Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Salesloft is a US sales engagement platform widely used by B2B sales teams to orchestrate email, call and LinkedIn cadences. It processes prospect contact data and tracks email opens, clicks and replies through pixels and link rewriting. Because it covers cross border prospecting and behavioural tracking, it raises GDPR, ePrivacy and German UWG obligations for European customers.
Salesloft is a sales engagement platform founded in Atlanta in 2011. It is one of the most widely adopted tools by B2B sales teams to orchestrate multistep cadences combining email, calls, LinkedIn touches, meetings and tasks. Salesloft also provides conversation intelligence (call and meeting recording with AI summaries), pipeline analytics and forecasting. In 2022 Salesloft was acquired by Vista Equity Partners.
Salesloft processes prospect personal data uploaded by the user or synced from a CRM (name, professional email, phone, company, job title, custom fields), the content of sent and received emails, call logs and recordings (when activated), meeting notes, behavioural signals (opens, clicks, replies) collected via email pixels and rewritten URLs, and the Salesloft user account information. It also integrates with CRMs (Salesforce, HubSpot), enrichment vendors and conversation intelligence platforms.
Cold outreach is regulated by the GDPR (any contact data is personal data) and by the ePrivacy Directive (electronic communications). For B2C, prior opt in consent is required. For B2B, several EU authorities accept legitimate interest under strict conditions, while the German UWG generally requires soft opt in or a clear business relationship. Email pixels and rewritten links fall under Art. 5(3) ePrivacy and call recording requires both party notice and a separate lawful basis.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Salesloft hosts production data on AWS in the United States by default. An EU data residency option is available for enterprise customers and should be activated for European deployments. Transfers to the United States are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR and require a Transfer Impact Assessment that takes FISA 702 into account.
Compliance checklist: assess the lawful basis country by country (UWG in Germany is stricter than CNIL in France); document the legitimate interest assessment; send the Art. 14 GDPR notice in the first message; include a one click unsubscribe in every email; configure email tracking off for sensitive recipients; activate EU residency when available; sign the Salesloft DPA and the SCCs; obtain explicit consent for call recording where required; run a DPIA for large scale outreach; update privacy policy and prospecting notice with Salesloft and the data processed.
Websites using Salesloft must obtain user consent under GDPR regulations.
DPIA considerations
Salesloft processes uploaded prospect data (name, email, phone, company, role, custom fields), interaction history (sent and received emails, call logs, recordings when activated, meeting outcomes), behavioural signals (opens, clicks, replies) collected via email pixels and rewritten links, and integration data from connected CRMs. Key DPIA points: (1) cold outreach raises ePrivacy obligations that differ by EU country (UWG in Germany requires soft opt in for unsolicited email); (2) email pixels and rewritten links fall under Art. 5(3) ePrivacy in most member states; (3) US hosting by default triggers SCCs and a Transfer Impact Assessment, EU residency is available for enterprise tiers; (4) call recording engages additional rules and requires both party notice; (5) lead scoring and automated cadence triggers may activate Art. 22 GDPR obligations when decisions have significant effects; a DPIA under Art. 35 GDPR is recommended for large scale outreach programs.
Sample consent text
We use Salesloft to manage our sales engagement with you, including emails, calls and meetings. Salesloft tracks whether you open or click on our emails and may record calls where law permits. Your professional contact data, our exchanges and behavioural signals are processed by Salesloft, Inc. on infrastructure located in the United States (or in the European Union if EU residency is enabled). You can object at any time by replying to the email or contacting us.
Third-party domains contacted
app.salesloft.comsdr.salesloft.comclick.salesloft.comopen.salesloft.comstatic.salesloft.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| Salesloft email tracking pixel | Tracking pixel (1x1 image) | No persistent storage | Invisible image inserted in outbound emails; loaded from a Salesloft domain when the recipient opens the email, used to record opens and infer geolocation from request IP. |
| Salesloft link redirect | URL redirection | No persistent storage | Outbound links rewritten through a Salesloft redirect domain to attribute click events to the campaign and prospect. |
| _salesloft_session | HTTP first party cookie | Session | Session cookie set on the Salesloft web application for authenticated users. |
Salesloft places tracking cookies for advertising — comply with GDPR using FlowConsent.
Salesloft uses email tracking pixels and link rewriting to record opens and clicks. The Salesloft web application sets first party session cookies for the authenticated user, and may use third party JavaScript for product analytics and support chat.
Yes for B2C; opt in is mandatory under Art. 13 ePrivacy. For B2B, legitimate interest may apply in France, Spain and the UK under conditions; in Germany the UWG generally requires soft opt in or an existing business relationship.
Consent (Art. 6(1)(a) GDPR) for B2C and recordings. Legitimate interest (Art. 6(1)(f) GDPR) is possible for B2B prospecting subject to a Legitimate Interest Assessment. Call recording usually requires explicit consent of both parties.
Yes by default. Salesloft hosts data on AWS in the United States. An EU residency option is available for enterprise tiers. SCCs and a Transfer Impact Assessment are required for US transfers.
Recommended in most B2B contexts and required for large scale outreach, automated lead scoring, or call recording. The DPIA must cover Art. 14 obligations, retention, third party transfers, and rights to object.
Activate EU residency where possible, sign the Salesloft DPA and SCCs, document the lawful basis country by country, send Art. 14 notices, allow one click unsubscribe, configure call recording with explicit consent, run a DPIA, and update the privacy notice.
Alternatives include Outreach, Apollo.io, Reply.io, Mixmax, Lemlist (France), La Growth Machine (France), Woodpecker (Poland). EU based vendors simplify the transfer analysis.
Add Salesloft as a processor, list the data categories, mention the US transfer or EU residency, the retention period, the legal basis (consent or legitimate interest), the right to object and the unsubscribe channel.