Table of contents
Sendinblue attaches particular importance to the respect for the privacy of the Users and of the confidentiality of their personal data, and is thus committed to processing the data in compliance with the applicable laws and regulations, and in particular Law No. 78-17 of 6 January 1978 relating to Information Technology, Data Files and Civil Liberties (hereafter referred to as the “Data Protection Act”), and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter referred to as the “GDPR”).
Personal data: any information relating to an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to that person.
Processing of personal data: any operation or any set of operations relating to personal data, whatever the process used, and in particular the collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as locking, erasure, or destruction.
Cookie : a cookie is a piece of information placed on the hard drive of Internet users by the server of the site they visit. It contains several pieces of data: the name of the server which installed it, an identifier in the form of a unique number, and possibly an expiry date. This information is sometimes stored on the computer in a simple text file that a server accesses to read and save pieces of information.
Data Controller – DPO
The data controller for the processing of the personal data referred to herein is Sendinblue, a simplified joint stock company with a share capital of 137,531 Euros, registered with the Paris Trade and Companies Register under number 498 019 298 and whose registered office is located at 7 rue de Madrid, 75008 Paris, France.
Sendinblue has appointed a Data Protection Officer who can be contacted at the following address: firstname.lastname@example.org.
Sendinblue collects data from Users in order to make the Services for which they have subscribed to the platform available to them.
The mandatory or optional nature of the data provided (in order to complete the Users’ registration and to render the Services) is indicated at the time of collection by an asterisk.
In addition, certain data is collected automatically as a result of the User’s actions on the site (see the paragraph on cookies).
The personal data collected by Sendinblue during the provision of the Services is necessary for the performance of the contracts concluded with the Users, or to allow Sendinblue to pursue its legitimate interests while respecting the rights of the Users. Certain data may also be processed based on the Users’ consent.
The purposes for which Sendinblue processes data are the following:
- commercial and accounting management of the contract;
- management of customer acquisition and marketing activities;
- detection of malicious behaviour (fraud, phishing, spam, etc.);
- the improvement of the Users path on the site;
- more generally, any purpose referred to in Article 2 of Deliberation No. 2012-209 of 21 June 2012 creating a simplified standard for the automated processing of personal data relating to the management of users and prospects.
Recipients of the data
The personal data collected is intended for Sendinblue’s commercial and accounting departments. It may be transmitted to Sendinblue’s subsidiaries, or to third-party data processors which Sendinblue is authorized to use within the context of the performance of its Services.
In this context, personal data may be transferred to an EU or non-EU country. Sendinblue implements guarantees ensuring the protection and security of this data, in compliance with applicable rules and regulations.
Sendinblue does not transfer or rent personal data to third parties for marketing purposes without the express consent of the Users of Sendinblue.
In addition, personal data may only be disclosed to third parties for purposes other than marketing in the following cases:
- with their authorisation;
- at the request of the competent legal authorities, upon judicial request, or in the context of a legal dispute.
Data retention period
To satisfy its legal obligations or in order to have the necessary elements to assert its rights, Sendinblue will be able to retain the data under the conditions established by applicable rules and regulations.
Thus, personal data collected by Sendinblue relating to the identity and contact details of its Users is retained for a maximum period of two years after the termination of the contractual relationship for Users that are customers, or from their collection by the data controller or the last contact from the Users that are prospects, for the data relating to the latter.
The termination of the contractual relationship is understood as the express termination of the contract by the User, or the non-use of Sendinblue Services for a period of five years.
Rights of Users
In accordance with applicable rules, the Users have the right to access and rectify their personal data, which enables them to rectify, complete, update, or delete data that is inaccurate, incomplete, ambiguous, or outdated, or whose collection, use, communication, or storage is prohibited.
The Users also have the right to request the limitation of the processing, and to oppose on legitimate grounds the processing of their personal data. The User may also communicate instructions on the fate of their personal data in the event of their death.
Where applicable, the User may request the portability of their personal data or, where the legal basis for the processing is consent, withdraw their consent at any time.
The Users may exercise their rights by sending an email to email@example.com or a letter to:
Sendinblue SAS – Politique de confidentialité
7 rue de Madrid, 75008 Paris, France
These requests shall be processed within a maximum period of 30 days.
