Salesforce Pardot and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Salesforce Pardot (Marketing Cloud Account Engagement): processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy.
If a website operator uses Salesforce Pardot, it typically processes website behaviour data, form entries and contact details from visitors and leads for the purposes of B2B lead generation, lead nurturing and marketing automation, on the basis of consent under Art. 6 para. 1 lit. a GDPR and complementary legitimate interests. This page provides website operators in Germany with a compact overview of what data Salesforce Pardot processes and which mandatory disclosures should appear in a website's privacy policy.
A. Purpose and Functionality of Salesforce Pardot
Salesforce Pardot – marketed as Marketing Cloud Account Engagement since 2022 – is a B2B marketing automation platform from the Salesforce group. The tool is used to capture, qualify and nurture business contacts (leads), to control automated email and campaign journeys, and to integrate with the Salesforce CRM.
Website operators typically embed two functions that are particularly relevant for the privacy policy: the Pardot tracking script (also known as the "Pardot Tracking Code" or "piAId/piCId code") and Pardot forms and landing pages. The tracking script sets a cookie (today commonly as a first-party cookie via a tracked subdomain) and logs visited pages, time spent and interactions. As soon as a previously anonymous visitor submits a Pardot form, the prior anonymous browsing history is linked to the lead profile created during that submission. Further functions such as email sending, Engagement Studio, lead scoring and Salesforce integration take place on the server side and are only touched on here.
B. Mandatory Disclosures in the Privacy Policy when Using Salesforce Pardot
The GDPR requires website operators to include certain mandatory disclosures in their privacy policy in addition to general information about the operator, the rights of data subjects and the supervisory authority – also with respect to specific tools such as Salesforce Pardot. These include in particular:
- the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
- the legal bases for the processing (Art. 13 para. 1 lit. c GDPR),
- where processing is based on a balancing of interests (Art. 6 para. 1 lit. f GDPR), additionally the specific legitimate interests pursued (Art. 13 para. 1 lit. d GDPR),
- the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
- whether data is transferred to an insecure third country and on what basis (Art. 13 para. 1 lit. f GDPR),
- the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
- where data is not collected directly from the data subject, additionally the categories of personal data processed (Art. 14 para. 1 lit. d GDPR).
These mandatory disclosures are broken down for Salesforce Pardot in the sections that follow.
In practice, it is not necessary to list every single tool – including Salesforce Pardot – with its own dedicated text block in the privacy policy, even though that practice has become widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, lawyer-drafted texts with repetitive content, makes the privacy policy hard to maintain and runs counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate: it describes processing across topics (tracking, newsletter, marketing automation, etc.) and lists specific service providers – including Salesforce Pardot – only in an annex of recipients. This is exactly the methodology that the matterius generator follows.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Salesforce Pardot
According to the publicly available information from the provider, the contracting party for customers in the EEA and Germany is typically the EU entity of the Salesforce group – generally SFDC Ireland Limited, Salesforce Tower, 60 North Dock, Dublin 1, D01 W2Y3, Ireland. The corporate parent company is Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA. Which group entity is the contracting party in any given case must be verified by the website operator on the basis of its contractual documents.
According to the entries in the DPF list, Salesforce, Inc. is EU-US Data Privacy Framework (DPF) certified (see participant entry in the DPF directory). EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules are used as additional safeguards.
The provider's privacy notice is available at https://www.salesforce.com/company/privacy/. The Data Processing Addendum (DPA) is available at https://www.salesforce.com/company/legal/agreements/.
D. Data Processing by Salesforce Pardot – Step by Step
E. Data Collected by Salesforce Pardot
In connection with the use of Salesforce Pardot, according to the provider's information the tool typically processes a pseudonymous cookie ID (tracking cookie), the IP address, timestamps, URLs visited and referrers, click and form events, the data entered by the visitor into Pardot forms (name, business email, telephone number, company, position, other form fields), and the linking of earlier anonymous browsing histories to the resulting lead record.
The data can be classified into the following standardised data categories:
- Web server log data: IP address, timestamp, URL, referrer, user-agent, status code when calling the tracking endpoints and Pardot landing pages.
- Click paths: pages visited, clicks on buttons, calls to Pardot forms and landing pages, clicks in Pardot marketing emails.
- Device data: device type, operating system, screen resolution where derivable from the user-agent.
- Browser information: browser name and version.
- Coarse location data: location derived from the IP address at city or municipality level.
- User profiles: score and grade values determined by the website operator for a lead, segment assignments, engagement histories.
- Conversion events: visits to defined target pages, form submissions, sign-ups for webinars or whitepaper downloads, clicks on specific links in emails.
- Interaction data: scrolling, time spent on a page, opening of emails, clicks on links and buttons.
