Last update: October 1st 2025
Table of contents
- Introduction
- WHO IS THE DATA CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA?
- WHAT IS THE SCOPE OF THIS POLICY?
- FOR WHAT PURPOSES IS YOUR PERSONAL DATA COLLECTED AND PROCESSED?
- SOURCE OF COLLECTION
- WHICH PERSONAL DATA CAN YOU PROVIDE WITHIN FREE TEXT/DATA SLOTS?
- TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
- DOES BREVO TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA?
- WHAT ARE YOUR RIGHTS WITH RESPECT TO THE PROCESSING OF YOUR PERSONAL DATA?
- HOW TO CONTACT OUR DATA PROTECTION OFFICER ?
- CHILDREN’S PRIVACY
- USA SPECIFIC NOTICE
- CONSENT TO DATA TRANSFERS
- DATA SECURITY
- ADDITIONAL TERMS REGARDING THE USE OF THE INBOX FEATURE
- THIRD PARTY WEBSITES
- CHANGES TO THIS PRIVACY POLICY
- DEFINITIONS
Introduction
The protection of your privacy and your personal data is a priority for Brevo and all of the entities within the group (“Brevo” or “we” or “our” or “us”). The terms with capital letters that are not defined in this Policy shall have the meaning assigned to them in the Brevo Terms.
Brevo only collects, uses, retains, and shares Personal Data as is adequate and relevant to the specific, express purposes described below or as reasonably necessary and proportionate to (i) provide the Services or for (ii) other purposes that we disclose to you. We work to ensure that our privacy practices are compatible with the context of how we collected your Personal Data in the first place.
The types of Personal Data we collect and how it is used depends on how you interact with us, such as a Website visitor, a Brevo customer using the Services or representative of a customer or as a Customer’s contact or recipient. Therefore, this privacy policy (the “Policy”) applies to:
- All users and representatives of Brevo’s Customers (the “Customers”);
- The contacts (recipients of electronic communications, contacts of sales opportunities, registered clients etc.) uploaded on the Software by Brevo’s Customers and/or collected via the Software by Brevo’s Customers (the “Contacts”) when their data are not processed by Brevo on behalf of its Customers;
- All visitors of Brevo’s website (“Website Users”), i.e. https://fr.Brevo.com (the “Website”).
(together also referred to as “you” or “your”).
This Policy aims to inform you in a clear and comprehensive manner of the processing of your personal data carried out in accordance with the privacy laws that apply to us, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) and any applicable domestic privacy legislations.
This Policy may be updated at any time as a result of, among others, legal, technical or commercial changes. In such cases, Brevo will take appropriate measures to inform you of such changes, where they are significant. We recommend that you refer to this Policy regularly to ensure that you are aware of the latest version. Brevo Customers may use the information contained in this Policy to provide necessary information to the Contacts. You accept this Privacy Policy and consent to Brevo’s collection, use, and disclosure of your information as described below by accepting this Privacy Policy where given the opportunity or by using or accessing our Services in any manner. If you do not agree with this Privacy Policy, do not use our Services.
To know more about the concepts of “personal data”, “data subjects”, “controller”, processor”, “processing”, “purpose”, “GDPR” and more, please read the section “Definitions” at the end of this Policy.
WHO IS THE DATA CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA?
The entity of the Brevo group acting as a data controller for the processing of your personal data (i.e., determining the purposes and means of the processing of your personal data) for the processing described in Section 3 of this Policy is the Brevo entity with which you have a contract and in case you have subscribed to a paying plan, the company which is invoicing your organization. Depending on your location, the data controller may be Sendinblue France (SAS), Sendinblue North-America (Inc.) or Sendinblue Germany (GmbH).
The parent company of the Brevo group Sendinblue,a French société par actions simplifiée, whose registered office is located at 17 rue Salneuve, 75017 Paris, France, registered in the Paris Trade and Companies Register under number 498 019 298. Sendinblue is doing business as Brevo.
WHAT IS THE SCOPE OF THIS POLICY?