The Users may also at any time modify the data pertaining to them by logging on to https://www.sendinblue.com and clicking on “edit my profile” or by contacting the customer relations department at firstname.lastname@example.org
The Users may unsubscribe from the Sendinblue newsletter or marketing emails by following the unsubscribe links in each of these emails.
In the event of a dispute, the Users may file a complaint with the CNIL, for which contact details may be found at https://www.cnil.fr.
The Users may access detailed information on the use of their personal data, in particular concerning the purposes of the processing, the legal bases enabling Sendinblue to process the data, its storage period, its recipients, and, where applicable, its transfer to a country outside the European Union as well as the related compliance guarantees put in place for such transfers. To do so, the User can send their request by email to email@example.com.
Additional terms regarding the use of the Inbox Feature
- only use access to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings, allowing Sendinblue to provide a web email client for the Users to compose, send, read, and process emails;
- never transfer such data to other parties unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets;
- in no way use such data for its management of customer acquisition and marketing activities;
- in no way use such data to serve advertisements;
- not allow humans to read this data unless Sendinblue has the User’s affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for Sendinblue’s internal operations, and even then, only when the data have been aggregated and anonymized.
Sendinblue has taken all necessary precautions to preserve the security of personal data and, in particular, to prevent it from being accessed by unauthorized third parties, distorted, or damaged.
These measures include the following:
- Multi-level firewall.
- Proven solutions for anti-virus protection and detection of intrusion attempts.
- Encrypted data transmission using SSL/https/VPN technology.
- Tier 3 and PCI DSS certified data centres.
In addition, access to processing data on behalf of Sendinblue by the receiving third-party services requires authentication of the persons accessing the data, by means of an individual access code and password, that is sufficiently robust and regularly renewed.
Data transmitted over unsecured communication channels is subject to technical measures designed to make such data incomprehensible to any unauthorised person.
Any questions about the security of the Sendinblue website can be directed to firstname.lastname@example.org.
The Users shall be notified of any changes made to this policy via our website or by email at least thirty days prior, when possible, to their entry into force.
Sendinblue SAS – Politique de confidentialité
7 rue de Madrid, 75008 Paris, France
This is the Privacy Notice for Sendinblue, Inc. dba Sendinblue (collectively, “Sendinblue,” “us,” “our,” or “we”). It explains how we collect and use information on Sendinblue.com and other websites we own or operate (collectively, the “Site”), our suite of software and professional services owned and operated by Sendinblue, Inc. or its affiliates and/or delivered under the business name Sendinblue (the “Software”) for managing contacts and designing, implementing, and administering email, sms, and certain other marketing programs , our other digital properties or services, and your communications with us by any means (collectively with the Site, Software, and Programs, the “Services”). Please read this Privacy Notice carefully to understand our privacy practices.
This Privacy Notice is governed by and part of our General Conditions of Use of Sendinblue Services (the “General Terms”). Your use of our Services is subject to this Privacy Notice and our General Terms, including its applicable limitations on damages and the provisions regarding resolution of disputes. Capitalized terms not defined in this Privacy Notice have the meanings given to them in the General Terms. Any additional notices we may provide you about our privacy practices will be considered to form part of this Privacy Notice.
Note that this Privacy Notice DOES NOT apply to any third-party websites, platforms, or activities, such as a Customer’s websites or marketing practices. If you are a Contact of our Customer(s), your use of a Customer’s website or receipt of marketing communications from a Sendinblue Customer is governed by the Customer’s privacy notice, and Sendinblue has no control over their privacy practices.
By using or accessing our Services in any manner, you acknowledge and accept this Privacy Notice, and you consent to Sendinblue’s collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Notice, do not use our Services.
As used in this Privacy Notice, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information falls into various categories, such as identifiers, protected information, sensitive personal information (e.g., social security number, race, health data, or union membership), biometrics, commercial history, employment-related data, nonpublic educational information, internet activity, or inferences drawn to create a consumer profile. The use of sensitive personal data on the Platform and as part of the Services is forbidden.
Personal Information does not include (i) publicly available information (ii) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (iii) deidentified information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.
Collection and use of personal information
The types of Personal Information we collect and how it is used depends on how you interact with us, such as a Site visitor, a Sendinblue customer using the Services or representative of a customer (a “Customer”) or as a Customer’s marketing contact (“Contact”). Sendinblue only collects, uses, retains, and shares Personal Information as reasonably necessary and proportionate to provide the Services or for other purposes that we disclose to you and are compatible with the context of how we collected your Personal Information. We will update this Privacy Notice or otherwise notify you before we collect additional categories of Personal Information from consumers or use such Personal Information for purposes that are incompatible with the purpose stated at the time of collection.
