emBlue is a Latin American marketing automation and customer engagement platform headquartered in Buenos Aires, Argentina, with offices across Mexico, Colombia, Chile, Peru and Brazil. It offers email marketing, SMS, push notifications, automation flows and embedded forms. For European customers, emBlue benefits from Argentina's GDPR adequacy decision but still relies on Standard Contractual Clauses for the AWS US infrastructure.
emBlue is a Latin American marketing automation and customer engagement platform headquartered in Buenos Aires, Argentina, with regional offices in Mexico, Colombia, Chile, Peru and Brazil. It offers email marketing, SMS, push notifications, automation flows, contact segmentation, dynamic content and integrations with e-commerce, CRM and customer support. The product is positioned for B2C marketers across LATAM.
emBlue processes subscriber email, name, phone, IP, country, device data and custom attributes pushed by the customer (purchases, demographics). Email opens are tracked via 1x1 pixel, clicks via link wrapping (em3.io and emblue.com domains). Embedded forms can set first party cookies on the customer domain. SMS and push channels also process device identifiers and phone numbers.
emBlue is a data processor under Art. 28 GDPR for newsletter delivery and is an independent controller for its own platform analytics. Embedded form cookies trigger Art. 5(3) ePrivacy. Email, SMS and push marketing under Art. 13 ePrivacy require prior consent for B2C contacts. Argentina has Art. 45 adequacy, which simplifies the transfer story for the part of processing carried out by emBlue staff in Argentina; AWS US infrastructure still needs SCCs and a TIA.
Subscription is the user's explicit opt-in. SMS and push notifications need an additional, specific consent because they are direct marketing on different channels. Embedded form cookies need cookie consent if they load before the user submits the form. Behavioural automations (browse retargeting, abandoned cart) require disclosure and a clear opt-out.
emBlue processing happens both within emBlue offices (Argentina has GDPR adequacy) and on AWS US and Brazil infrastructure. AWS US transfers require Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable. Brazil has the LGPD but no formal GDPR adequacy, so SCCs apply too. Document both transfer destinations.
Sign emBlue's Data Processing Agreement, complete a Transfer Impact Assessment for the AWS US infrastructure, capture separate consents for email, SMS and push, load embedded forms after consent or in cookie-free mode, set retention policies for engagement history, document Argentina adequacy and AWS sub-processor flows in your privacy notice and offer easy opt-out from each channel.
Websites using emBlue must obtain user consent under GDPR regulations.
DPIA considerations
emBlue processes subscriber email, name, phone, IP, device data, opens, clicks, custom attributes, automation events and SMS/push interactions. Key DPIA considerations: (1) the embedded form widget can set first party cookies before consent if loaded eagerly; (2) open tracking pixels and link wrapping process personal data and need a lawful basis; (3) Argentina has GDPR adequacy under Art. 45 but AWS US infrastructure still triggers SCCs; (4) SMS and push channels under Art. 13 ePrivacy require prior consent in B2C; (5) automation flows can produce profiling that should be documented; (6) integrations with social ads (Meta, TikTok) for retargeting add their own data transfers.
Sample consent text
With your consent, we use emBlue to send our newsletter and personalised marketing (email, SMS, push notifications). emBlue is headquartered in Argentina, an adequate third country under GDPR, with infrastructure on AWS in the United States and Brazil. Your data is transferred under Argentina's adequacy decision and Standard Contractual Clauses where applicable.
Third-party domains contacted
emblue.com, em3.io, api.emblue.com, cdn.emblue.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| em_session | Functional | Session | Session cookie used by the emBlue embedded form widget to maintain context during a visit. |
| em_visitor_id | Marketing | 1 year | Persistent visitor identifier used to attribute newsletter signups and engagement to a returning visitor. |
| em_utm | Marketing | 30 days | Stores UTM parameters captured at form submission to attribute the subscription to a marketing campaign. |
emBlue can set first party cookies on the customer domain through its embedded subscribe form widget (em_session, em_visitor_id). Email opens use a 1x1 pixel and clicks use link wrapping via em3.io and emblue.com without storing browser state.
Yes for direct marketing on each channel (email, SMS, push) and for any non essential cookies from the embedded form widget. The subscription itself is the user's opt in for the newsletter, but SMS and push need separate explicit consent.
Consent (Art. 6(1)(a) GDPR) for newsletter, SMS and push marketing in B2C. Contract (Art. 6(1)(b) GDPR) for transactional emails the user has requested. Legitimate interest (Art. 6(1)(f) GDPR) may apply for limited B2B promotional emails with an opt out.
emBlue staff in Argentina rely on the Argentina adequacy decision under Art. 45 GDPR. Production infrastructure runs on AWS US and Brazil, which require Standard Contractual Clauses for transfers from the EEA. Both transfer destinations should be documented.
A DPIA is recommended if you use SMS and push at scale, run sophisticated behavioural automations, or process special category data. The DPIA should cover the AWS US transfers, the Argentina adequacy, the channel mix and the retention of engagement history.
Sign the Data Processing Agreement, document SCCs for the AWS US infrastructure, capture explicit and separate consents for email, SMS and push, configure the form widget to load after consent, set retention rules, document Argentina adequacy and AWS sub processors and offer easy unsubscription on each channel.
EU based marketing automation alternatives include Brevo (France), Mailerlite (Lithuania), GetResponse (Poland), CleverReach (Germany) and SALESmanago (Poland). Each offers EU data centres and a strong DPA, simplifying compliance for European audiences.
Disclose emBlue as a processor and name the data flows (Argentina under adequacy, AWS US and Brazil under SCCs), explain each marketing channel (email, SMS, push) with its consent basis, describe open and click tracking, document automation logic and link the emBlue privacy notice and DPA.