Rapidmail and data protection – what to include in your privacy policy

Concise guidance on Rapidmail: data processed, purposes, GDPR legal bases, and what website operators must include in their privacy policy.

When a website operator uses Rapidmail, they typically process email addresses, salutation, name, sign-up metadata as well as open and click data for the purpose of newsletter delivery and performance measurement, on the basis of the recipient's consent under Art. 6(1)(a) GDPR. This page explains what data Rapidmail processes, which mandatory information must therefore appear in the privacy policy of the website, and how to present those statements in a maintainable way. The information is based on the provider's publicly available statements and other publicly researchable sources and does not replace a case-by-case review.

A. Purpose and how Rapidmail works

Rapidmail is a Germany-based email marketing service for the compliant delivery of newsletters, mailings and transactional emails. The service offers list management, an HTML mailing editor, a double opt-in process for sign-ups and reporting on delivery success (opens, clicks, bounces).

Website operators typically integrate Rapidmail via a sign-up form on the website – either as a JavaScript widget, an iFrame, or a custom form posting to the Rapidmail API. This page focuses on this integration: newsletter sign-up via the website and the subsequent delivery. Other features such as A/B testing, automations or transactional emails are not covered in detail here.

B. Mandatory information about Rapidmail in the privacy policy

In addition to general information about the website operator, the data subject's rights and the supervisory authority, the GDPR requires specific information for the use of tools such as Rapidmail. This includes the purposes of processing (Art. 13(1)(c) GDPR); the legal bases (Art. 13(1)(c) GDPR); where processing is based on a balancing test, the specific legitimate interests pursued (Art. 13(1)(d) GDPR); and the recipients or categories of recipients (Art. 13(1)(e) GDPR).

Further required information includes whether data are transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data are not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR). The following sections break these requirements down for Rapidmail.

It is not necessary to list Rapidmail with its own pre-formulated text block in the privacy policy. While this "one-block-per-tool" practice is widespread, it leads to long, repetitive and barely maintainable privacy policies. A topic-oriented approach is more appropriate: describe the processing operations across the board (server operations, newsletters, tracking, sales) and only list the concrete recipients in an appendix – this is exactly the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Rapidmail

According to the provider's publicly available information, the contracting party for website operators in Germany is

  • rapidmail GmbH
  • Augustinerplatz 2, 79098 Freiburg im Breisgau
  • Germany

Because the provider is based in Germany, a third-country transfer by the main service itself can typically be ruled out. Whether subprocessors are involved must be assessed by the website operator on a case-by-case basis. The provider's privacy notice is available at https://www.rapidmail.de/datenschutz.

D. Data processing through Rapidmail – step by step

  • Collection: When users sign up via the newsletter form, their email address, optionally salutation and name, the timestamp and the IP address are recorded. Outgoing mailings include recipient-specific tracking pixels and links.
  • Storage: The data are stored on the provider's servers in Germany. Storage duration depends on the validity of the consent and on documentation periods.
  • Use: The provider technically delivers the mailings. The website operator analyses open and click rates and adjusts content.
  • Disclosure: Disclosure occurs only to the provider's subprocessors (e.g. hosters) under data processing agreements.
  • Deletion: Following revocation of consent or unsubscription, deletion takes place; sign-up evidence may be retained longer based on legitimate interests.

E. Data collected by Rapidmail

When using Rapidmail, sign-up typically captures the email address, optionally salutation and name, the IP address at sign-up time and the timestamp of the double opt-in confirmation. During and after delivery, opens and click data, bounce information and recipient-specific identifiers for links and tracking pixels are added.