If you are a Contact, please note that Brevo is acting as data controller only for the specific purposes described in the Section 3 of this Policy. For all other processing that involve your personal data (storage of content, sending of emails, creation of statistics on behalf of Customers, etc.), Brevo does not act as a data controller meaning that it has no influence and does not decide on such processing of your personal data (please be reminded in this regard that Brevo does not send electronic communications on its own behalf but only on behalf and under the instructions of its Customers, except where detailed in Section 3) and, therefore, this Policy may not apply. Brevo will act for these other processing as a data processor and our Customers are acting as data controllers and are the sole entities that can ensure the proper exercise of your rights described in Section 8 (11 for the US) of this Policy (deletion, access, limitation etc.). To learn more about how our Customers process your personal data as data controllers and how you can exercise your rights with them, please see their own privacy policy. If you want to know about how we process personal data as a data processor, please refer to our Data Processing Agreement.
Brevo proposes optional specific apps/features through its Software (WhatsApp Messages, Facebook Ad, Google Fonts & Google ReCAPTCHA, Cloudflare Turnstile, OpenAI…) the list of which can be found in our Terms and Conditions. These apps/features are provided by third-party providers that Brevo does not control and towards which it does not provide any specific warranty. Therefore, for processing carried out for the provision and in the context of such apps/features, Brevo is not liable and the third-party providers act in accordance with the qualification that their policies / terms and conditions provide. If you wish to use those features, we strongly recommend you to read to the relevant privacy policy of each third-party provider to know more about the processing of your personal data.
If you have any questions, please do not hesitate to contact us through the contact details indicated in Section 9 of this Policy (11 for the US). We will do our best to help you and answer any question you may have.
FOR WHAT PURPOSES IS YOUR PERSONAL DATA COLLECTED AND PROCESSED?
Brevo collects and processes personal data that is relevant, adequate, not excessive and strictly necessary for the purposes pursued.
You will find below a table listing the relevant information related to the processing of personal data, where Brevo acts as a data controller, and in particular:
- The different purposes of the processing operations;
- The categories of personal data collected;
- The legal basis on which we rely to carry out the processing;
- How long we keep your personal data.
In addition to the purposes specified here above, Brevo may use your Personal Data to:
- Monitor your compliance with any of your agreements with us;
- Protect your privacy and enforce this Privacy Policy;
- If we believe it is necessary, to identify, contact, or bring legal action against persons or entities who may be causing injury to you, to us, or to others;
- Comply with a law, regulation, legal process, or court order;
- Fulfill any other purpose to which you consent.
SOURCE OF COLLECTION
We collect Personal Data from the following sources and use that information as described below:
- Directly from you when you contact us or place an order. If you contact us via the Site or by email, phone, or other means to request information or support, we will collect your name, contact information, and employment-related information as needed to respond to your inquiry. If you place an order with us, we will use a PCI-compliant payment processor to collect and process your payment information. You may opt-in to save your payment information for future orders, but this is not required. We collect this information with your consent, and we use it to respond to your inquiries, communicate with you about your order status, or for the purposes stated at the time of collection.
- Directly from you when you create a Customer account. If you create a Customer account, we will collect your name, email address, company name, and require you to choose a password to login. We collect this information with your consent, and we use it to provide the Services, identify and administer your account, and communicate with you about the Services. You have the right to opt-out of communications from us, but you cannot opt out of communications that we send you regarding your account.
- From our Customers about their Contacts. Brevo Services enables Customers to promote their brands through email, SMS, chat, and other types of marketing communications. Customers may choose to input their Contacts’ Personal Data into the Services to send them marketing communications. We collect Contacts’ Personal Data to fulfill our contractual obligations as a service provider to the Customer. A Customer’s processing of Contacts’ Personal Data via the Services is subject to the Customer’s privacy practices, not ours. Brevo is not responsible for any Customer’s compliance with applicable privacy laws, or a Customer’s obligations related to their Contacts’ privacy rights.
