Sendinblue is a French email marketing, SMS, automation and CRM platform that rebranded as Brevo in 2023. The company is headquartered in Paris with data centres in France and Germany. Sendinblue covers transactional emails, newsletters, marketing automation, landing pages, web tracking and live chat, with a strong focus on GDPR compliance for European customers.
Sendinblue, rebranded as Brevo in 2023, is a French email marketing and CRM platform founded in 2012 and headquartered in Paris. The product covers newsletter campaigns, transactional emails (SMTP and API), SMS and WhatsApp marketing, marketing automation, landing pages, signup forms, web tracking and live chat (Brevo Conversations). On a public website, Sendinblue appears as embedded signup forms, the tracker script and optionally the Conversations widget.
The Sendinblue tracker sets first-party cookies (sib_cuid, sib_session) to link page views to a contact record, which enables automation flows such as abandoned cart, score updates or behavioural newsletters. The platform stores contact data (email, name, custom attributes, double opt-in proof), email engagement events (opens, clicks, bounces) and transactional metadata. Brevo Conversations chat sets its own cookies to maintain a live conversation across pages.
Web tracking cookies set by sib_tracking.js fall outside strict necessity and require consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive before loading. Transactional emails sent to authenticated customers (order confirmations, password resets) rely on performance of a contract under Article 6(1)(b) GDPR. Newsletter subscriptions remain consent-based, and Sendinblue stores proof of opt-in to satisfy GDPR accountability.
Sendinblue SAS (Brevo SA) is headquartered in Paris and stores customer data on EU infrastructure: OVHcloud data centres in France and AWS Frankfurt in Germany. Email delivery flows stay within the European Union. Some support tools and operational sub-processors can be located outside the EU; transfers, when they occur, rely on the Brevo Data Processing Addendum and the EU Standard Contractual Clauses under Article 46(2)(c) GDPR.
Sign the Brevo Data Processing Addendum, use double opt-in for every newsletter list, store opt-in proofs in the contact record, configure the tracker to load only after consent through a consent management platform, set retention rules for inactive contacts and bounced emails, and document Brevo as a processor in your record of processing activities. Mention the EU data centres and the consent-based legal basis in the privacy notice.
Websites using Sendinblue (Brevo) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Sendinblue stores large volumes of contact data with sensitive segments (health, finance, religion, political opinions), when it powers automated campaigns based on detailed behavioural profiling, or when SMS and WhatsApp channels target EU minors.
Sample consent text
We use Sendinblue (Brevo), an email marketing platform operated by Sendinblue SAS in Paris, France. The Sendinblue tracker on this site sets cookies (sib_cuid, sib_session) and links your interactions on the website to your contact record. Sendinblue stores your data on EU servers (France and Germany). By accepting, you allow this tracking and the related processing under GDPR Article 6(1)(a).
Third-party domains contacted
sendinblue.com, brevo.com, sibautomation.com, t.sendinblue.com, r.sendinblue.com, app.brevo.com, sibforms.com, r.sib2.com, ymlp.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sib_cuid | Marketing | 13 months | Sendinblue persistent customer identifier set on the publisher domain to track a contact across sessions. |
| sib_cuid | First party (Sendinblue / Brevo tracking) | 1 year | Anonymous visitor identifier used by the Sendinblue tracking JavaScript and the marketing automation events |
| sib_cuid | Analytics (Sendinblue tracker) | 1 year | First party cookie set by sib_tracking.js to assign a unique visitor identifier. Used to link page views to a Brevo contact record for automation and segmentation. |
| sib_evt | First party (Sendinblue / Brevo tracking) | Session | Session level event tracking cookie used by the marketing automation flows |
| sib_lid | Marketing | 13 months | Sendinblue lead identifier created when a contact submits a form or is recognised in marketing automation workflows. |
| sib_session | Analytics (Sendinblue tracker) | Session | First party session cookie set by sib_tracking.js to group page views into a coherent visit for behavioural triggers. |
| sib_chat_session | First party (Brevo Conversations chat widget) | Session | Stores the current chat conversation when the Brevo Conversations widget is embedded |
| PHPSESSID | Functional | Session | PHP session cookie used by the Sendinblue tracker to maintain server side state during a session. |
| __sib_user | Functional (Conversations) | 6 months | Used by Brevo Conversations to remember the visitor between chat sessions and resume the conversation history. |
| sib_tracker_enabled | Marketing | 13 months | Flag set when the Sendinblue tracker is initialised, indicating that web events are being collected. |
| sib_form_submitted | First party (Brevo subscription form) | 30 days | Avoids displaying the same subscription popup form to a visitor who already submitted it |
| _brevo_visitor_id | Marketing | 13 months | Brevo visitor identifier used when the legacy Sendinblue tracker is replaced by the newer Brevo tracker. |
The tracker drops first-party cookies on the publisher domain: sib_cuid (Sendinblue customer ID), sib_lid (lead ID) and PHPSESSID. Brevo also sets sib_tracker_enabled when the tracker is loaded. The tracker uses localStorage to queue offline events.
The Sendinblue (Brevo) tracker sets first-party cookies named sib_cuid (visitor identifier) and sib_session (session identifier). Brevo Conversations chat sets its own session cookies for live chat continuity. Embedded forms set strictly necessary cookies during submission.
The Sendinblue tracking JavaScript writes sib_cuid (1 year, anonymous visitor identifier), sib_evt (session, event tracking) and local storage entries for the chat widget. Email open tracking uses a 1x1 pixel from t.sendinblue.com (no cookie). Link tracking rewrites URLs via r.sendinblue.com.
Yes for the web tracker and behavioural automation. The sib_tracking.js script must load only after consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive. Transactional emails to authenticated customers do not require consent because they rely on the performance of the contract.
Yes for the website tracking JavaScript (sib_cuid cookie) and for email marketing. Transactional emails (order confirmations, password resets) do not require marketing consent under the contract basis. The CNIL recommends double opt in for the subscription form.
The tracker is not strictly necessary, so prior consent is required under Article 5(3) of the ePrivacy Directive. Marketing emails require consent under Article 6(1)(a) GDPR and the ePrivacy Directive. Transactional emails strictly necessary to a service contract can rely on Article 6(1)(b) GDPR.
Consent under Article 6(1)(a) GDPR for marketing newsletters, web tracking and SMS marketing. Performance of a contract under Article 6(1)(b) GDPR for transactional emails. Legitimate interest under Article 6(1)(f) GDPR for fraud prevention, bounce management and platform security.
Consent (Article 6(1)(a) GDPR) for prospects, with double opt-in and proof storage. Soft opt-in is allowed for existing customers receiving similar products under PECR-equivalent national laws.
Consent (GDPR art. 6(1)(a)) for marketing emails and the tracking pixel. Contract (art. 6(1)(b)) for transactional emails. Legitimate interest (art. 6(1)(f)) for B2B prospecting under the soft opt in or for the CRM contact records.
Production data stays in France and Germany. Some Brevo sub-processors (Twilio for SMS, Amazon SES, analytics) may involve transfers under EU SCCs. Review the sub-processor list and document the chain in your records.
No for the core customer data. Sendinblue hosts on AWS Frankfurt and Dublin. Limited transfers to support staff in India, Canada and the United States are covered by SCC 2021. The platform avoids US sub-processors for the core flows.
Sendinblue stores customer data in OVHcloud data centres in France and AWS Frankfurt in Germany. Email delivery infrastructure operates within the EU. Sendinblue does not transfer customer data outside the EU as part of its core service, which makes the SCC requirement minimal for European publishers.
Recommended when the tracking pixel, marketing automation events or CRM scoring are activated. The DPIA should document EU hosting, the consent flow, the marketing automation retention and any third party integration.
A DPIA is recommended for large scale behavioural automation (over 100,000 profiles), enrichment with web tracking, sensitive sectors (health, finance) or when Brevo Lookalike Audiences sync with advertising platforms.
A DPIA is recommended for large EU contact databases with sensitive segments (health, finance, political opinions), for advanced behavioural automations and for SMS or WhatsApp campaigns aimed at minors or vulnerable audiences. For a small newsletter list of EU contacts a DPIA is generally not required.
Implement a double opt-in subscription with a clear consent text mentioning Brevo, sign the Brevo DPA, gate the tracking JavaScript behind marketing consent, segment B2B and B2C lists, document the chain in your record of processing and route DSAR via the Brevo Privacy Center.
Use double opt-in. Store consent proof. Block the tracker behind your CMP. Provide one-click unsubscribe. Honour Subject Access and Erasure via the data subject API. Sign the Brevo DPA with EU SCCs for non-EU sub-processors.
Sign the Brevo Data Processing Addendum, use double opt-in on every list, store opt-in evidence in the contact record, load the web tracker only after consent through a consent management platform, set retention rules for inactive contacts and bounced emails, and document Brevo as a processor in your record of processing activities.
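An added example (not Brevo's or this page's own code): a check that the consent gate described above actually holds, run over cookies and request URLs captured before the visitor made any consent choice. The capture format and sample values are assumptions; the cookie names and domains are those listed on this page, and because the page does not say which domain serves the tracker, every listed domain is reported for review.

```javascript
// Tracker cookies: rows the page's table types as Marketing, Analytics or tracking.
const TRACKER_COOKIES = new Set([
  'sib_cuid', 'sib_session', 'sib_evt', 'sib_lid',
  'sib_tracker_enabled', '_brevo_visitor_id',
]);
// Base domains taken from the page's "Third-party domains contacted" list.
const BREVO_DOMAINS = ['sendinblue.com', 'brevo.com', 'sibautomation.com',
  'sibforms.com', 'r.sib2.com', 'ymlp.com'];

// Extract cookie names from a document.cookie style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// True when host is a listed domain or a subdomain of one. Matching on the
// dot boundary keeps look-alikes such as "notbrevo.com" out of the results.
function isBrevoHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return BREVO_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// capture = { cookies, requests }, recorded before the visitor made any
// consent choice (hypothetical capture format, e.g. exported from a browser).
function auditPreConsent(capture) {
  const findings = [];
  for (const name of cookieNames(capture.cookies)) {
    if (TRACKER_COOKIES.has(name)) findings.push({ kind: 'cookie', value: name });
  }
  for (const raw of capture.requests) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // skip malformed URLs
    if (isBrevoHost(host)) findings.push({ kind: 'request', value: host });
  }
  return findings;
}

// Constructed sample capture, not real traffic.
const SAMPLE = {
  cookies: 'PHPSESSID=abc123; sib_cuid=constructed-id; theme=dark',
  requests: ['https://shop.example/app.js', 'https://sibautomation.com/',
    'https://notbrevo.com/pixel.gif', 'not a url'],
};

console.log(auditPreConsent(SAMPLE));
```

An empty result on a pre-consent capture is the expected state; any finding means the tracker or one of its cookies is present before the consent management platform released it.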
EU-first alternatives: Mailjet (France, Mailgun group), Sarbacane (France), GetResponse (Poland), CleverReach (Germany), Rapidmail (Germany), MailerLite (Lithuania), ActiveTrail (Israel). US options with EU residency: HubSpot (US), Klaviyo (US), Mailchimp Intuit (US). Brevo, Mailjet and CleverReach are the most EU-centric.
Mailjet (Sinch group, French data centres), Sarbacane (French), SendGrid (US), Mailchimp (US), Klaviyo (US), ActiveCampaign (US) or fully open-source self-hosted alternatives such as Listmonk, Mautic and Mautic Cloud. The EU-based options reduce transfer risk.
European alternatives include Mailjet (France, Sinch group), Mailchimp with EU residency (US owned), Klaviyo (US), MailerLite (Lithuania), CleverReach (Germany), Newsletter2Go and Sarbacane (France). The right choice depends on volume, automation needs and the depth of CRM integration.
List the sib_cuid, sib_lid and PHPSESSID cookies with their domain, duration and purpose. Mention Brevo (Sendinblue SAS) as processor in the privacy notice. Describe the EU hosting and any sub-processor transfers. Link to the Brevo privacy policy.
List Sendinblue SAS (Paris) as the processor, declare the sib_cuid and sib_evt cookies with retention, mention the email open and click tracking pixels, confirm the EU hosting, link to the Brevo Privacy Policy and provide a DSAR contact.
List Sendinblue SAS (Brevo SA) as a processor for email marketing, identify the tracking cookies (sib_cuid, sib_session), describe the conversation cookies if the chat is enabled, mention the EU data centres (France and Germany) and link to the Brevo Privacy Policy. SCCs are typically not needed for the core service.