (Google) are set.
These data fall into the following standardised data category classes:
- Web server log data: in particular IP address, date/time, requested URL, referrer, transferred data volume, and status code of the connection to the Pipedrive server.
- Click paths: pages visited that include the LeadBooster widget, clicks on chatbot buttons, and the opening and submission of forms, each with timestamp.
- Device data: device type, operating system, possibly screen resolution, touch support.
- Browser information: browser name and version (user agent).
- Coarse location data: approximate visitor location derived from the IP address.
- User content: content entered by the visitor in chat or web form, e.g. name, email address, phone number, message text, choices in chatbot dialogues, uploaded files.
- Conversion events: relevant interactions such as form completion, chat opening, lead submission.
- Cookies: __cf_bm (Cloudflare bot protection) and, with spam protection, _GRECAPTCHA (Google reCAPTCHA).
F. Purposes for the Website Operator
In typical practice, the website operator uses Pipedrive LeadBooster to engage visitors in direct dialogue, capture qualified leads, and transfer them seamlessly into the Pipedrive CRM. The focus is on pre-contractual communication, customer dialogue, and sales process efficiency; certain data items also serve security and abuse prevention (in particular bot protection).
The purposes can be classified into the following standardised purpose classes:
- Provision of functionality: providing the chat and form functionality, displaying the widget, adapting it to the device, error detection.
- Performance of contract: initiating and carrying out the contractual relationship requested between the website operator and the visitor (lead handling, quoting, advice).
- Security and abuse prevention: bot and spam defence (__cf_bm, possibly reCAPTCHA), detection of abusive inputs.
- General product improvement: analysis of anonymous view and interaction statistics to improve lead funnels and forms.
- General marketing: reach and effectiveness analysis of lead campaigns at aggregate level.
- Communication: handling enquiries, customer service, support.
- Legal enforcement: documenting enquiries and asserting or defending claims.
G. Legal Bases for Pipedrive LeadBooster
In its website embedding, Pipedrive LeadBooster falls primarily into the tool categories third-party content / chat / lead capture (CRM integration).
The following legal bases typically come into consideration:
- Consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG for loading the widget as third-party content and for non-essential cookies. Pipedrive expressly states that Chatbot and Web Forms do not evaluate CMP signals; the website operator is therefore responsible for blocking the loading of the scripts until consent is given.
- Pre-contractual measures / performance of contract under Art. 6(1)(b) GDPR for processing the content entered by the visitor in the form or chat, where this serves the initiation or performance of a contract between visitor and operator (e.g. consultation request, quote request).
- Legitimate interests under Art. 6(1)(f) GDPR in advertising (lead capture, especially in B2B contexts), efficiency (centralised, automated lead process), communication (direct channel to prospects), security and abuse prevention (bot defence), and legal enforcement (record of enquiries).
Which legal basis applies in the specific case depends on the configuration of the embedding (with/without consent banner, spam protection active, tracking components), the context (B2B / B2C), and the purpose of the specific collection, and must be assessed by the website operator on a case-by-case basis.
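The script blocking described above for Chatbot and Web Forms, as an added example that is not Pipedrive's or matterius's code: a consent gate that injects the widget script only after the visitor agrees and removes the tag on withdrawal. The helper names, the injected `doc` object and the path in `WIDGET_SRC` are assumptions; only the host name comes from this page.

```javascript
// Added example: consent-gated loading of a third-party widget script.
// The path is a placeholder; only the host name appears in the article.
const WIDGET_SRC = 'https://leadbooster-chat.pipedrive.com/PLACEHOLDER-loader.js';

// createConsentGate is a hypothetical helper. `doc` is injected so the logic
// can run outside a browser; on a real page pass the global `document`.
function createConsentGate(doc, src) {
  let script = null;
  return {
    // Call from the consent banner's callback with the visitor's decision.
    update(consentGiven) {
      if (consentGiven && !script) {
        // First consent signal: only now does the browser contact the host.
        script = doc.createElement('script');
        script.src = src;
        script.async = true;
        doc.head.appendChild(script);
      } else if (!consentGiven && script) {
        // Withdrawal: drop the tag so it is not re-evaluated. Code that has
        // already run and cookies already set are not undone by this.
        doc.head.removeChild(script);
        script = null;
      }
      return script !== null;
    },
  };
}

// Constructed stand-in for `document` that records injected script elements.
function fakeDocument() {
  const children = [];
  return {
    head: {
      children,
      appendChild(el) { children.push(el); return el; },
      removeChild(el) { children.splice(children.indexOf(el), 1); return el; },
    },
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
  };
}

function demo() {
  const doc = fakeDocument();
  const gate = createConsentGate(doc, WIDGET_SRC);
  const before = doc.head.children.length;       // no decision yet
  gate.update(true);
  gate.update(true);                             // repeated signal, still one tag
  const afterConsent = doc.head.children.map((s) => s.src);
  gate.update(false);                            // consent withdrawn
  return { before, afterConsent, afterWithdrawal: doc.head.children.length };
}
```

The gate only has an effect if the static HTML contains no widget `<script>` tag of its own, since a tag in the markup is fetched before any banner callback runs.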
H. Specifics and Notes on Pipedrive LeadBooster
- DPA: Pipedrive provides a standard DPA (pipedrive.com/en/privacy/dpa), which according to the provider takes effect automatically upon acceptance of the Terms of Service. Under the DPA, Pipedrive acts as processor for the website operator.
- Sub-processors: Full, maintained list at pipedrive.com/en/subprocessors. Key entries: Amazon Web Services (hosting EU/USA), Cloudflare (CDN/security, USA), Rackspace (support, Switzerland), MessageBird (live chat), OpenAI Ireland (AI features). The list should be reviewed regularly by the website operator for changes.
- Third-country transfer: As Pipedrive Inc. (USA) is named in the DPA as the US-side recipient, and sub-processors such as AWS and Cloudflare have US ties, third-country transfers to the USA can arise. Pipedrive cites as safeguards the EU Standard Contractual Clauses (SCCs, Module 3) and the DPF certification of Pipedrive Inc. (to be verified in the DPF register).
- Cookies & spam protection: With spam protection enabled for Web Forms, Pipedrive embeds Google reCAPTCHA (_GRECAPTCHA). This is additional third-party content and triggers a separate assessment as a third-party embedding.
- Engagement tracking: According to the provider, Pipedrive collects limited view/interaction data for feature dashboards (webformId, embedded, URL, interaction type). The provider states that personal identification is not intended; a residual probability of identification via IP address and user agent nevertheless typically remains.
- Web Visitors: If the Pipedrive Web Visitors feature (based on Dealfront technology) is also embedded, additional cookies (_lfa, _lfa_expiry, _lfa_consent) and a separate consent requirement apply. This feature is not the subject of this page.
- Settings for the website operator: enable/disable spam protection, configure custom domain, minimise data fields in Web Forms (data minimisation), include a GDPR checkbox or reference to the privacy policy in the form, set retention periods and deletion rules in the Pipedrive account.
- Note on sources: This description is based on the provider's information and publicly researchable sources (as of 2026-05-07) and does not replace a case-by-case assessment.
I. FAQ on Pipedrive LeadBooster and Privacy
J. Conclusion and Call to Action
With Chatbot, Live Chat, and Web Forms, Pipedrive LeadBooster brings powerful lead capture tools onto the website and pushes the data directly into the Pipedrive CRM. From a data protection perspective, the relevant aspects are above all: loading the widget as third-party content, setting cookies (in particular __cf_bm and possibly _GRECAPTCHA), processing the entered content for pre-contractual purposes, the involvement of sub-processors such as AWS and Cloudflare, and the potential third-country transfer to the USA via Pipedrive Inc.
All these aspects – purposes, legal bases, recipients, third-country transfer, retention period – must be presented transparently in the privacy policy. However, it is rarely sensible to add a separate boilerplate text just for Pipedrive LeadBooster. Doing so makes the privacy policy long, opaque, hard to maintain, and runs counter to the transparency principle in Art. 12(1) GDPR.
A more appropriate approach is a structured, topic-oriented one: processing activities are described holistically by topic (server operation, third-party content, chat, lead capture, CRM, tracking …), and in an Appendix: Recipients the specific service providers actually used – such as Pipedrive OÜ together with its sub-processors – are listed once. The matterius generator follows exactly this methodology.
This article serves as general information about Pipedrive LeadBooster and does not replace legal advice in individual cases. The presentation is based on publicly available information from the provider; as of 2026-05-07.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com