SendPulse is a multichannel marketing platform offering email, SMS, push notifications, chatbots, landing pages and a free CRM.
SendPulse is a multichannel marketing platform that bundles email, SMS, web push, mobile push, chatbots (Facebook Messenger, WhatsApp, Instagram, Telegram), landing pages and a free CRM under one tool. It is popular with small and mid-sized businesses thanks to a generous free tier.
SendPulse embed forms write cookies (sp_session, sp_visitor, sp_form_state) on your domain. The chatbot widget adds session and identity cookies. SendPulse receives subscriber email, phone, IP, user agent, source URL and engagement data (opens, clicks, button presses in chatbots). Web push tokens are stored to allow re-engagement.
Loading SendPulse scripts writes to the user's device, so Article 5(3) ePrivacy consent is required. Web push notifications require an explicit browser opt-in. Email and SMS marketing are governed by Article 6(1)(a) GDPR consent and national newsletter laws; a soft opt-in for existing customers exists in B2B under narrow conditions.
Use double opt-in everywhere (mandatory in Germany under TTDSG, recommended in France and Spain). Get a fresh consent for each channel: subscribing to email does not automatically allow web push or SMS. Document the consent log with timestamp, source page and version of the notice.
SendPulse Inc. is registered in Limassol, Cyprus, which is an EU jurisdiction. The US affiliate SendPulse LLC (Delaware) shares the same infrastructure and may access subscriber data from the US. Transfers rely on Standard Contractual Clauses in the SendPulse DPA; the US affiliate is also typically registered under the EU-US Data Privacy Framework. Verify the current status.
Configure the Cyprus account (eu region) for EU subscribers when offered. Enable double opt-in on every form. Block the embed scripts until consent. Mask any sensitive content collected via chatbots, and provide a clear unsubscribe link in every email and SMS. Sign the SendPulse DPA and document the cross-border flows.
Websites using SendPulse must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when SendPulse is used to send transactional notifications combined with marketing, when SMS to minors may be sent, when sensitive segments are profiled, or when chatbots collect free-text health or financial data.
Sample consent text
We use SendPulse to deliver our newsletters, push notifications and chatbots. SendPulse writes cookies on your device, processes your email and IP and shares them with SendPulse Inc. (Cyprus) and SendPulse LLC (United States). We only load SendPulse if you accept.
Third-party domains contacted
sendpulse.com, login.sendpulse.com, cdn.sendpulse.com, web.sendpulse.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sp_session | third_party | session | Identifies the active form session for the SendPulse widget |
| sp_visitor | third_party | 1 year | Persistent visitor identifier used by the SendPulse forms |
| sp_form_state | third_party | 1 year | Stores the display state of a SendPulse form (already shown, dismissed) |
SendPulse embed forms write sp_session, sp_visitor and sp_form_state on your domain. The chatbot widget adds session and identity cookies. Web push uses browser permissions instead of cookies.
Yes, for the embed form scripts and the chatbot widget on public pages. Web push notifications require an explicit browser opt-in. Email and SMS marketing always need a documented Art. 6(1)(a) GDPR consent.
Consent for marketing communications and embed cookies. Legitimate interest for delivery security and fraud prevention. Contract performance for transactional notifications closely tied to a paid service.
SendPulse Inc. is in Cyprus (EU) but SendPulse LLC (Delaware) shares the infrastructure and may access data from the US. Cover the flow with Standard Contractual Clauses in the SendPulse DPA and the EU-US Data Privacy Framework certification of the US affiliate.
Recommended when SendPulse mixes transactional and marketing flows, when SMS may reach minors, when chatbots collect free-text health or financial data, or when sensitive segments are profiled.
Use the Cyprus region for EU subscribers, enable double opt-in, block scripts behind consent, secure unsubscribe links, mask sensitive content in chatbot transcripts and sign the SendPulse DPA.
EU-based options include Brevo (France), GetResponse (Poland), CleverReach (Germany), MailerLite EU, Sarbacane (France), and self-hosted Mautic or Listmonk.
List sp_session, sp_visitor and sp_form_state and the chatbot cookies with purpose and duration. Disclose SendPulse Inc. (Cyprus) and SendPulse LLC (United States) and the transfer mechanism.