Categories of Personal Information
During the preceding 12 months, we have collected these categories of Personal Information:
- Identifiers (e.g., name, address, phone number, email address, password, IP address)
- Employment-related information (e.g., current or past employment)
- Commercial information (e.g., purchases considered or completed)
- Internet activity (e.g., interactions with the Site and Platform)
Sources of Collection
We collect Personal Information from the following sources and use that information as described below:
- Directly from you when you contact us or place an order. If you contact us via the Site or by email, phone, or other means to request information or support, we will collect your name, contact information, and employment-related information as needed to respond to your inquiry. If you place an order with us, we will use a PCI-compliant payment processor to collect and process your payment information. You may opt-in to save your payment information for future orders, but this is not required. We collect this information with your consent, and we use it to respond to your inquiries, communicate with you about your order status, or for the purposes stated at the time of collection.
- Directly from you when you create a Customer account. If you create a Customer account, we will collect your name, email address, company name, and require you to choose a password to login. We collect this information with your consent, and we use it to provide the Services, identify and administer your account, and communicate with you about the Services. You have the right to opt-out of communications from us, but you cannot opt out of communications that we send you regarding your account.
- From our Customers about their Contacts. Sendinblue Services enables Customers to promote their brands through email, SMS, chat, and other types of marketing communications. Customers may choose to input their Contacts’ Personal Information into the Services to send them marketing communications. Sendinblue collects Contacts’ Personal Information to fulfill our contractual obligations as a service provider to the Customer. A Customer’s processing of Contacts’ Personal Information via the Services is subject to the Customer’s privacy practices, not ours. Sendinblue is not responsible for any Customer’s compliance with applicable privacy laws, or a Customer’s obligations to related to their Contacts’ privacy rights.
Sendinblue does not knowingly collect Personal Information from children under 16. However, we cannot control the Personal Information our Customer’s collect. If a Customer chooses to input Personal Information of children under age 16 on the Services, that Customer does so under its own privacy practices, not ours. Sendinblue is not responsible for a Customer’s failure to comply with any law designed to protect children or any other law governing the Customer’s use of our Services. Please contact the Customer directly if you have questions about their privacy practices. As part of our commitment to your privacy, we encourage you to contact us at email@example.com if you believe we might have collected any information online from a child under 16, or if you are aware of any unauthorized submission of information to us. Sendinblue reserves the right to delete any information from our systems if we discover it was improperly collected.
Retention of Personal Information
- Personal Information about Contacts. The Customer is responsible for determining a data retention period of the Contact Personal Information and to operate the deletion when necessary. If the Customer does not take action, Sendinblue retains all categories of Personal Information we collect only as long as your Sendinblue account remains active or as necessary to provide you with the Services you request.
- Commercial relationship personal information. We may also retain and use Personal Information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We regularly review and deidentify unnecessary Personal Information and other data and we periodically deidentify unused accounts.
- Cookie Data. Any Personal Information that we may collect using cookies or other tracing technologies is retained on our system for 12 months. In some cases, we may be required to retain this Personal Information for longer or shorter periods to meet our regulatory obligations, in which case we will retain the data for the required period.
In addition to the specific uses described above, Sendinblue might also use your Personal Information to:
- Provide, maintain, and improve our Services and user experience.
- Send you support and administrative messages.
- Monitor your compliance with any of your agreements with us.
- Detect, investigate, and prevent fraudulent transactions and other illegal activities and protect the rights and property of Company and others.
- Protect your privacy and enforce this Privacy Notice.
- If we believe it is necessary, to identify, contact, or bring legal action against persons who may be causing injury to you, to us, or to others.
- Comply with a law, regulation, legal process, or court order.
- Fulfill any other purpose to which you consent.
Disclosing personal information
In the preceding 12 months, Sendinblue has disclosed all categories of Personal Information that we collected for a business purpose.
Sendinblue may disclose Personal Information to the recipients described below, or to other recipients with your permission or as required by law.
- Service Providers: Sendinblue uses a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. The type of information that we share with a service provider will depend on the service that they provide to us. Our service providers are subject to contractual agreements that protect your Personal Information, and we require all service providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information.
