Klaviyo and GDPR: What you need to know
Learn how Klaviyo meets its obligations under the GDPR, how we enable our customers to comply with the GDPR, the measures we take to protect customer data, and how we support the lawful transfer and processing of data in the US.

Note: The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers – and all ecommerce merchants – to seek legal advice on how they specifically should comply with GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law designed to strengthen, unify, and modernise data protection across the EU. It gives individuals greater control over their personal data and sets clear rules for how organisations collect, use, store, and share that data.

Does GDPR apply to companies outside of the EU?
Yes. The GDPR can apply to any company, regardless of where it’s located, if it handles the personal data of people in the EU, or offers goods or services to individuals in the EU.
That means even if your business is based in the U.S., Canada, Australia, or anywhere else, you might be required to comply with GDPR when marketing to or tracking individuals in the EU.

Does GDPR apply in the United Kingdom after Brexit?
Following Brexit, the GDPR has been retained in UK law as the UK GDPR. This version continues to be read alongside the UK Data Protection Act 2018, which sets out the framework for data protection in the UK. The UK GDPR is largely aligned with the EU GDPR, meaning that the same principles and individual rights apply.
Klaviyo is also certified under the UK Extension to the EU-U.S. Data Privacy Framework, which supports lawful transfers of UK personal data to the U.S.
How Klaviyo supports your GDPR compliance
Consent management tools
Klaviyo’s signup forms are designed with GDPR compliance in mind – you can:
– Add granular consent checkboxes,
– Customise messaging, and
– Use geo-targeting to only show forms to EU and UK visitors.
Each form submission is automatically logged with a timestamp and version, giving you a record of consent.
It’s important to keep in mind that as the data controller, you’re responsible for configuring your forms correctly.
Handling of data requests
Klaviyo includes built-in tools to help you respond to common GDPR data rights requests. You can easily:
– Export an individual’s data
Klaviyo also preserves a list of deleted profiles, which provides a record that your business has complied with any deletion requests.

Smart segmentation and suppression
Klaviyo enables you to segment your contacts based on consent status, location, and other profile-based criteria. You can also suppress profiles that have not provided valid consent.
Secure data transfers and agreements
Klaviyo is certified under the EU-U.S. Data Privacy Framework (DPF) and also includes the Standard Contractual Clauses (SCCs) in our Data Protection Addendum (DPA) to support lawful global data transfers. Klaviyo maintains appropriate technical and organisational safeguards, as outlined in its DPA and Trust Center.
Centralisation of data via Klaviyo’s Customer Data Platform
Klaviyo’s Customer Data Platform (CDP) brings together customer consent, engagement, and transactional data into unified profiles. This makes it easier for you to locate, export, or delete an individual’s data as required. The CDP retains data for as long as you need to keep it in your account and lets you delete it when required, enabling consistent application of your data policies.

GDPR FAQ
Klaviyo has implemented measures to meet its obligations as a Data Processor under the GDPR. We maintain a robust data protection framework that includes:
- Data Processing Agreement (DPA): Our DPA governs how we process Customer Personal Data in line with GDPR obligations.
- Security and Safeguards: We implement comprehensive technical and organisational measures (TOMs), along with supplementary protections, to ensure data security and integrity.
- Data Subject Rights: Klaviyo provides tools to help customers manage GDPR data requests (DSARs).
- Sub-processors: Klaviyo requires all sub-processors to meet data protection standards equivalent to those in our Customer DPA.
- International Transfers: Klaviyo is certified under the EU-U.S. Data Privacy Framework (DPF) and also includes the Standard Contractual Clauses (SCCs) in our DPA to support lawful global data transfers.
We also continuously monitor global privacy regulations to ensure we stay compliant and keep your customers’ data protected.
While Klaviyo meets its GDPR obligations as a Data Processor, each business is responsible for its own compliance as a Data Controller.
Grow responsibly with Klaviyo
Privacy isn’t just about compliance. It’s about trust. With Klaviyo, you get a CRM platform designed to protect data, respect privacy, and help your business grow responsibly. Get started with privacy-first marketing and join thousands of brands using Klaviyo to grow with confidence and respect for customer privacy.