Original: 2026-01-01
Modified: 2026-03-10
<p>Learn how Klaviyo meets its obligations under the GDPR, how we enable our customers to comply with the GDPR, the measures we take to protect customer data, and how we support the lawful transfer and processing of data in the US.</p>
<h5>Note: The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers - and all ecommerce merchants - to seek legal advice on how they specifically should comply with GDPR.</h5>
<h3>Does GDPR apply to companies outside of the EU?</h3>
<p>Yes. The GDPR can apply to any company, regardless of where it’s located, if it handles the personal data of people in the EU, or offers goods or services to individuals in the EU.</p>
<p>That means even if your business is based in the U.S., Canada, Australia, or anywhere else, you might be required to comply with GDPR when marketing to or tracking individuals in the EU.</p>
<h3>Does GDPR apply in the United Kingdom after Brexit?</h3>
<p>Following Brexit, the GDPR has been retained in UK law as the UK GDPR. This version continues to be read alongside the UK Data Protection Act 2018, which sets out the framework for data protection in the UK. The UK GDPR is largely aligned with the EU GDPR, meaning that the same principles and individual rights apply.</p>
<p>Klaviyo is also certified under the UK Extension to the EU-U.S. Data Privacy Framework, which supports lawful transfers of UK personal data to the U.S.</p>
<h3><b>Consent management tools</b></h3>
<p>Klaviyo’s <a>signup forms</a> are designed with GDPR compliance in mind - you can:</p>
<p>- Add granular consent checkboxes, </p>
<p>- Customise messaging, and </p>
<p>- Use geo-targeting to only show forms to EU and UK visitors. </p>
<p>Each form submission is automatically logged with a <a>timestamp and version,</a> giving you a record of consent.</p>
<p>It’s important to keep in mind that as the data controller, you’re responsible for configuring your forms correctly.</p>
<h3><b>Handling of data requests</b></h3>
<p>Klaviyo includes built-in tools to help you respond to <a>common GDPR data rights requests</a>. You can easily:</p>
<p>- Export an individual’s data</p>
<p>- <a>Delete their profile</a></p>
<p>Klaviyo also preserves a list of deleted profiles which provides a record that your business has complied with any deletion requests.</p>
<h3><b>Smart segmentation and suppression</b></h3>
<p>Klaviyo enables you to <a>segment</a> your contacts based on consent status, location, and other profile-based criteria. You can also <a>suppress profiles</a> that have not provided valid consent.</p>
<h3><b>Secure data transfers and agreements</b></h3>
<p>Klaviyo is certified under the EU-U.S. Data Privacy Framework (DPF) and also includes the Standard Contractual Clauses (SCCs) in our <a>Data Protection Addendum</a> (DPA) to support lawful global data transfers. Klaviyo maintains appropriate technical and organisational safeguards, as outlined in its DPA and <a>Trust Center</a>.</p>
<h3><b>Centralisation of data - via Klaviyo’s Customer Data Platform</b></h3>
<p>Klaviyo’s <a>Customer Data Platform (CDP)</a> brings together customer consent, engagement, and transactional data into unified profiles. This makes it easier for you to locate, export, or delete individual data as required. The CDP retains data for as long as you need to maintain it in your account, and then delete it when required, enabling consistent application of your data policies.</p>
<p>Klaviyo has implemented measures to meet its obligations as a Data Processor under the GDPR. We maintain a robust data protection framework that includes:</p>
<ul><li>Data Processing Agreement (DPA): Our DPA governs how we process Customer Personal Data in line with GDPR obligations.</li>
<li>Security and Safeguards: We implement comprehensive technical and organisational measures (TOMs), along with supplementary protections, to ensure data security and integrity.</li>
<li>Data Subject Rights: Klaviyo provides tools to help customers manage GDPR data requests (DSARs).</li>
<li>Sub-processors: Klaviyo requires all sub-processors to meet data protection standards equivalent to those in our Customer DPA.</li>
<li>International Transfers: Klaviyo is certified under the EU-U.S. Data Privacy Framework (DPF) and also includes the Standard Contractual Clauses (SCCs) in our DPA to support lawful global data transfers.</li>
</ul><p>We also continuously monitor global privacy regulations to ensure we stay compliant and keep your customers’ data protected.</p>
<p>While Klaviyo meets its GDPR obligations as a Data Processor, each business is responsible for its own compliance as a Data Controller.</p>