Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Flodesk is a US email marketing platform known for visually rich newsletters, automated workflows and embed forms for capturing subscribers.
Flodesk is a US email service provider popular with small businesses, creators and online stores. It positions itself around visually rich newsletter design, simple automations and a fixed flat price. Subscribers are captured through hosted forms, inline embeds, popup forms or sales pages, and the platform sends emails on your behalf with engagement tracking.
The Flodesk embed form script writes cookies for form display state, A/B variant and conversion tracking, plus localStorage entries. Subscriber records on the Flodesk side include email address, name, custom fields, the source URL, IP address, user agent and engagement data (opens, clicks, link tracking). Click tracking redirects pass through fld.click and similar Flodesk domains.
Loading the embed form script writes to the user device, so Article 5(3) ePrivacy applies. The newsletter subscription itself is governed by Art. 6(1)(a) GDPR consent and by national rules on commercial electronic communications. Open and click tracking pixels embedded in emails require a transparent disclosure in the privacy policy and the option to disable tracking for users who request it.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Use double opt in on Flodesk subscribe forms; this is mandatory in Germany under TTDSG and strongly recommended in France and Spain. Tie the consent to a specific privacy notice version. For B2B sender soft opt in under the ePrivacy Directive can apply but conditions are narrow. Profiling based on opens and clicks requires its own consent.
Flodesk runs on AWS US regions and routes click tracking through US servers. Transfers from the EU are covered by the EU US Data Privacy Framework certification (verify the current status on the DPF list) and by Standard Contractual Clauses in the Flodesk DPA. EU residency is not advertised; document the transfer in your records of processing activities.
Enable double opt in on every Flodesk form. Block embed scripts until consent. Clearly disclose Flodesk and the US transfer in your privacy policy. Honour unsubscribe links promptly and remove the contact from any segment. Audit Flodesk integrations and disable any that you do not actually use.
Websites using Flodesk must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Flodesk segments subscribers by sensitive interests, when minors can subscribe, when click and open data feeds profiling, or when integrations push subscriber data to other platforms.
Sample consent text
We use Flodesk to send our newsletter and to embed subscription forms. Flodesk writes cookies on your device, processes your email and IP address, and shares them with Flodesk Inc. in the United States under the EU US Data Privacy Framework. We only embed the Flodesk form if you accept.
Third-party domains contacted
flodesk.comflodesk-universal.comfld.clickassets.flodesk.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| flodesk_form_session | third_party | session | Identifies the current form session to avoid duplicate displays |
| flodesk_ab | third_party | 1 year | Stores the A/B variant assigned to the visitor for a given form |
| flodesk_conv | third_party | 1 year | Records the successful conversion to attribute later visits |
Flodesk places tracking cookies for advertising — comply with GDPR using FlowConsent.
Flodesk embed forms typically write a flodesk_form_session cookie, an A/B variant cookie and a conversion tracking cookie. Click tracking redirects from emails set transient cookies on the Flodesk domain.
Loading the embed form requires consent under Article 5(3) ePrivacy. The newsletter subscription itself needs Art. 6(1)(a) GDPR consent and complies with national rules on commercial electronic communications.
Consent for the subscription and the form cookies. Legitimate interest for fraud prevention and minimal security analytics. Soft opt in for existing customers exists in B2B but with narrow conditions.
Yes. Flodesk runs on AWS US regions. Transfers rely on the EU US Data Privacy Framework and Standard Contractual Clauses in the Flodesk data processing addendum.
Recommended when Flodesk segments subscribers by sensitive interests, when minors can subscribe, when click and open data feeds profiling, or when integrations push subscriber data to other platforms.
Enable double opt in, block embed scripts until consent, document the US transfer in your privacy policy, honour unsubscribes immediately, set short retention and audit integrations.
EU based alternatives include Brevo (France), GetResponse (Poland), Sarbacane (France), CleverReach (Germany), MailerLite EU and self hosted Mautic or Listmonk.
List the Flodesk form cookies (session, A/B variant, conversion tracking) plus the click redirect cookies, with purpose and lifetime. Mention Flodesk as a sub processor with the EU US Data Privacy Framework basis.