Brevo (formerly Sendinblue) is a French marketing platform providing email campaigns, transactional email, SMS marketing, WhatsApp campaigns, marketing automation, CRM, landing pages, and web push notifications. As a French company with EU infrastructure, Brevo is one of the most GDPR-compliant marketing platforms available — no US data transfers, direct CNIL oversight, and EU data processing as the default. Brevo is the leading European alternative to US platforms like Mailchimp, Klaviyo, and HubSpot.
Brevo (formerly Sendinblue) is a French marketing technology company founded in Paris. It provides email campaigns, transactional email (SMTP API), SMS marketing, WhatsApp marketing, marketing automation, a CRM, landing pages, web push notifications, and Facebook ads integration. Brevo serves over 500,000 businesses globally and is the leading European alternative to US-based marketing platforms like Mailchimp, Klaviyo, and HubSpot. As a French company, Brevo is subject to GDPR and CNIL oversight directly.
Brevo's most significant GDPR advantage is its EU infrastructure. All email, contact, and campaign data is processed and stored within the EU. No Standard Contractual Clauses are required. No Transfer Impact Assessments are needed for the primary data flows. This makes Brevo significantly simpler to use compliantly than US-based alternatives, particularly for organisations with strict data residency requirements.
Despite being EU-based, Brevo email marketing still requires valid GDPR consent for marketing emails to EU contacts. Being EU-hosted does not change the consent requirement for placing emails in inboxes — it only eliminates the transfer complexity. Implement double opt-in, use explicit consent checkboxes, and record consent timestamps. Brevo provides GDPR-compliant signup form features and double opt-in confirmation flows.
Transactional emails sent via Brevo (password resets, order confirmations, account notifications) can rely on legitimate interest or contract performance without separate marketing consent. The key distinction is purpose: emails triggered by user actions to fulfil the service are transactional; emails sent to promote products or re-engage users are marketing and require consent.
Sign the Brevo DPA. Implement double opt-in for marketing lists. Use GDPR-compliant subscription forms with explicit consent checkboxes. Distinguish transactional from marketing emails in your Brevo account. Configure unsubscribe handling and honour opt-outs promptly. Use Brevo's contact deletion API for erasure requests. Add Brevo to your privacy policy as an EU-based processor.
Websites using Brevo must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard Brevo email marketing deployments. It may become relevant for large-scale multi-channel marketing automation combining email, SMS, and WhatsApp data across many EU contacts.
Sample consent text
I agree to receive marketing communications from [Brand] via email and SMS. I understand I can unsubscribe at any time. My data is processed by Brevo, a French company, in accordance with our privacy policy.
Third-party domains contacted
brevo.com, sibautomation.com, sendinblue.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sib_cuid | persistent | 13 months | Brevo visitor identifier for website analytics and contact identification via the Tracker feature |
Yes for marketing emails, SMS, and WhatsApp campaigns. EU infrastructure does not exempt Brevo from consent requirements for marketing communications. Implement double opt-in and use explicit consent checkboxes. Transactional emails may rely on legitimate interest or contract performance.
Yes. Brevo is a French company under CNIL jurisdiction with EU infrastructure. It provides a GDPR-compliant DPA, processes all data within the EU, and does not require SCCs for standard deployments. It is one of the most GDPR-friendly marketing platforms available.
No for standard deployments. All Brevo email, SMS, and contact data is processed and stored within the EU. No Standard Contractual Clauses are required. This is Brevo's primary GDPR advantage over US-based alternatives.
Consent for marketing emails, SMS, WhatsApp campaigns, and push notifications. Legitimate interest for transactional emails triggered by user actions. Contract performance for service-essential communications. The EU infrastructure simplifies compliance but does not change the fundamental consent requirement for marketing.
Create a subscription form in Brevo, enable double opt-in in the form settings, and configure the confirmation email template. Brevo sends a confirmation email; only contacts who click the confirmation link are added to the active list. Brevo records the confirmation timestamp automatically.
Brevo's Tracker feature (for website analytics and contact identification) sets first-party cookies. If enabled, this requires consent under the ePrivacy Directive. Transactional email delivery itself does not require cookies.
Delete the contact in the Brevo contacts database. This removes their email address, attributes, and subscription history. For erasure from transactional email logs, use the Brevo API. Respond to requests within 30 days and document all deletions.
Brevo's EU infrastructure eliminates SCCs, Transfer Impact Assessments, and US transfer disclosure requirements that apply to Mailchimp. Both require consent for marketing emails, but Brevo's French jurisdiction means CNIL guidance applies directly, providing greater regulatory clarity for French and EU organisations.