- Automatically from you when you visit the Website. When you visit our Website or use our Software, we automatically collect data about your internet activity such as your IP address, internet service provider description, information about the type of device used to access our Site, and browser information. Like most online services, the Site and Software use cookies as described in our Cookie List: https://www.brevo.com/legal/cookies/. We collect this information to achieve our legitimate interest of facilitating online communication or when it is strictly necessary to provide an online Service. We use this information to help diagnose problems with and secure our servers, to administer the proper functioning and legitimate use of our Site, generate analytics and statistics. With your prior consent, we also use that information to improve the nature and marketing of the Services. The Customer warrants that it will provide all necessary information to the relevant natural persons, and obtain all necessary consents from them, as required by applicable data protection and electronic communication laws, in order to allow Brevo to lawfully deploy cookies and similar tracking technologies and to lawfully collect data from the devices of Contacts and Service Users. These tracers might include pixels and web beacons. The exact list of cookies and tracking devices is available https://www.brevo.com/legal/cookies/.
Brevo will update this Privacy Policy or otherwise notify you before we collect additional categories of Personal Data from consumers or use such Personal Data for purposes that are incompatible with the purpose stated at the time of collection.
WHICH PERSONAL DATA CAN YOU PROVIDE WITHIN FREE TEXT/DATA SLOTS?
Brevo collects and processes only relevant, adequate, not excessive and strictly necessary personal data for the purposes listed in Section 3 of this Policy. In order for Brevo to provides this guarantee, please be careful to only provide relevant personal data within the free text/data slots which are on Brevo’s Website or Software (i.e., factual data, relating to Brevo’s services and having a direct link to the object/purpose of the free text slot concerned). This recommendation extends to the upload feature that allows Customers to upload any data on the Software.
Whether or not the provision of your personal data is mandatory will be indicated to you at the time of collection of such personal data, (for example, where fields are marked with an asterisk). Where you do not provide personal data that is identified as mandatory, Brevo may not be able to reply to your request and/or to provide you with its services.
TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
Brevo will only share your personal data in certain circumstances and in accordance with the provisions of the applicable regulations. Brevo discloses your personal data only to identified and authorized recipients, as described below. All recipients processing your personal data are subject to confidentiality obligations.
Brevo discloses your personal data to:
- Internal authorized employees who need to process your personal data for the purposes specified in Section 3 of this Policy, i.e.:
- Customer support department.
- Commercial/marketing department.
- Data and deliverability department.
- Accounting department.
- Human resources department (for job applicants)
- External recipients:
- Government Agencies: Occasionally Brevo may be required by law enforcement or judicial authorities to provide Personal Data to governmental authorities. We fully cooperate with law enforcement agencies in identifying those who use our Services for illegal activities. Brevo reserves the right to disclose Personal Data to law enforcement and other governmental agencies, at our sole discretion in connection with an investigation of any matter that is illegal or that could expose Brevo or our affiliates to liability.
- In some cases, we may allow specific cooperating entities to use cookies or similar technologies to collect non-personal data from your browser or device for measurement purposes. Receipt and use of such information are subject to each cookie information recipient’s Privacy Policy.
- Affiliates and Third Parties: We may disclose the Personal Data we collect about you to our affiliates like a parent company or subsidiaries. For example, we share Personal Data for Customer support purposes, marketing, or technical operations. Under specific circumstances, we may disclose Personal Data to certain third parties as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or asset sale); to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.
- Service Providers: Brevo uses a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. may have access to Personal Data as needed to perform their contractual obligations to us. We prohibit our service providers from selling or disclosing the Personal Data we provide, and we require all service providers to maintain confidentiality standards and appropriate technical and organizational measures to ensure the security of your Personal Data. Examples of service providers :
- Service providers editing and managing our ticketing and support tool;
- Hosting service and infrastructure providers for the Website and the Software ;
- Service providers for outsourced services (for instance, SMS sending);
- Service providers for security and fraud detection in order to avoid fraud/phishing/spamming;
- Third-party providers performing the optional third-party features available on the Software (Google Fonts & reCAPTCHA, Cloudflare Turnstile, WhatsApp Messages, OpenAI etc.);
- Service providers monitoring Customer’s experience to improve the Software;
- Service providers used to run the Expert Program and the attribution of commissions.
