Lemlist (by French company Lempire) is a cold email outreach platform used by sales teams to send personalised email sequences, automate follow-ups, and track opens and clicks. Headquartered in Paris with EU primary infrastructure, Lemlist is one of the more privacy-friendly options in its category. However, cold outreach itself raises significant GDPR and ePrivacy concerns: lawful basis for unsolicited B2B contact, tracking pixel cookies, and the documentation of sources for prospect data.
Lemlist is a cold email outreach platform built by Lempire, a French software company. It lets sales teams import prospect lists, design personalised email sequences with dynamic placeholders and images, schedule automated follow-ups based on opens/clicks/replies, and integrate with CRMs. Lemlist hosts its primary infrastructure in the EU.
Each email sent via Lemlist can include a 1x1 tracking pixel and rewritten click-tracking URLs. When opened, the pixel logs IP, User-Agent and timestamp; when clicked, the link records the destination URL. Lemlist landing pages also use cookies for visitor identification.
For B2B prospects in most EU countries, legitimate interest (Art. 6(1)(f)) is the usual basis, provided a balancing test is documented and an easy opt-out is offered. For B2C contacts and in countries like Germany and Austria, prior opt-in is generally required (TKG, UWG). The source of the email list must be transparent and lawful (no scraping without notice). Always honour the right to object immediately.
Lempire processes data primarily on European infrastructure (AWS eu-west-3 Paris). Some sub-processors for email delivery, support and analytics may be in the US; their use is covered by SCCs in the Lemlist DPA. The EU-first architecture is a major compliance advantage over US competitors like Outreach or Salesloft.
1. Sign Lemlist DPA.
2. Document email list sources and lawful basis per source.
3. Run a balancing test for legitimate interest and store it.
4. Include opt-out in every email and honour replies.
5. Maintain a suppression list.
6. Consider disabling open tracking in DE/AT to reduce risk.
7. Map sub-processors.
8. For prospects in non-EU countries, check national anti-spam rules.
1. Source verified.
2. Balancing test documented.
3. Opt-out in every email.
4. Suppression list active.
5. Right to object handled within 30 days.
6. Lemlist DPA signed.
7. Privacy notice updated with Lemlist disclosure.
8. National rules checked per recipient country.
Websites using Lemlist must obtain user consent under GDPR regulations.
DPIA considerations
Lemlist processes prospect contact data (name, email, company, role), email content, open/click events (with IP and User-Agent), reply tracking and engagement scoring. Key DPIA considerations: (1) the lawfulness of cold prospecting depends on whether contacts are B2B or B2C and on national variations; (2) Lemlist's open and click tracking pixels are non-essential and require a lawful basis; (3) source documentation: where did the email addresses come from (LinkedIn scraping, lead lists, opt-in forms)? Each source has different lawfulness; (4) right to object and right to erasure must be honoured promptly; (5) ePrivacy national law in DE/AT often requires opt-in for any commercial email, even B2B.
Sample consent text
We use Lemlist (Lempire, France) to send our business communications. We process your name, professional email and role on the basis of our legitimate interest in B2B prospecting; you can object at any time by replying to the email or via privacy@<company>.com. Our emails may include tracking pixels to measure engagement; you can disable image loading in your email client to block them.
Third-party domains contacted
tracking.lemlist.com, lemlist.com, app.lemlist.com, click.lemlist.com, track.lemlist.com, images.lemlist.com, cdn.lemlist.com, api.lemlist.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| lemlist tracking pixel | Tracking pixel (1x1 image) | No persistent storage | Invisible image inserted in outbound emails; loaded from a lemlist domain when the recipient opens the email, used to record open events and approximate geolocation from the request IP. |
| lem_session | Functional | Session | Maintains the visitor session on Lemlist-hosted landing pages. |
| lemlist link redirect | URL redirection | No persistent storage | Outbound links rewritten through a lemlist redirect domain to attribute click events to the campaign and recipient. |
| lem_visitor | Marketing | 1 year | Persistent visitor identifier used to recognise returning prospects and attribute conversions. |
| tracking_pixel (in emails) | Marketing | N/A | A 1x1 image embedded in each outbound email which signals open events when the recipient loads images. |
lemlist does not place cookies on your website by default. Inside outreach emails it adds a tracking pixel and rewrites outbound links through a lemlist redirect domain to measure opens and clicks. These behaviours fall under Art. 5(3) ePrivacy in most EU member states.
On landing pages: lem_session, lem_visitor. Emails include a 1x1 tracking pixel. Apart from essential session cookies, all of these are non-essential.
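To check what a given campaign email actually embeds, the HTML part can be audited for the pixel and the rewritten links described above. This is an added example, not lemlist's or this page's own code: the hostnames come from the "Third-party domains contacted" list on this page, while the sample email, its URL paths and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames taken from this page's "Third-party domains contacted" list.
LEMLIST_HOSTS = {
    "lemlist.com", "tracking.lemlist.com", "app.lemlist.com", "click.lemlist.com",
    "track.lemlist.com", "images.lemlist.com", "cdn.lemlist.com", "api.lemlist.com",
}

def is_lemlist_host(url):
    """True if the URL's host is a listed host or another subdomain of lemlist.com."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host in LEMLIST_HOSTS or host.endswith(".lemlist.com")

class TrackerAudit(HTMLParser):
    """Collects tracking pixels and rewritten links found in an email's HTML part."""
    def __init__(self):
        super().__init__()
        self.pixels, self.redirects = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and is_lemlist_host(a.get("src", "")):
            # A pixel is typically 1x1 (or 0x0) or hidden via inline CSS.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            self.pixels.append({"src": a["src"], "invisible": tiny or hidden})
        elif tag == "a" and is_lemlist_host(a.get("href", "")):
            self.redirects.append(a["href"])

def audit_email_html(html):
    """Return the lemlist-hosted images and redirect links present in the body."""
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return {"pixels": parser.pixels, "redirects": parser.redirects}

# Constructed sample body; the paths and query parameters are made up.
SAMPLE_HTML = """
<html><body>
<p>Hi Ana, <a href="https://click.lemlist.com/r/EXAMPLE?to=https%3A%2F%2Fexample.org%2Fdemo">book a demo</a>
or visit <a href="https://example.org/pricing">our pricing</a>.</p>
<img src="https://example.org/logo.png" width="120" height="40">
<img src="https://track.lemlist.com/o/EXAMPLE.gif" width="1" height="1" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    print(audit_email_html(SAMPLE_HTML))
```

Hosts outside this list are not flagged, so extend the set with any other tracking hostname your campaigns use.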
For B2C contacts, prior opt-in consent is required under Art. 13 ePrivacy. For B2B prospecting in Europe, several authorities (CNIL in France, ICO in the UK, AEPD in Spain) accept legitimate interest under strict conditions: professional purpose, role relevance, easy opt-out, and lawful data source. In Germany, the UWG is stricter and typically requires soft opt-in.
For B2B in most EU countries, legitimate interest is the basis. For B2C and DE/AT, opt-in is generally required.
Consent (Art. 6(1)(a) GDPR) for B2C. Legitimate interest (Art. 6(1)(f) GDPR) is possible for B2B subject to a Legitimate Interest Assessment. The Art. 14 GDPR notice must be sent within one month of collecting the contact.
Legitimate interest with documented balancing for B2B; consent for B2C and stricter jurisdictions.
Not for the lemlist core product, which is hosted on AWS Frankfurt and Dublin. Limited transfers may occur via sub-processors (for example Stripe for payments). Where transfers happen, Standard Contractual Clauses are in place.
Primary processing in France (EU). Some sub-processors in the US, covered by SCCs in the Lemlist DPA.
A formal DPIA under Art. 35 GDPR is generally not mandatory for small to medium outreach databases, but it is recommended when prospecting at scale, when enriching data from third parties, or when combining outreach with behavioural scoring.
Streamlined DPIA recommended, particularly when list size is large or sources are mixed.
Source contacts lawfully, document the legitimate interest assessment, send the Art. 14 GDPR notice in the first message, include a one-click unsubscribe in every email, respect short retention (around 3 years after last activity), sign the lemlist DPA, and keep an audit trail of contact origin.
Document sources, balancing test, opt-out in every email, suppression list, honour right to object within 30 days, DPA signed.
EU-friendly: Woodpecker (Poland), Reply.io (Ukraine, EU options), Mailshake (US, EU options). Lemlist remains the strongest EU-native choice.
European alternatives include La Growth Machine (France), Woodpecker (Poland), MailReach and Smartlead. US alternatives include Outreach, Salesloft, Apollo.io, Reply.io and Instantly.
lemlist does not require website cookie disclosure by default. Update your privacy policy and prospecting notice to mention lemlist as a processor, the EU hosting, the data categories, the retention period, the legal basis and the right to object.
Disclose Lemlist as processor (France), describe lawful basis and tracking pixels, link to right to object.