Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
beehiiv is a US based newsletter platform founded in 2021 by former Morning Brew employees and headquartered in New York. It hosts newsletters, subscribe forms and publication websites, with built in monetisation and audience analytics. For European publishers, beehiiv involves transferring subscriber data to the United States and tracking email opens and link clicks, which require consent and a clear privacy notice.
beehiiv is a US based newsletter platform founded in 2021 by former Morning Brew operators and headquartered in New York. It bundles email delivery, hosted publication websites, subscribe forms, monetisation (Boost referral network and ad network), and audience analytics in a single SaaS product. beehiiv runs on AWS US East infrastructure, with Cloudflare in front and SendGrid as the email delivery sub processor.
beehiiv collects subscriber email address, name, IP, opt in source, opens, clicks, browser, country and referral attribution. The embedded subscribe form and hosted publication pages set first party cookies (beehiiv_session, _beehiiv_referrer) for analytics and Boost attribution. Email opens are tracked via a 1x1 pixel and clicks via link wrapping through track.beehiiv.com.
beehiiv is a data processor for newsletter content and a controller for some platform functions (the Boost referral network, internal analytics). The embedded subscribe widget triggers Art. 5(3) ePrivacy because of the first party cookies it sets, so consent or appropriate UI deferral is needed. Subscribing itself is the user''s active opt in. The Boost referral network is a sharing of subscriber data with other publishers and needs an additional, distinct consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Subscription itself relies on the user''s explicit action (entering email, clicking subscribe), so contract or consent applies depending on positioning. Open and click tracking should be disclosed. The Boost network requires explicit consent because it shares the subscriber address with other publishers. Subscribe widget cookies should ideally load only after a generic cookie consent or be configured to use no persistent identifiers.
beehiiv operates exclusively on US infrastructure with no announced EU data centre. Transfers rely on Standard Contractual Clauses, the EU US Data Privacy Framework if beehiiv is certified, and a documented Transfer Impact Assessment. Sub processors (AWS, Cloudflare, SendGrid) add their own data flows.
Sign beehiiv''s Data Processing Agreement, complete a Transfer Impact Assessment, disable the Boost referral network or require explicit additional consent for it, configure the embedded subscribe widget to load after consent, disclose open and click tracking in the privacy notice and the subscribe confirmation, document sub processors (AWS, Cloudflare, SendGrid) and review beehiiv''s sub processor list at least annually.
Websites using beehiiv must obtain user consent under GDPR regulations.
DPIA considerations
beehiiv processes subscriber email, name, IP, opens, clicks and referral data on US infrastructure. Key DPIA considerations: (1) the embedded subscribe widget may set first party cookies before consent if loaded eagerly, beehiiv supports a lazy or post consent load; (2) open tracking pixels and link wrapping process personal data and require a lawful basis; (3) US transfers rely on SCCs and EU US Data Privacy Framework if certified; (4) sub processors include AWS, SendGrid and Cloudflare; (5) the beehiiv Boost referral network may share subscriber data with other publishers, this needs an explicit, granular consent; (6) automation and segmentation rules can produce profiling that should be documented.
Sample consent text
We use beehiiv to publish and send our newsletter. With your consent, beehiiv processes your email address, IP and engagement data (opens, clicks) to deliver the newsletter and measure interest. beehiiv is hosted in the United States, data is transferred under Standard Contractual Clauses and the EU US Data Privacy Framework. You can unsubscribe at any time from any email we send.
Third-party domains contacted
beehiiv.combeehiiv.nettrack.beehiiv.commedia.beehiiv.commail.beehiiv.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| beehiiv_session | Functional | Session | Session cookie used on beehiiv hosted publication pages and the embedded subscribe widget to keep state during a visit. |
| _beehiiv_referrer | Marketing | 30 days | Stores the referrer information used by beehiiv Boost and internal attribution analytics. |
| _beehiiv_subscribed | Functional | 1 year | Stores a flag indicating that the visitor has already subscribed, to avoid showing the subscribe popup again. |
| __beehiiv_analytics | Analytics | 13 months | First party analytics cookie used to measure page views and engagement on beehiiv hosted publication pages. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
beehiiv sets first party cookies on its publication pages and on the embedded subscribe widget, including beehiiv_session (session), _beehiiv_referrer (referral attribution) and an analytics cookie for internal metrics. Email open tracking uses a pixel image, not cookies. Click tracking uses link wrapping through track.beehiiv.com without storing browser state.
The subscribe form is the user's explicit action, but if it loads first party cookies on page load, you need a cookie consent for those non essential identifiers. Configure the widget to load only after consent or use the lightweight variant without analytics cookies. Subscribing itself constitutes the lawful basis for the newsletter.
Consent (Art. 6(1)(a) GDPR) for sending the newsletter to B2C subscribers and for any tracking pixels and cookies. Contract (Art. 6(1)(b) GDPR) for the delivery of the newsletter once the user has subscribed. Legitimate interest (Art. 6(1)(f) GDPR) may apply for very limited B2B promotional emails with a clear opt out.
beehiiv processes data on AWS US East infrastructure in the United States, with no announced EU data centre. EU subscriber data is transferred to the US under Standard Contractual Clauses and the EU US Data Privacy Framework where applicable. Sub processors include AWS, SendGrid for email delivery and Cloudflare for edge.
A DPIA is recommended if you operate a large list, monetise with beehiiv Boost or run highly personalised automations. The DPIA should cover open and click tracking, Boost data sharing with third party publishers, sub processor flows in the US and retention of subscriber engagement history.
Sign the Data Processing Agreement, complete a Transfer Impact Assessment, disable Boost or require explicit additional consent, load the subscribe widget after consent or in a cookie free mode, disclose open and click tracking, document AWS, SendGrid and Cloudflare as sub processors and provide one click unsubscribe.
EU based newsletter platforms include Brevo (France), Mailerlite (Lithuania), CleverReach (Germany), GetResponse (Poland), Newsletter2Go/Sendinblue group and Buttondown (US but minimalist) for technical writers. For full self hosting, Listmonk or Mailtrain remove the cross border transfer issue.
List beehiiv as a sub processor for newsletter sending, name SendGrid for email delivery and AWS/Cloudflare for infrastructure, describe open and click tracking with retention periods, disclose Boost as an optional data sharing requiring separate consent, mention US transfers under SCCs and the EU US Data Privacy Framework, and link beehiiv's privacy notice.