Kit (formerly ConvertKit) is a US based email marketing and creator platform founded in 2013 and headquartered in Boise, Idaho. It is widely used by bloggers, podcasters, authors and online creators for newsletter signup forms, landing pages, automations and paid newsletters via Kit Commerce. For European audiences, Kit involves cross border transfers to AWS US infrastructure and tracking of opens and clicks, which require consent and clear disclosure.
Kit, originally founded in 2013 as ConvertKit by Nathan Barry, is an email marketing and creator platform headquartered in Boise, Idaho. The company rebranded from ConvertKit to Kit in 2024. It targets bloggers, podcasters, authors, course creators and content creators with tools for newsletter signup forms, landing pages, automations, paid newsletters (Kit Commerce) and a Creator Network for referrals.
Kit collects subscriber email, name, tags, custom fields, sign up source, IP, opens and clicks. The embedded form widget can set first party cookies on the customer domain (ck_subscriber_id, ck_session) for analytics and form attribution. Email opens are tracked via a 1x1 pixel and clicks via link wrapping through ck.kit.com (formerly convertkit.com).
Kit is a data processor under Art. 28 GDPR for the newsletter content and an independent controller for some platform analytics. The subscribe widget cookies trigger Art. 5(3) ePrivacy. Email and SMS direct marketing under Art. 13 ePrivacy require consent in B2C. The Creator Network referral feature shares subscriber data between creators and requires explicit, granular consent under GDPR. Tags and automations can build a profile that should be disclosed.
Subscribing is the user's explicit opt in for the newsletter. Open tracking and click tracking should be disclosed. The Creator Network requires distinct consent because it shares subscriber data with other creators. Embedded form cookies should load after consent or in a cookie free mode if available. Kit Commerce payment processing goes through Stripe, which has its own consent and disclosure requirements.
Kit runs on AWS US infrastructure; no EU data centre is offered. EU subscriber data is transferred to the US under SCCs and the EU US Data Privacy Framework. Sub processors include AWS, SendGrid for email and Stripe for billing, each with their own transfer chain.
Sign Kit's Data Processing Agreement, complete a Transfer Impact Assessment for the US transfers, disable the Creator Network or require explicit additional consent, load embedded forms after consent, disclose open and click tracking, document AWS, SendGrid and Stripe sub processors, and ensure one click unsubscribe on every email.
Websites using Kit must obtain user consent under GDPR regulations.
DPIA considerations
Kit processes subscriber email, name, tags, opens, clicks, sign up source, IP and custom fields on US AWS infrastructure. Key DPIA considerations: (1) the embedded subscribe widget can set first party cookies before consent if loaded eagerly; (2) open pixels and link wrapping process personal data and need a lawful basis; (3) US transfers rely on SCCs and the EU US Data Privacy Framework; (4) Kit Creator Network referrals share subscriber data between creators and need explicit consent; (5) automations and tags can produce profiling that should be documented; (6) Kit Commerce processes payment data through Stripe with its own transfer chain.
Sample consent text
We use Kit (formerly ConvertKit) to manage and send our newsletter. With your consent, Kit processes your email, name, opens and clicks to deliver content and measure interest. Kit is hosted in the United States; your data is transferred under Standard Contractual Clauses and the EU US Data Privacy Framework. You can unsubscribe at any time from any email.
Third-party domains contacted
kit.com, convertkit.com, ck.kit.com, app.kit.com, media.kit.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| ck_subscriber_id | Marketing | 5 years | Persistent first party identifier set by the Kit embedded form to link page views to a known subscriber after the visitor clicks a tracked email link. |
| ck_session | Functional | Session | Session cookie used by Kit landing pages and embedded forms to maintain state during a visit. |
| ck_visitor_id | Marketing | 1 year | Anonymous visitor identifier used by Kit to attribute future subscriptions and engagement to the same browser. |
Kit can set first party cookies on the customer domain via its embedded subscribe widget, including ck_subscriber_id (links pageviews to a known subscriber) and ck_session. Email opens use a 1x1 pixel and clicks use link wrapping via ck.kit.com, neither of which stores browser state.
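
A consent gate for the embedded form, plus a check for Kit cookies that are present without matching consent, as an added example (not Kit's or FlowConsent's code). The cookie names and categories come from the table above; the `consent` object shape, the `embedSrc` placeholder and the choice to gate the embed on every listed category are assumptions.

```javascript
// Cookie names and categories as listed in the table on this page.
const KIT_COOKIES = {
  ck_subscriber_id: "marketing",
  ck_session: "functional",
  ck_visitor_id: "marketing",
};

// Constructed sample of a document.cookie string (not real data).
const SAMPLE_COOKIES = "theme=dark; ck_session=abc123; ck_subscriber_id=42";

// Extract cookie names from a "name=value; name2=value2" string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// List Kit cookies that exist although their category was not consented to.
// consent is a hypothetical per-category map, e.g. { functional: true, marketing: false }.
function kitCookiesWithoutConsent(cookieString, consent) {
  return cookieNames(cookieString)
    .filter((name) => Object.prototype.hasOwnProperty.call(KIT_COOKIES, name))
    .filter((name) => consent[KIT_COOKIES[name]] !== true)
    .map((name) => ({ name, category: KIT_COOKIES[name] }));
}

// Assumption: the embed may load only when every category it can set is granted.
function mayLoadKitEmbed(consent) {
  return Object.values(KIT_COOKIES).every((category) => consent[category] === true);
}

// Inject the embed script only after consent. doc is `document` in a browser;
// embedSrc is a placeholder for the form's embed URL taken from the Kit account.
function loadKitEmbed(doc, embedSrc, consent) {
  if (!mayLoadKitEmbed(consent)) return false;
  const script = doc.createElement("script");
  script.async = true;
  script.src = embedSrc;
  doc.head.appendChild(script);
  return true;
}
```

Running `kitCookiesWithoutConsent(document.cookie, consent)` on a page before the banner is answered shows whether the widget was loaded eagerly.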
Yes for any non essential cookies set by the embedded form widget and for direct email marketing in B2C. The subscription itself is the user's opt in for the newsletter. The Creator Network referral feature needs a separate explicit consent.
Consent (Art. 6(1)(a) GDPR) for newsletter subscription, email marketing in B2C and tracking pixels/cookies. Contract (Art. 6(1)(b) GDPR) for delivering the newsletter once subscribed. Legitimate interest (Art. 6(1)(f) GDPR) only for very narrow B2B promotional cases with an opt out.
Kit processes data on AWS US infrastructure, with no EU data centre. EU subscriber data is transferred under SCCs and the EU US Data Privacy Framework where applicable. Sub processors include AWS, SendGrid for email delivery and Stripe for billing.
A DPIA is recommended for large lists, paid newsletters via Kit Commerce or use of the Creator Network for referrals. The DPIA should cover open/click tracking, the Creator Network data sharing, US sub processors and retention of engagement history.
Sign Kit's Data Processing Agreement, complete a TIA, disable the Creator Network or require explicit consent, load the embedded form after cookie consent, disclose pixels and link wrapping, document AWS, SendGrid and Stripe and provide one click unsubscription.
EU based newsletter platforms include Brevo (France), Mailerlite (Lithuania), GetResponse (Poland), CleverReach (Germany) and Newsletter2Go/Sendinblue. For paid newsletters specifically, Ghost (open source, UK foundation), Substack (US) or Buttondown (US) can be considered, with self hosting being the strongest privacy choice.
Disclose Kit (formerly ConvertKit) as a sub processor, name AWS, SendGrid and Stripe as sub processors, describe the cookies set by embedded forms and their duration, document open and click tracking, declare the Creator Network as an optional sharing requiring separate consent and link Kit's privacy notice.