SendGrid (owned by Twilio) is a US-based cloud email delivery service used for transactional and marketing emails. Developers use SendGrid's API or SMTP relay to send password resets, order confirmations, newsletters, and automated campaigns at scale. For GDPR compliance, the key distinction is that transactional emails may rely on legitimate interest or contract performance, while marketing emails require consent. All data is processed in the US, requiring SCCs.
SendGrid (owned by Twilio since 2019) is a cloud-based email delivery service providing an API and SMTP relay for sending transactional and marketing emails at scale. It is one of the most widely used email infrastructure platforms, processing billions of emails monthly for developers, SaaS products, e-commerce platforms, and enterprise marketing teams. SendGrid provides email analytics (opens, clicks, bounces, spam reports), email validation, and marketing campaign tools.
SendGrid is used for both transactional emails (password resets, order confirmations, account alerts) and marketing emails (newsletters, promotional campaigns). The GDPR legal basis differs: transactional emails may rely on contract performance or legitimate interest, while marketing emails require explicit consent from EU recipients. Configure your SendGrid integration to ensure marketing and transactional emails are clearly separated and routed through appropriate verification flows.
SendGrid's open tracking (1x1 pixel image) and click tracking (link wrapping through SendGrid's servers) constitute personal data processing by linking engagement to individual email addresses. For marketing emails, this tracking is justified by the same consent as the email itself. For transactional emails, tracking should be disclosed in your privacy policy. Consider disabling open tracking for privacy-conscious implementations; it is increasingly blocked by email clients anyway.
All SendGrid data is processed in the US. SCCs are required. Sign the Twilio/SendGrid Data Processing Addendum available from the Twilio Trust Hub. Note that as a Twilio company, the DPA covers SendGrid under the broader Twilio DPA framework.
Sign the Twilio DPA covering SendGrid. Separate transactional and marketing email streams. Obtain and record valid consent from marketing email recipients before adding them to SendGrid. Disclose email tracking in your privacy policy. Implement unsubscribe handling with List-Unsubscribe headers. Use SendGrid's suppression list management to honour opt-outs. Process erasure requests by removing contacts from SendGrid's contact database.
Websites using SendGrid must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard SendGrid transactional email use. It may become relevant for large-scale email marketing programmes combining SendGrid with extensive behavioural tracking and personalisation at individual level.
Sample consent text
Emails from this service are delivered via SendGrid (Twilio), a US email delivery platform. Transactional emails (account notifications, order confirmations) are sent based on your service relationship. Marketing emails are sent only with your consent. See our privacy policy for details.
Third-party domains contacted
sendgrid.com, sendgrid.net, api.sendgrid.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __sg_ | persistent | 1 year | SendGrid email engagement tracking cookie linking email clicks to recipient identities for campaign analytics |
Yes. Marketing emails sent via SendGrid to EU contacts require valid consent: freely given, specific, informed, unambiguous. Ensure recipients opted in through a GDPR-compliant process before adding them to SendGrid marketing lists.
Generally no. Transactional emails triggered by user actions (password resets, order confirmations, account alerts) may rely on contract performance or legitimate interest. Disclose SendGrid in your privacy policy as the email delivery processor.
Yes. All SendGrid processing occurs on US infrastructure. SCCs are required. Sign the Twilio Data Processing Addendum covering SendGrid, available from the Twilio Trust Hub at twilio.com/en-us/legal/privacy/gdpr.
Open tracking (pixel image) and click tracking (link wrapping) for marketing emails are covered by the marketing consent. For transactional emails, tracking should be disclosed in your privacy policy. Consider disabling open tracking as it is increasingly blocked by email clients.
Use SendGrid's Unsubscribe Group feature to manage subscription preferences. Include a List-Unsubscribe header in all marketing emails. Process unsubscribe requests from SendGrid webhooks and update your contact database to honour opt-outs within 10 business days.
Contract performance for transactional emails. Legitimate interest for service notifications. Consent for marketing emails and newsletters. The legal basis follows the purpose of the email, not the delivery platform.
Delete the contact from SendGrid Marketing Campaigns contact lists. Add the email address to SendGrid's global suppression list to prevent future emails. For transactional email logs, use the SendGrid API to delete email activity records. Respond within 30 days.
Brevo (formerly Sendinblue, France) provides transactional email API and marketing email with EU data residency. Mailjet (France) provides a comparable transactional and marketing email API with EU infrastructure. Both are strong GDPR-compliant SendGrid alternatives.