All Brevo Subprocessors are listed as part of the Data Processing Agreement.
In addition, your personal data may be shared with third parties in response to judicial or administrative proceedings of any kind or to law enforcement measures requested by the competent authorities.
DOES BREVO TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA?
IYour personal data may be transferred to countries which do not offer an adequate level of protection and have not been recognized as adequate country by an adequacy decision from the European Commission (list available here) and more precisely, in particular to the United States of America and India.
When your personal data is transferred to one of these countries, Brevo will ensure an adequate level of protection through appropriate safeguards and measures.
You may obtain a summary or excerpt of these warranties at any time: to do so, please contact Brevo as specified in Section 9 of this Policy (11 for the US).
WHAT ARE YOUR RIGHTS WITH RESPECT TO THE PROCESSING OF YOUR PERSONAL DATA?
In accordance with the applicable regulations, you have the following rights with respect to your personal data:
- If your personal data has been processed with your consent, you are entitled to withdraw your consent at any time without affecting the consent given prior to the withdrawal (see the table in Section 3 of this Policy to understand which processing are based on your consent).
- You have the right to access and obtain a copy of the personal data we hold about you (provided the request is not manifestly unfounded or excessive, particularly because of its repetitive nature).
- You may request to rectify your personal data if they are inaccurate, incomplete or not up to date (provided that the request is not manifestly unfounded or excessive, particularly because of its repetitive nature).
- You can request that your personal data be erased. However, this is not an absolute right, as we may be obliged to retain your personal data for legal or legitimate reasons. You may exercise your right to deletion in the following cases: if you have validly objected to the processing of your personal data or have withdrawn your consent, if the personal data is not or is no longer necessary for the purposes for which it was originally collected or processed, or if the personal data is unlawfully processed.
- You can request a restriction on processing. This right means that the processing of your personal data by us is restricted, so that we may retain the data, but we may not use or otherwise process it. This right applies in specific circumstances, namely (i) if you challenge the accuracy of your personal data: the processing is then restricted for a period of time to allow Brevo to verify the accuracy of the data; (ii) in cases where the processing is unlawful and you object to the erasure of your personal data and instead demand the restriction of their use; (iii) in cases where we no longer need the personal data for the purposes mentioned above in section 3, but they are still necessary for the establishment, exercise or defense of legal claims; and (iv) in cases where you have objected to the processing based on the legitimate interests pursued by Brevo, you may request that the processing be restricted for the period necessary to determine whether we can comply with your objection.
- You have the right to data portability, meaning to receive the personal data that you have provided to us and that we hold about you in a structured, commonly used and machine-readable format. This applies only where the processing is based on your consent or the execution of pre-contractual measures / performance of a contract and is carried out by automated means (see the table in Section 3 of this Policy to understand which processing rely on these legal basis).
- If you are a French citizen, you also have the right to give general and specific instructions to decide the fate of your personal data after your death.
Please note that you may object to the processing of your personal data.
Where we process your personal data on the basis of Brevo's legitimate interests (see the table in Section 3 of this Policy for data processing based on Brevo's legitimate interests), you may at any time object to the processing of your personal data on grounds relating to your particular situation, unless we have compelling legitimate grounds for processing such data which override your interests, rights and freedoms, or where such data is necessary for the establishment, exercise or defense of legal claims.
You may also, at any time, unsubscribe or oppose the receipt of commercial prospecting messages from Brevo (i.e., our newsletter). All you have to do is either (i) click on the link in the footer of the messages you receive from Brevo; or (iii) send a message to the contact details indicated in Section 11 of this Policy.
Please refer to Sections 2 and 3 of this Policy to ensure that Brevo is the data controller of the processing of your personal data and, therefore, is able to ensure the exercise of your rights.