- Government Agencies: Occasionally Sendinblue may be required by law enforcement or judicial authorities to provide Personal Information to governmental authorities. We fully cooperate with law enforcement agencies in identifying those who use our Services for illegal activities. Sendinblue reserves the right to disclose Personal Information to law enforcement and other governmental agencies, at our sole discretion in connection with an investigation of any matter that is illegal or that could expose Sendinblue or our affiliates to liability.
- Affiliates and Third Parties: We may disclose the Personal Information we collect about you to our affiliates like a parent company or subsidiaries. For example, we share Personal Information for Customer support purposes, marketing, or technical operations. Under specific circumstances, we may disclose Personal Information to certain third parties as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or asset sale); to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.
Aggregated and Deidentified Information
We reserve the right to disclose aggregated, anonymized, or deidentified information about any individuals with affiliated or nonaffiliated entities for marketing, advertising, research, or other purposes, without restriction. For example, we may share reports showing trends about the general use of our Services without identifying an individual.
Your privacy rights
Sendinblue believes you should have the ability to control the Personal Information we collect and hold about you on your own. You can use the methods described below to control how we collect and use your Personal Information.
- Customer Accounts: Customers can change or delete the Personal Information in their accounts at any time by signing into the Platform and editing information or changing settings. Sendinblue may offer instructions to guide Customers in making additional changes. A Customer can delete all of their Personal Information on Sendinblue by closing the account.
- Contact Information: Customers can change or delete their Contacts’ Personal Information at any time by signing into the Platform and editing information or changing settings. Sendinblue may offer instructions to guide Customers in making additional changes. If a Contact submits a Consumer Privacy Request directly to Sendinblue, we will relay the request to the applicable Customer for further processing.
- Email Communications: If you are a Customer or Site visitor, we may send you marketing emails about the Services. Customers may also receive informational or support emails from us. If you do not wish to receive these emails, you may change your preferences via the links provided in the emails or by sending a request to privacy@Sendinblue.com to be removed from our email list. Note that if you opt-out of marketing communications, we may still send you non-promotional communications, such as those about your account or our ongoing business relations.
- Texting Consent: If you provide us with your wireless phone number, you consent to Sendinblue sending you informational or service text messages. However, we will only send you marketing text messages if you opt-in to receive these notifications from us. For all Sendinblue text messages, the number of texts you receive will depend on the Services you use and the information you request from us. You can unsubscribe from Sendinblue text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
- Do Not Track: Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Notice.
Depending on where you reside, you may have additional privacy rights or be entitled to additional controls over your Personal Information. Please see our supplemental notices specific to residents of California.
If you wish to exercise your privacy rights beyond the methods available through the Platform, or if you want to express concerns, lodge a complaint, or request information, please submit a verifiable Consumer Privacy Request using our online Consumer Privacy Request form or by sending an email to firstname.lastname@example.org.
Note that if you are a Customer’s Contact, then we process your Personal Information as a service provider to the Customer and we cannot fulfill your request directly. In that case, we will relay your request to the appropriate Customer for further processing and fulfillment, provided that we have sufficient information to do so.
Sendinblue can only fulfill a Consumer Privacy Request when we have sufficient information to verify that the requester is the person or an authorized representative of the person about whom we have collected Personal Information, and to properly understand, evaluate, and respond to the request. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We endeavor to respond to Consumer Privacy Requests in accordance with the requirements of the law applicable to your jurisdiction. Depending on the circumstances and the nature of your request, we may be unable to fulfill your request in part or in whole, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
CALIFORNIA PRIVACY RIGHTS
This section provides residents of the State of California (“California Consumers”) with the disclosures and notices required under the California Consumer Privacy Act of 2018 (“CCPA”). The following paragraphs apply solely to California Consumers and describe the specific rights afforded under the CCPA. California Consumers may exercise the following rights over their Personal Information, subject to any exceptions and limitations that may apply:
- Right to Know: You have the right to request that we disclose information to you about our collection and use of your Personal Information, such as: (i) the categories of Personal Information we have collected about you; (ii) the categories of sources for the Personal Information we have collected about you; (iii) our business or commercial purpose for collecting, selling or sharing your Personal Information; (iv) the categories of third parties with whom we disclose your Personal Information; and (v) a list of specific pieces of Personal Information we have collected about you. If a business sells or shares your Personal Information, you also You also have the right to ask the company to disclose the categories of your Personal Information sold or shared and the categories of third parties to whom that Personal information was sold or shared, as well as the categories of Personal information disclosed for a business purpose and the categories of recipients of that information. Sendinblue is only required to respond to two disclosure requests from you within a 12-month period.