These data fall into the following standardised data categories:

  • Web server log data: data the server receives with each request, in particular the IP address, date, time, the URL of the requested resource, browser and operating system information and other technical metadata.
  • Click paths: links clicked in mailings together with date and time information.
  • Device data: information about the recipient's device, such as device type and operating system, where derivable from the mail retrieval.
  • Browser information: browser data submitted on link clicks, such as browser name and version.
  • Coarse location data: city- or municipality-level location derived from the IP address.
  • User account data: email address, salutation, name and any further recipient profile information; also the website operator's login history within the Rapidmail customer account.
  • Conversion events: successful sign-up, double opt-in confirmation, click on an action link in a mailing.
  • Interaction data: email opens and clicks on buttons or links within a mailing.
  • Technical telemetry data: bounce rates, delivery times, error messages from the delivery process.

F. Purposes of using Rapidmail

The website operator typically uses Rapidmail to deliver newsletters and mailings in a compliant manner, to secure sign-ups via double opt-in, to measure delivery success and to maintain communication with existing customers and prospects.

These purposes can be classified into the following standardised categories:

  • Service provision: providing the sign-up form, processing the registration, sending the confirmation email and the actual newsletter mailings, error detection and error handling in the delivery process.
  • Communication: directly addressing recipients with editorial and promotional newsletter content.
  • Security and abuse prevention: protection against bot sign-ups and spam entries, verification of recipients via double opt-in.
  • General product improvement: analysing open and click rates to optimise newsletter content and timing in general.
  • General marketing: assessing the effectiveness of newsletters as a communication channel.
  • User profile creation: where recipient-level tracking is enabled, attributing opens and clicks to individual recipients and deriving interests.
  • User-individual marketing: where recipient-level tracking is enabled, sending content tailored to past click behaviour.
  • Legal enforcement: providing evidence of consent in case of disputes such as complaints or warnings.

G. Legal bases for Rapidmail

Rapidmail falls primarily into the newsletter category. Depending on the specific processing, the following legal bases may apply:

  • Art. 6(1)(a) GDPR (consent) for sending the newsletter; in addition for recipient-level open and click tracking, where recipients were informed about it at sign-up.
  • Art. 6(1)(f) GDPR in conjunction with Section 7(3) of the German Act Against Unfair Competition (UWG) for direct marketing of the operator's own similar goods or services to existing customers, where the statutory requirements are met. Legitimate interest: marketing.
  • Art. 6(1)(f) GDPR in conjunction with Art. 7(1), Art. 24(1) GDPR and Section 7(2) No. 2 UWG for storing sign-up metadata as evidence. Legitimate interest: legal enforcement and compliance.

Which legal basis applies in the specific case depends on the circumstances and must be assessed by the website operator.

H. Notable features and notes on Rapidmail

  • Opt-out: recipients can unsubscribe at any time via the unsubscribe link included in every mailing. Rapidmail integrates this link by default.
  • Double opt-in: according to the provider, Rapidmail supports double opt-in as the default procedure. Operators should keep this setting active.
  • DPA: because Rapidmail processes recipient data on behalf of the website operator, a data processing agreement under Art. 28 GDPR is typically required. The provider offers such an agreement.
  • Third-country transfer: according to the provider, the data are hosted in Germany. The current subprocessor list is available from the provider.
  • Operator settings: delivery statistics, recipient-level tracking and integrations into ordering processes are configurable in the Rapidmail customer account.

J. Conclusion and call to action for Rapidmail

Rapidmail is an established German email marketing provider. When used on the website, the operator typically processes recipient email addresses, sign-up metadata and interaction data. The applicable legal basis is typically recipient consent; sign-up evidence can be based on legitimate interests. A data processing agreement is typically required.

It is generally not useful to include Rapidmail with its own text block in the privacy policy. Tool-specific blocks make the privacy policy long, confusing and hard to maintain – and conflict with the transparency principle of Art. 12(1) GDPR. A structured, topic-oriented approach is preferable: it explains newsletter delivery in general terms and lists Rapidmail only in the recipient appendix.

This article provides general information on Rapidmail and does not replace legal advice in the specific case. The presentation is based on publicly available statements by the provider and publicly researchable sources. Last updated: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been recognised by Handelsblatt continuously from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