Finally, you have the right to lodge a complaint before the relevant supervisory authority (in France, the Commission Nationale de l'Informatique et des Libertés: the “CNIL”). However, we invite you to contact Brevo at the address below before filing any complaint before any supervisory authority.
To exercise all these rights (when Brevo acts as a data controller), you can send a request:
- In writing to the following postal address: Sendinblue SAS, 17 rue Salneuve, 75017 Paris, France.
- By e-mail to the following address:[email protected]
If you are a Customer, you can also modify your data yourself at any time by logging onto the Software and clicking on "edit my profile".
HOW TO CONTACT OUR DATA PROTECTION OFFICER ?
If you have any questions, complaints or comments about this Policy or our personal data processing practices, please contact us:
- In writing to the following postal address: Sendinblue SAS, Data Protection Officer, 17 rue Salneuve, 75017 Paris, France.
- By e-mail to our Data Protection Officer (DPO) at the following address:[email protected]
For UK based data subjects, processors, controllers, and the ICO: The representative for the UK according to Article 27 of the UK GPDR can be reached by email: [email protected].
CHILDREN’S PRIVACY
Brevo does not knowingly collect Personal Data from children under 16. However, we cannot control the Personal Data our Customer’s collect. If a Customer chooses to input Personal Data of children under age 16 on the Services, that Customer does so under its own privacy practices, not ours. Brevo is not responsible for a Customer’s failure to comply with any law designed to protect children or any other law governing the Customer’s use of our Services. Please contact the Customer directly if you have questions about their privacy practices. As part of our commitment to your privacy, we encourage you to contact us at [email protected] if you believe we might have collected any information online from a child under 16, or if you are aware of any unauthorized submission of information to us. Brevo reserves the right to delete any information from our systems if we discover it was improperly collected.
USA SPECIFIC NOTICE
Collecting and Processing Personal Data
Brevo will only collect, use, retain, and disclose Personal Data as is adequate and relevant to the purposes described below or as reasonably necessary and proportionate to provide our Services, or for other purposes that we disclose to you and are compatible with the context of how we collected your Personal Data.
Brevo has collected the following categories of Personal Data in the past 12 months:
- Identifiers
- Education and employment information
- Commercial history
- Internet and similar activity
- Other Personal Data you voluntarily provide to Brevo
Our purposes and processing of this Personal Data are set out in Section 3 of this Privacy Policy.
We will not collect additional categories of Personal Data or use already collected Personal Data for purposes that are materially different, unrelated, or not reasonably necessary or compatible with the original purpose without notice and consent to you as required by law.
Retention Periods
Retention periods for each category of Personal Data are set out in Section 3 of this Privacy Policy.
Disclosure of Personal Data
In the preceding 12 months, Brevo has disclosed the Personal Data for our business purposes to the third parties listed in under External Recipients in Section 6 of this Privacy Policy. Brevo may also disclose Personal Data to other recipients with your permission or as required by law.
Privacy Controls
Brevo believes you should have the ability to control the Personal Data we collect and hold about you on your own. You can use the methods described below to control how we collect and use your Personal Data.
- Customer Accounts: Customers can change or delete the Personal Data in their accounts at any time by signing into the Software and editing information or changing settings. Brevo may offer instructions to guide Customers in making additional changes. A Customer can delete all of their Personal Data on Brevo by closing the account.
- Contact Information: Customers can change or delete their Contacts’ Personal Data at any time by signing into the Software and editing information or changing settings. Brevo may offer instructions to guide Customers in making additional changes. If a Contact submits a Consumer Privacy Request directly to Brevo, we will relay the request to the applicable Customer for further processing.
- Email Communications: If you are a Customer or Website visitor, we may send you marketing emails about the Services. Customers may also receive informational or support emails from us. If you do not wish to receive these emails, you may change your preferences via the links provided in the emails or by sending a request to [email protected] to be removed from our email list. Note that if you opt-out of marketing communications, we may still send you non-promotional communications, such as those about your account or our ongoing business relations.