F. Purposes when Using Salesforce Pardot
Website operators typically use Salesforce Pardot to evaluate the behaviour of website visitors for B2B lead generation, to follow up on previously anonymous visitors as identified leads after a form submission, to nurture leads through automated customer journeys, to manage lead qualification via scoring and grading, and to hand over qualified leads to the sales team in the Salesforce CRM.
These purposes can be classified into the following standardised purpose categories:
- Provision of functionality: rendering of Pardot forms and landing pages, sending of confirmation and follow-up emails.
- Security and abuse prevention: bot and spam defence on forms.
- General product improvement: evaluation of aggregated metrics (conversion rates, engagement trends) to optimise content and campaigns.
- General marketing: reach and campaign analysis.
- User profile creation: creation of lead profiles, score/grade calculation, segmentation by company, industry, function.
- User-individual product improvement: personalisation of content in subsequent communication journeys.
- User-individual marketing: personalised marketing emails, trigger journeys, account-based marketing measures.
- Contract performance: processing of form entries to respond to specific sales inquiries.
- Communication: handling enquiries, providing requested content (e.g. whitepapers).
G. Legal Bases when Using Salesforce Pardot
In a first step, it must be determined which tool category Salesforce Pardot primarily falls into. In the use described here, it is mainly a tool from the Tracking (Marketing) category, complemented by functions in the Newsletter category and – when transmitting lead enquiries – by functions in the Contact form category.
In a second step, the relevant legal bases must be considered:
- For the setting and reading of the tracking cookie and the subsequent profile building, consent under § 25 para. 1 TDDDG and marketing consent under Art. 6 para. 1 lit. a GDPR are typically required.
- For the processing of form entries to respond to a sales enquiry, contract performance or pre-contractual measures under Art. 6 para. 1 lit. b GDPR and legitimate interests in efficiency under Art. 6 para. 1 lit. f GDPR may be relevant.
- For subsequent advertising email communications, consent under Art. 6 para. 1 lit. a GDPR is typically required; in an existing-customer context, this may be supplemented by § 7 para. 3 UWG together with legitimate interests in advertising.
- For the storage of sign-up and consent records, a legal obligation under Art. 6 para. 1 lit. c GDPR in conjunction with § 7 para. 2 no. 2 UWG and a legitimate interest in legal defence may apply.
Which legal basis is specifically applicable depends on the circumstances of the individual case (integration in the consent banner, existing-customer relationship, cookie lifetime) and must be examined by the website operator on a case-by-case basis.
H. Particularities and Notes on Salesforce Pardot
- Data processing agreement: According to the publicly available information, Salesforce provides a Data Processing Addendum (DPA) for Pardot/Marketing Cloud Account Engagement; concluding a DPA under Art. 28 GDPR is mandatory when used by website operators in Germany.
- First-party instead of third-party tracking: Pardot supports delivery of the tracking script via a subdomain controlled by the website operator (first-party mode). This configuration may be appropriate in light of browser anti-tracking measures and data quality; it does not, however, change the obligation to obtain prior consent under § 25 para. 1 TDDDG.
- Tracking opt-in / consent mode: Pardot provides a "Tracking & Consent JavaScript API" that allows cookie setting and tracking to be controlled based on the visitor's consent. Connecting it to the website operator's consent management is recommended by the provider.
- Cookie lifetime: According to the provider, the default lifetime of the Pardot tracking cookie is 3650 days. Reducing it to an appropriate period should generally be considered.
- Third-country transfer / DPF: Where data is transferred to the USA, the DPF certification of Salesforce, Inc. may serve as a transfer mechanism; EU Standard Contractual Clauses and Binding Corporate Rules are used as additional safeguards.
- Subprocessors: A current list of subprocessors is available via the Salesforce Compliance Portal (https://compliance.salesforce.com).
- Source note: The above information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
I. Frequently Asked Questions on Salesforce Pardot and Data Protection
J. Conclusion on Salesforce Pardot
When using Salesforce Pardot, website operators process behavioural and contact data of visitors and leads for B2B lead generation, marketing automation and integration with the sales CRM. The contracting party is typically the EU group entity of the Salesforce group; the parent company Salesforce, Inc. is DPF certified. Key obligations are concluding a data processing agreement, linking the tracking script to effective consent management, and critically setting the cookie lifetime.
For the website operator, it is generally not advisable to include a dedicated boilerplate text for Salesforce Pardot in the privacy policy. This makes the privacy policy long, unwieldy, hard to maintain and runs counter to the transparency requirement of Art. 12 para. 1 GDPR. A structured, topic-oriented approach is recommended that explains tools across topical blocks (tracking, newsletter, contact form, etc.) and only names individual service providers such as Salesforce Pardot in an annex of recipients. This is exactly the methodology that the matterius generator follows.
This article provides general information on Salesforce Pardot and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com