Does your website use third-party services? Get GDPR compliant in minutes.

MageMail

What does MageMail do?

Behavioural email automation service for Magento storefronts that triggers abandoned cart, browse abandonment and post purchase emails based on visitor activity.

What MageMail is

MageMail is a behavioural email automation tool built around the Magento ecommerce platform. Now part of Springbot, it ties together a JavaScript tracker installed on the storefront, an extension that exposes Magento order and cart events, and a campaign engine that sends abandoned cart, browse abandonment, win back and post purchase emails.

Cookies and data

The tracker writes a first party visitor cookie (mm_visitor) and a session cookie (mm_session). Cart and product events sent to the MageMail API include the email address (when available), browsing events, product identifiers, cart contents, IP and user agent.

GDPR and ePrivacy posture

Setting MageMail cookies and shipping behavioural events trigger Article 5(3) ePrivacy: consent must be obtained before the pixel loads. Marketing emails sent based on the captured behaviour rely on Article 6(1)(a) consent and on Article 7 of the European ePrivacy Directive 2002/58/EC for the soft opt in to existing customers.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Transfers and contracts

Springbot operates from the United States. EU controllers must sign Standard Contractual Clauses, run a Transfer Impact Assessment and document the transfer in their RoPA. Confirm whether an EU data residency option is available before signing.

Implementation steps

Block the MageMail pixel until consent, configure double opt in for the email list, sign the DPA and SCCs, document the cookies, restrict retention of cart events to the minimum, and surface a clear unsubscribe and right of access mechanism.

GDPR consent category

Analytics

Websites using MageMail must obtain user consent under GDPR regulations.

Legal basisConsent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the MageMail tracking cookies, the cart and behavioural event capture and the cross channel marketing emails. Legitimate interest (Art. 6(1)(f)) may apply to transactional emails sent under contract performance.

Risk levelmedium

Applicable regulationsGDPR, ePrivacy Directive, UK GDPR, CCPA, CAN,SPAM

DPIA considerations

A DPIA is recommended because MageMail combines behavioural ecommerce tracking with cross channel email targeting and a US transfer through Springbot.

Sample consent text

We use MageMail to send personalised marketing emails based on your browsing and cart activity. With your consent, the MageMail pixel stores a visitor identifier and shares activity with Springbot in the United States.

Technical details

Tracking methodJavaScript pixel and tracking script for Magento storefronts that captures cart events, browse events, email link clicks and visitor identity, plus first party cookies for visitor stitching and a server side ingestion API.

Server locationUnited States (Springbot, Atlanta)

Data transferred outside the EUMageMail is operated by Springbot Inc. on US infrastructure. Standard Contractual Clauses are required and a Transfer Impact Assessment must be documented for European deployments.

Third-party domains contacted

magemail.comspringbot.comcdn.springbot.com

Cookies placed

Name	Type	Duration	Purpose
mm_visitor	first_party	1 year	Persistent visitor identifier used by the MageMail tracker to attribute browsing and cart events to a single shopper.
mm_session	first_party	Session	Session identifier used to group cart and browsing events from the same visit.
mm_email_id	first_party	6 months	Hashed email reference used to stitch the visitor with the email subscriber identity once the user has identified themselves.

MageMail collects user analytics data — you legally need a consent banner. Try FlowConsent free.

Get started free Scan your site

Frequently asked questions

What cookies does MageMail set?

mm_visitor (long lived visitor identifier) and mm_session (session). Optional cookies appear if Springbot cross domain stitching is activated.

Is consent required to load MageMail?

Yes. Cookies and behavioural events trigger Article 5(3) ePrivacy. Consent must be obtained before the pixel loads.

What is the legal basis for MageMail processing?

Consent (Art. 6(1)(a) GDPR) for the pixel and marketing emails. Contract performance (Art. 6(1)(b)) for transactional order emails. Soft opt in is possible for existing customers under Article 13 of the ePrivacy Directive.

Does MageMail transfer data to the United States?

Yes. Springbot processes events on US infrastructure. Sign SCCs, complete a TIA and document the transfer in your RoPA.

Do I need a DPIA for MageMail?

Recommended given the combination of behavioural ecommerce tracking, identifiable email targeting and a US transfer.

How do I implement MageMail compliantly?

Gate the pixel behind the CMP, configure double opt in, sign the DPA and SCCs, document cookies, set short retention for cart events, surface clear unsubscribe and access rights.

What are the alternatives to MageMail?

EU based alternatives include Klaviyo (with EU data residency on Enterprise), Brevo (formerly Sendinblue, France), ActiveCampaign (with EU options), Omnisend (Lithuania) and Mailjet (France).

How do I update my cookie policy when adding MageMail?

List mm_visitor and mm_session with name, purpose, retention and processor (Springbot Inc., US). Mention the SCCs and the right to withdraw consent in your privacy notice.

Get compliant — Try FlowConsent free

Free plan · 10-min setup