- Texting Consent: If you provide us with your wireless phone number, you consent to Brevo sending you informational or service text messages. However, we will only send you marketing text messages if you opt-in to receive these notifications from us. For all Brevo text messages, the number of texts you receive will depend on the Services you use and the information you request from us. You can unsubscribe from Brevo text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
- Do Not Track: Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Policy.
United States Privacy Rights
U.S. laws approach privacy rights via federal privacy laws covering specific industries or data uses as well as individual state privacy laws providing with general consumer privacy rights. For example, the California Consumer Privacy Act (“CCPA”) as well as state laws of Colorado, Iowa, Montana, Nevada, Nebraska, Oregon, Texas, Utah, and several other states provide comprehensive consumer privacy laws applicable to residents of those states. If you reside in the United States, you may be entitled to some or all of the privacy rights listed below depending on the state laws applicable to you.
- You may have the right to request that we correct inaccurate Personal Data about you on our systems.
- You may have the right to request confirmation that we have collected Personal Data about you and that we provide you with access to that Personal Data. If you submit an access request, we will provide you with copies of the requested pieces of Personal Data in a portable and readily usable format. Please note that we may be prohibited by law from disclosing certain pieces of Personal Data, and we may be limited in the number or frequency of requests we must fulfill.
- You may have the right to request that we delete your Personal Data that we collected and retained, with certain exceptions. We may permanently delete, deidentify, or aggregate the Personal Data in response to a request for deletion.
- You may request that we disclose details to you about our collection and use of your Personal Data, such as: (a) the categories of Personal Data we have collected about you; (b) the categories of sources for the Personal Data we have collected about you; (c) our business purpose for collecting, using, processing, sharing or selling that Personal Data, as applicable; (d) the categories of third parties with whom we share that Personal Data; and (e) if we “sold” or “shared” your Personal Data under certain laws, two separate lists stating: (i) sales or sharing, identifying the Personal Data categories that each category of recipient purchased; and (ii) disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
- Some states entitle consumers to opt-out of the sale or sharing of Personal Data or targeted advertising practices. Brevo does not sell Personal Data. If your state privacy laws entitles you to opt-out of sharing for targeted advertising, please request to opt-out by sending an email to [email protected].
- You may have the right to opt-out of automated profiling. To opt-out of processing of your Personal Data to evaluate, analyze, or predict your interests and preferences, send an email requesting to opt-out to [email protected].
- Some states provide a right to opt-out or limit a company’s use of sensitive Personal Data. Brevo does not seek to collect sensitive Personal Data about any individual, and in no case do we disclose any sensitive Personal Data for the purpose of inferring characteristics about you or otherwise use your sensitive Personal Data without your consent.
- Brevo will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (a) deny you goods or services; (b) charge you different prices or rates for goods or services; (c) provide you a different level or quality of goods or services; (d) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (e) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
- California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Data sharing with affiliates and/or third parties for marketing purposes. If you are a California resident, you can request this information via email to [email protected].
A note for California residents: please be aware that the privacy rights listed above are not available with respect to data collected about you in a business-to-business context when you are acting as an employee to a Customer or potential Customer in the performance of your job duties.
Consumer Privacy Requests
If you wish to exercise your privacy rights beyond the methods available through the Software, or if you want to express concerns, lodge a complaint, or request information, please submit a verifiable Consumer Privacy Request using our online Consumer Privacy Request form or by sending an email to [email protected].
Note that if you are a Customer’s Contact, then we process your Personal Data as a service provider to the Customer and we cannot fulfill your request directly. In that case, we will relay your request to the appropriate Customer for further processing and fulfillment, provided that we have sufficient information to do so.
Brevo can only fulfill a Consumer Privacy Request when we have sufficient information to verify that the requester is the person or an authorized representative of the person about whom we have collected Personal Data, and to properly understand, evaluate, and respond to the request. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We endeavor to respond to Consumer Privacy Requests in accordance with the requirements of the law applicable to your jurisdiction. Depending on the circumstances and the nature of your request, we may be unable to fulfill your request in part or in whole, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
Additional contact information for Brevo is provided in Section 9 of this Privacy Policy.