- Right to Access. You have the right to request that we provide you with access to specific pieces of Personal Information we have collected about you over the past 12 months (also called a data portability request). If you submit a right to access request, we will provide you with copies of the requested Personal Information in a portable and readily usable format. Please note that Sendinblue may be prohibited by law from disclosing copies of certain Personal Information when the disclosure would create a substantial, articulable, and unreasonable risk to the security of the information, our systems, or your account. We are only required by law to respond to two access requests from you within a 12-month period.
- Right to Correct. If you discover that we maintain inaccurate Personal Information about you, or if your Personal Information changes, please inform us and we will update our records to reflect the correct information.
- Right to Deletion. You have the right to request that we delete Personal Information that we collected from you and retained, with certain exceptions. Sendinblue may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion. If you submit a right to deletion request, we will confirm the Personal Information to be deleted prior to its deletion, and we will notify you when your request is complete.
- No Selling Personal Information. Sendinblue does not and will never sell your Personal Information to third parties..
- Sharing Personal Information. Sendinblue may share Personal Information we collect via cookies and other tracing technologies with third parties for cross-contextual behavioral advertising purposes. You can opt-out of this sharing by adjusting your cookie settings or by submitting a Consumer Privacy Request.
- Limited Use and Disclosure of Sensitive Personal Information. Sendinblue does not seek to collect sensitive Personal Information from any consumer. If a Customer chooses to input sensitive Personal Information into the Platform, we will not use or disclose Sensitive Personal Information for the purpose of inferring characteristics about any consumer. If this ever changes in the future, we will update this Privacy Notice and provide you with methods to limit use and disclosure of Sensitive Personal Information. However, we have no control over whether our Customers may use or disclose their contacts’ sensitive Personal information for any particular purpose. If you are a Contact of our Customers, please direct any questions about your sensitive Personal Information to the respective Customer.
- Right to Nondiscrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by law, we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under the CCPA.
- Right to Disclosure of Marketing Information. Under California’s Shine the Light Act (Ca. Civ. Code § 1798.83-1798.84), California Consumers are entitled to request certain disclosures about Personal Information sharing with affiliates and/or third parties for marketing purposes. Please contact us if you wish to obtain these disclosures.
California Consumers may exercise these rights over their Personal Information by logging into their Customer account or by sending us a verifiable Consumer Privacy Request, subject to any exceptions and limitations that may apply.
Employee Data Exception
In many cases, the Personal Information we collect about you is in a business-to-business context when you are acting as an employee to a Customer or potential Customer in the performance of your job duties. Please note that Personal Information collected and used in this context is not protected under the CCPA.
Sendinblue implements reasonable and appropriate security procedures and practices to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including a multi-level firewall, encryption, and anti-virus and intrusion detection solutions. All data is stored on secure servers in Tier 3 and PCI DSS certified data centers and is only accessible to our personnel and contractors via authentication measures. We ensure that Sendinblue employees, contractors, and agents responsible for handling your inquiries are informed of applicable privacy law requirements and we restrict access to those who need that information in order to process it.
Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. We also have no control over our Customers’ security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.
It is your responsibility to keep your Customer account secure from unauthorized access. We encourage our Customers to take steps to protect against unauthorized access to their accounts, such as choosing a robust password, keeping the password private, and signing off after using a shared computer or other device. Sendinblue is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account.
Third party websites
The Services may contain links to websites owned or operated by third parties. We have no ability to control, and we are not responsible for, the privacy and data collection, use, and disclosure practices of third-party websites. We encourage you to read the privacy statements of each website that collects your Personal Information.
Changes to this privacy notice
We may periodically update this Privacy Notice. If we make any material changes, we will notify you by updating this posting or by posting notice in the Services. The date that this Privacy Notice was last revised is identified at the top of the page. Your continued use of the Services after the effective date will be subject to the new Privacy Notice. You are responsible for periodically checking this Privacy Notice for changes.
If you have questions about our privacy practices or would like to make a complaint, please contact us at DPO@sendinblue.com, by phone at 1 (844) 744-2639, or by mail at Sendinblue 1402 Third Avenue, #301, Seattle, WA 98101.