Does your website use third-party services? Get GDPR compliant in minutes.

MailerLite

What does MailerLite do?

MailerLite is a Lithuanian and Irish email marketing platform widely used in Europe by SMEs, content creators and small e-commerce stores. The infrastructure runs on EU regions of AWS and Hetzner. Newsletter subscriptions, behavioural tracking pixels and embedded MailerLite forms require prior consent; transactional emails tied to a service can rely on contract performance.

What is MailerLite?

MailerLite is an email marketing platform founded in 2010 in Vilnius, Lithuania, with European operations led by MailerLite Limited in Dublin. It offers list management, drag and drop email design, automation, landing pages, embedded forms and pop ups, and basic analytics. It is widely used in Europe by SMEs, creators and small e commerce stores as an alternative to Mailchimp and Brevo.

Cookies and data collected

On the merchant website, MailerLite forms and pop ups set first party cookies (ml_visitor_*, ml_subscriber) used to remember dismissed pop ups and to attribute new sign ups. In emails, the platform inserts a 1x1 tracking pixel and rewrites links through a tracking domain (eg. ml.mailersend.net) so opens and clicks can be measured. Subscriber data includes email address, optional first and last name, custom fields and the engagement history.

GDPR and ePrivacy implications

Newsletter subscriptions and behavioural tracking require freely given consent (Art. 6(1)(a) GDPR). Use double opt in to evidence consent. Embedded MailerLite forms set non strictly necessary cookies and require Art. 5(3) ePrivacy consent before they load. Open and click tracking pixels are non essential and should also be disclosed. Transactional emails strictly necessary to deliver a service the user requested can rely on contract performance (Art. 6(1)(b)).

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Data transfers and hosting

MailerLite hosts its primary infrastructure in EU regions of AWS and Hetzner. Some sub processors (eg. Cloudflare CDN, observability platforms) may operate outside the EEA; transfers in those cases rely on Standard Contractual Clauses included in the MailerLite DPA. The full list of sub processors is published on the MailerLite website and updated regularly.

Practical compliance steps

Sign the MailerLite DPA from your account settings. Enable double opt in for new subscribers. Block embedded forms and pop ups behind your CMP until consent is granted. Disclose MailerLite as a processor in your privacy notice with the EU hosting and the SCC reference for non EEA sub processors. Configure data retention for inactive subscribers. Provide an unsubscribe link in every campaign and a way to request data export or deletion.

GDPR consent category

Analytics

Websites using MailerLite must obtain user consent under GDPR regulations.

Legal basisConsent (Art. 6(1)(a) GDPR) for newsletter subscriptions, behavioural tracking (open and click tracking pixels) and any embedded MailerLite form on the website. Contract performance (Art. 6(1)(b)) for transactional emails (account, order) related to a service the recipient has requested.

Risk levellow

Applicable regulationsGDPR, ePrivacy Directive 2002/58/EC, CAN-SPAM, CASL, Lithuanian / Irish data protection laws

DPIA considerations

A DPIA is generally not required for standard newsletter use of MailerLite. It may become relevant for very large lists combined with behavioural automation, scoring, or marketing to special category audiences.

Sample consent text

We use MailerLite (MailerLite Limited, Ireland; UAB MailerLite, Lithuania) to send our newsletter and to track open and click events. By subscribing you agree to receive marketing emails and to the processing of your data by MailerLite as described in our privacy policy.

Technical details

Tracking methodSaaS email marketing platform with embeddable JavaScript snippet for forms, popups and tracking pixels in transactional and campaign emails

Server locationEuropean Union (MailerLite Limited, Dublin, Ireland; primary processing on AWS EU and Hetzner EU)

Third-party domains contacted

www.mailerlite.comstatic.mailerlite.comassets.mailerlite.comml.mailersend.net

Cookies placed

Name	Type	Duration	Purpose
ml_visitor_*	first_party	1 year	Identifies a website visitor across MailerLite forms and pop ups so dismissed pop ups stay closed and conversions are attributed.
ml_subscriber	first_party	1 year	Set after a successful sign up; ties the visitor to the new subscriber record for behavioural automation.
ml_recently_shown_form	first_party	7 days	Stores which MailerLite forms or pop ups have been displayed recently so they are not shown repeatedly.

MailerLite collects user analytics data — you legally need a consent banner. Try FlowConsent free.

Get started free Scan your site

Frequently asked questions

What cookies and identifiers does MailerLite set?

MailerLite forms and pop ups set first party cookies (ml_visitor_*, ml_subscriber, ml_recently_shown_form) used to identify visitors, attribute conversions and avoid showing the same pop up too often. In emails, MailerLite inserts a 1x1 tracking pixel and rewrites links through a tracking domain to measure opens and clicks.

Do I need consent to use MailerLite on my website?

Yes for the embedded forms, pop ups and behavioural tracking. The MailerLite snippet sets non strictly necessary cookies and must be blocked behind your CMP until consent is granted. Subscribing to the newsletter is itself a consent action and should use double opt in to evidence it.

What is the legal basis for MailerLite?

Newsletter subscriptions and behavioural tracking rely on consent (Art. 6(1)(a) GDPR) and the embedded form cookies on Art. 5(3) ePrivacy. Transactional emails strictly necessary to deliver a service rely on contract performance (Art. 6(1)(b)). Suppression lists used to honour unsubscribes rely on legal obligation (Art. 6(1)(c)).

Does MailerLite transfer data to third countries?

Primary processing happens in EU regions of AWS and Hetzner. Some sub processors (Cloudflare CDN, observability) may operate outside the EEA; transfers in those cases rely on Standard Contractual Clauses included in the MailerLite DPA. The current sub processor list is published on the MailerLite website.

Do I need a DPIA for MailerLite?

A standard newsletter use of MailerLite does not normally require a DPIA. A DPIA is recommended for very large lists combined with extensive automation, scoring or marketing to special category audiences.

How do I implement MailerLite compliantly?

Sign the MailerLite DPA. Enable double opt in. Block embedded forms and pop ups behind your CMP. Add MailerLite as a processor in your privacy notice with EU hosting and the SCC reference for non EEA sub processors. Configure inactive subscriber retention. Provide an unsubscribe link in every campaign and a way to request export or deletion.

Are there alternatives to MailerLite for EU email marketing?

EU based alternatives include Brevo (France), GetResponse (Poland), Mailjet (France) and Sendinblue (now Brevo). For privacy first newsletters, Buttondown and Beehiiv (with EU hosting setup) and self hosted Mautic are options. The privacy outcome depends on hosting and sub processor choices.

How should I update my privacy policy for MailerLite?

State that MailerLite (MailerLite Limited, Ireland; UAB MailerLite, Lithuania) is a processor for newsletter delivery and engagement tracking. List the cookies set by embedded forms and pop ups, the email tracking pixel and link rewriting, the EU hosting and the SCC reference for non EEA sub processors. Include the retention period for subscriber records.

Get compliant — Try FlowConsent free

Free plan · 10-min setup