ConvertKit, rebranded Kit in 2024, is the email marketing and creator monetisation platform built for newsletters, online courses, paid subscriptions and digital product sales.
ConvertKit, rebranded Kit in 2024, is the email marketing and creator economy platform launched by Nathan Barry in 2013. It targets bloggers, podcasters, YouTubers and other creators with broadcast newsletters, automation sequences, landing pages, signup forms, paid subscriptions and a Commerce module for selling digital products. ConvertKit LLC is based in Boise, Idaho and runs on Heroku and Cloudflare infrastructure in the United States.
ConvertKit drops first party cookies on the publisher domain when forms are embedded (ck_subscriber_id, _ckid_*, _convertkit_subscribed), plus third party cookies on convertkitcdn.com and kit.com when assets are loaded from the CDN. The tracker captures form submissions, the subscriber email, the form ID, the referring URL and the user agent. Email open tracking uses a 1x1 pixel served by ConvertKit servers, while click tracking redirects through ck.click endpoints.
ConvertKit form cookies are not strictly necessary for the website to function. Article 5(3) of the ePrivacy Directive requires prior consent before they are stored. Newsletter sign ups require an article 6(1)(a) consent under the GDPR. Article 13 of the ePrivacy Directive imposes prior opt in consent for marketing emails to prospects. Soft opt in for existing customers is allowed for similar products with an easy opt out. ConvertKit and the creator are independent controllers for the subscriber relationship.
Block the ConvertKit form embed inside your CMP until consent is granted for the Marketing purpose. Use the GDPR setting in the ConvertKit form builder to require double opt in, capture consent proof (timestamp, IP, form version) and display an explicit consent checkbox separated from the submit button. Provide a one click unsubscribe and honour Subject Access and Erasure requests through the ConvertKit API.
ConvertKit (Kit) processes data in the United States on Heroku (Salesforce) and Cloudflare. EU subscriber data is therefore transferred outside the EEA. Transfers rely on the ConvertKit DPA, EU SCCs and the EU US Data Privacy Framework when ConvertKit LLC is certified. Document the transfer mechanism in your records of processing activities and inform subscribers in your privacy notice.
Sign the ConvertKit DPA with EU SCCs. Block the form embed behind your CMP. Use double opt in. Categorise ck_subscriber_id and _ckid as Marketing. Provide explicit consent text in your form. Maintain a clear unsubscribe link in every email. Honour Subject Access and Erasure via the ConvertKit API. Update your cookie policy and privacy notice to identify ConvertKit LLC as processor with the US transfer disclosure.
Websites using ConvertKit (now Kit) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when ConvertKit is used for large scale behavioural automation, when subscriber lists exceed 50,000 contacts in Europe, when tagging enriches profiles with web tracking data, or when paid newsletters process credit card data via the Commerce feature.
Sample consent text
We use ConvertKit (Kit) to send our newsletter and creator emails. ConvertKit identifies you across sessions, tracks email opens and clicks and shares subscriber data with its US infrastructure. Without your consent, no tracking cookie is set and you only receive transactional emails.
Third-party domains contacted
convertkit.com, convertkitcdn.com, kit.com, app.kit.com, f.convertkit.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ck_subscriber_id | Marketing | 5 years | Identifies a returning ConvertKit subscriber on the publisher site to prefill forms and avoid duplicate signups. |
| _ckid_* | Marketing | 1 year | Persistent visitor identifier used by ConvertKit to attribute conversions and feed automation workflows. |
| _convertkit_subscribed | Marketing | 5 years | Flag set when a visitor has subscribed to a ConvertKit form, used to hide signup forms on subsequent visits. |
| ckforms_visitor_uuid | Marketing | 1 year | Unique visitor identifier set by ConvertKit forms for analytics and conversion attribution. |
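
To verify that the form embed really is blocked until consent, a snapshot taken before the visitor answers the banner can be checked against the cookie names and domains listed above. This is an added example, not code from Kit or from this page; the snapshot shape (a `document.cookie`-style string plus a list of requested URLs) and the function names are assumptions.

```javascript
// Cookie names and base domains are taken from the tables on this page.
const KIT_COOKIE_PATTERNS = [
  /^ck_subscriber_id$/,
  /^_ckid(_.*)?$/,            // "_ckid_*" in the table, "_ckid" in the prose
  /^_convertkit_subscribed$/,
  /^ckforms_visitor_uuid$/,
];
const KIT_BASE_DOMAINS = ["convertkit.com", "convertkitcdn.com", "kit.com"];

// Match the base domain or a true subdomain (app.kit.com, f.convertkit.com).
// A plain substring test would wrongly flag unrelated hosts such as notkit.com.
function isKitHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return KIT_BASE_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Extract cookie names from a "name=value; name2=value2" string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Return every Kit cookie or Kit request present in a pre-consent snapshot.
// An empty array means nothing from Kit loaded before consent.
function auditPreConsent(snapshot) {
  const findings = [];
  for (const name of cookieNames(snapshot.cookieString)) {
    if (KIT_COOKIE_PATTERNS.some((re) => re.test(name))) {
      findings.push({ type: "cookie", value: name });
    }
  }
  for (const url of snapshot.requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip malformed entries
    if (isKitHost(host)) findings.push({ type: "request", value: host });
  }
  return findings;
}

// Constructed sample: values as they might be read from document.cookie and
// performance.getEntriesByType("resource") before the banner is answered.
const SAMPLE_SNAPSHOT = {
  cookieString: "theme=dark; ck_subscriber_id=1001; _ckid_ab12=xyz; sessionid=abc",
  requests: ["https://example.org/app.js", "https://f.convertkit.com/constructed/form.js",
             "https://notkit.com/x.js", "https://app.kit.com/constructed/path", "not a url"],
};
console.log(auditPreConsent(SAMPLE_SNAPSHOT));
```
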
ConvertKit drops first party cookies on the publisher domain when forms are embedded: ck_subscriber_id (subscriber identifier), _ckid_* (ConvertKit visitor identifier), _convertkit_subscribed. Third party cookies are set on convertkitcdn.com and kit.com when assets load from the CDN.
Yes. The form embed cookies are not strictly necessary and trigger article 5(3) ePrivacy. Newsletter signups require article 6(1)(a) GDPR consent. Marketing emails to prospects require prior opt in under article 13 ePrivacy.
Consent for prospects, with double opt in and proof storage. Soft opt in for existing customers receiving similar products. Performance of a contract for transactional emails strictly necessary to a paid service.
ConvertKit data is processed on Heroku and Cloudflare in the US. Transfers rely on the ConvertKit DPA, EU SCCs and the EU US Data Privacy Framework when ConvertKit LLC is certified.
A DPIA is recommended for lists over 50,000 EU subscribers, when behavioural automation enriches profiles via web tracking, for sensitive sectors (health, finance) or when Commerce processes card data.
Enable the GDPR form setting. Use double opt in. Block the form embed behind your CMP. Sign the ConvertKit DPA with EU SCCs. Provide a one click unsubscribe and honour Subject Access and Erasure via the ConvertKit API.
Beehiiv (US, creators), Substack (US, paid newsletters), Ghost (open source, EU friendly), MailerLite, Brevo (EU hosted), ActiveCampaign, Klaviyo and Mautic for self hosted needs.
List ck_subscriber_id, _ckid and _convertkit_subscribed with domain, duration and purpose. Identify ConvertKit LLC as processor in the privacy notice. Describe the US transfers and safeguards. Link to the ConvertKit privacy notice and unsubscribe page.