CONSENT TO DATA TRANSFERS
Brevo has operations in the United States and the European Union, and engages service providers located in the European Union and elsewhere. As such, your Personal Data may be transferred across jurisdictional boundaries. Brevo works to limit cross-border data transfers wherever possible, and works to ensure that all data transfers use a lawful data transfer mechanism. When your information is moved from your home country to another country, the laws and rules that protect your Personal Data in the country to which your information is transferred may be different from those of the country where you live. For example, if your information is in the United States it may be accessed by government authorities under United States law. By allowing us to collect Personal Data about you, you consent to the transfer and processing of your Personal Data as described in this section.
We do not warrant that Brevo is appropriate or authorized for use outside of the European Union or United States. Customers are solely responsible for determining whether their use of the Services complies with applicable laws.
DATA SECURITY
Brevo implements and maintains reasonable and appropriate security procedures and practices to help protect your Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure. Our security measures are appropriate to the volume, scope, and nature of the Personal Data processed and designed to meet our duty of care with respect to your Personal Data. We employ a series of security measures, including a multi-level firewall, encryption, and anti-virus and intrusion detection solutions. All data is stored on secure servers in Tier 3 and PCI DSS certified data centers and is only accessible to our personnel and contractors via authentication measures. We ensure that Brevo employees, contractors, and agents responsible for handling your inquiries are informed of applicable privacy law requirements and we restrict access to those who need that information in order to process it.
Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Data for improper purposes. We also have no control over our Customers’ security measures or practices, and we make no representations or guarantees that your Personal Data is secure once transmitted or stored on their systems.
It is your responsibility to keep your Customer account secure from unauthorized access. We encourage our Customers to take steps to protect against unauthorized access to their accounts, such as choosing a robust password, keeping the password private, and signing off after using a shared computer or other device. Brevo is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account.
ADDITIONAL TERMS REGARDING THE USE OF THE INBOX FEATURE
Brevo’s Software complies with the Google API Services user Data Policy, including the Limited Use requirements. Any use and transfer of information received from Google API’s from Brevo’s Software to any other applications will require to adhere to Google API Services User Data Policy, including the Limited Use requirements.
Notwithstanding anything else in the present Privacy Policy, if the User provides Brevo access to their Gmail user data, Brevo shall:
- only use access to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings, allowing Brevo to provide a web email client for the Users to compose, send, read, and process emails;
- never transfer such data to other parties unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets;
- in no way use such data for its management of customer acquisition and marketing activities;
- in no way use such data to serve advertisements;
- not allow humans to read this data unless Brevo has the User’s affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for Brevo’s internal operations, and even then, only when the data have been aggregated and anonymized.
THIRD PARTY WEBSITES
The Services may contain links to websites owned or operated by third parties. We have no ability to control, and we are not responsible for, the privacy and data collection, use, and disclosure practices of third-party websites. We encourage you to read the privacy statements of each website that collects your Personal Data.
CHANGES TO THIS PRIVACY POLICY
We may periodically update this Privacy Policy. If we make any material changes, we will notify you by updating this posting or by posting notice in the Services. The date that this Privacy Policy was last revised is identified at the top of the page. Your continued use of the Services after the effective date will be subject to the new Privacy Policy. You are responsible for periodically checking this Privacy Policy for changes.
DEFINITIONS
- “Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “Data subject”: means an identified or identifiable natural person.
- “GDPR”: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- “Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Personal data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data falls into various categories, such as identifiers, sensitive personal information (e.g., contents of messages when we are not the recipient, race, health data, union membership, or, in some cases, in some cases, information about a known child), legally protected information (e.g., race, citizenship, marital status, sex); biometrics, commercial history, employment-related data, nonpublic educational information, internet activity, or inferences drawn to create a consumer profile. Personal Data includes Personal Information as defined under the CCPA.
- “Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.