Mailgun is a transactional and marketing email API platform operated by Sinch Email Inc. (part of the Sinch group, Stockholm). Mailgun does not set cookies on website visitors. Open and click tracking in emails involves identifiers stored on the recipient device when images load, requiring consent for marketing emails.
Mailgun is a transactional and marketing email API platform founded in 2010. Today it is operated by Sinch Email Inc., part of the Sinch group based in Stockholm, Sweden. Customers send email by calling the Mailgun API server side or by SMTP relay. The platform also offers inbound routing, list management, address validation and analytics. Mailgun is widely used for password resets, order confirmations, abandoned cart emails and newsletters.
Mailgun does not place any cookie on a website visitor (the platform is an email sender, not a web widget). When the customer enables open tracking, Mailgun adds an invisible 1x1 pixel served from email.mg.mailgun.net to outgoing emails. The recipient's browser fetches it when the email is read, and Mailgun records the open. When click tracking is enabled, links in the email are rewritten through events.mailgun.net so each click is logged. These tracking mechanisms link an open or a click to a recipient email address, which qualifies as personal data.
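One way to check a rendered message for the two mechanisms described above, as an added example that is not Mailgun's or this page's code: it scans an HTML email body for images and links on the tracking hosts named here. The function names, the 1x1 heuristic and the sample bodies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts taken from the page; the matching rules themselves are assumptions.
OPEN_PIXEL_HOSTS = {"email.mg.mailgun.net"}
CLICK_HOSTS = {"events.mailgun.net"}

def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none (cid:, data:, relative)."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""

class TrackingAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if _host(src) in OPEN_PIXEL_HOSTS:
                self.findings.append(("open-pixel", src))
            elif tiny and _host(src):
                # A remote 1x1 image on another host still needs a manual look.
                self.findings.append(("tiny-remote-image", src))
        elif tag == "a" and _host(a.get("href", "")) in CLICK_HOSTS:
            self.findings.append(("rewritten-link", a["href"]))

def audit_email_html(html):
    """Return every tracking artifact found in one HTML email body."""
    parser = TrackingAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample bodies (not real Mailgun output; paths are placeholders).
TRACKED = (
    '<p>Hi</p><a href="https://events.mailgun.net/c/PLACEHOLDER">Reset</a>'
    '<img width="1" height="1" src="https://email.mg.mailgun.net/o/PLACEHOLDER">'
)
CLEAN = '<p>Hi</p><a href="https://shop.example/reset?t=abc">Reset</a>'

if __name__ == "__main__":
    for name, body in (("tracked", TRACKED), ("clean", CLEAN)):
        print(name, audit_email_html(body))
```

Run against a copy of a transactional template as delivered, an empty result is evidence for the record of processing that open and click tracking are off for that message type.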
For transactional emails, Article 6(1)(b) GDPR (performance of a contract) typically covers the message itself. For marketing emails, the legal basis is consent (Article 6(1)(a)) or the soft opt in for existing customers depending on national rules. Open and click tracking implies storing identifiers and reading information from the recipient terminal, so the CNIL and other EU regulators consider it a tracking practice requiring informed consent for marketing campaigns. Transactional tracking can sometimes rely on legitimate interest if the purpose is documented in the privacy notice.
Provision Mailgun in the EU region (api.eu.mailgun.net) to keep email content, recipient addresses and event logs inside the EEA. The US region (mailgun.net) triggers a transfer covered by Standard Contractual Clauses and the EU US Data Privacy Framework. The Sinch parent company is based in Sweden, fully under GDPR. Some support and billing tools include US providers. Document all of this in the record of processing activities.
Provision the project in the EU region. Sign the Mailgun DPA (under Sinch). Document Mailgun in your record of processing activities with region, retention and legal basis per campaign type. Disable open and click tracking for transactional emails when not strictly needed. For marketing emails, collect consent and provide an easy unsubscribe link. Include a privacy notice paragraph that explains the tracking pixel and the unsubscribe mechanism. Implement DSAR flows that can export and delete recipient data from Mailgun via the API.
Websites using Mailgun must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Mailgun is used for marketing email at scale or to send transactional messages with sensitive content (health, legal, financial). Document the EU region selection, the legal basis for each campaign, the retention period for events and logs (3 to 7 days for content, 30 to 90 days for events depending on plan), the opt out mechanism and the DSAR procedure.
Sample consent text
Our marketing emails are sent through Mailgun. When you open an email, Mailgun loads a small tracking pixel that informs us the email was opened. Links may be wrapped to track clicks. You can disable image loading in your email client to avoid the tracking pixel and unsubscribe at any time using the link at the bottom of each email.
Third-party domains contacted
mailgun.net, api.mailgun.net, api.eu.mailgun.net, email.mg.mailgun.net, events.mailgun.net, app.mailgun.com, app.eu.mailgun.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mg-session | first-party (app.mailgun.com / app.eu.mailgun.com) | Session | Authentication session cookie for the Mailgun control panel used by the customer. Strictly necessary, never set on the public website that the customer operates. |
| mg_csrf | first-party (Mailgun control panel) | Session | Anti CSRF token used by the Mailgun web application. Strictly necessary, only relevant for Mailgun account users. |
No. Mailgun is an email sending API and does not set cookies on a website. Tracking happens inside the email body via an invisible open pixel (email.mg.mailgun.net) and rewritten click links through events.mailgun.net. These artifacts only fire when a recipient opens an email or clicks a tracked link.
For transactional emails Article 6(1)(b) covers the message. For marketing emails consent is required under ePrivacy and national rules. Open and click tracking on marketing emails requires informed consent according to the EDPB and the CNIL.
Article 6(1)(b) GDPR (performance of a contract) for transactional emails. Article 6(1)(a) (consent) for marketing emails and for open/click tracking on marketing campaigns. Article 6(1)(f) (legitimate interest) is possible for transactional delivery monitoring when documented. The customer is the controller, Sinch Email Inc. is the processor.
Provision the project in the EU region (api.eu.mailgun.net) to keep email content, recipient addresses and events in the EEA. The US region (mailgun.net) triggers a transfer covered by SCCs and the EU US Data Privacy Framework. The Sinch parent company is in Sweden.
A DPIA is recommended for large scale marketing email programs or transactional flows with sensitive content. Document the EU region, the legal basis per campaign, the retention period, the tracking configuration and the DSAR procedure.
Pick the EU region at project creation, sign the Mailgun (Sinch) DPA, document the processor in your RoPA, collect consent for marketing emails, disable open and click tracking when not needed, include the tracking disclosure in your privacy notice and provide a clear unsubscribe link.
Other email API providers include SendGrid (Twilio, US), Postmark (US), Amazon SES, SparkPost (Bird), Brevo formerly Sendinblue (France), Mailjet (Sinch), Mailtrap, Resend, Tipimail (FR) and self hosted options like Postal or Haraka.
Mailgun does not need to appear in the website cookie banner because it does not set web cookies. Update the privacy notice to disclose the email tracking pixel (open) and link rewriting (click), with the EU region used and the retention period. Include the unsubscribe and DSAR procedures.