Quick Answer: What a ConvertKit User's Privacy Policy Must Cover
- Email collection: What you collect on signup (email, name, custom fields)
- How you use it: Newsletters, promotional emails, automated sequences
- Platform disclosure: That ConvertKit (Kit) processes subscriber data on your behalf
- Tagging and segmentation: That you track subscriber behavior and apply tags
- GDPR consent: Legal basis for processing EU subscribers' data
- Unsubscribe rights: How subscribers can opt out of communications
ConvertKit, Kit, and Your Privacy Obligations
ConvertKit rebranded to Kit in 2024, but the legal and privacy landscape for users remains the same. When someone subscribes to your email list through a ConvertKit form, their personal data flows into ConvertKit's systems. You, as the list owner, become the data controller for that subscriber's information.
ConvertKit acts as a data processor - it stores and sends emails on your behalf, following your instructions. But the legal responsibility for how that data is collected, used, and protected rests with you. ConvertKit's own privacy policy covers the data practices of ConvertKit the company, not yours.
This means you need your own privacy policy linked from your website, your signup forms, and your email footer. Without it, you are likely in violation of GDPR (if you have EU subscribers), CAN-SPAM (if you send commercial email to US subscribers), and possibly CASL (Canadian anti-spam law).
Did you know?
ConvertKit's terms of service require list owners to comply with applicable privacy laws including GDPR and CAN-SPAM. If your account is reported for spam or privacy violations, ConvertKit can suspend your account. Having an accurate, accessible privacy policy is one of the most important steps to staying in good standing with ConvertKit (Kit) as well as with regulators.
Subscriber Data Handling: What Your Policy Must Say
Your privacy policy must clearly explain how you handle subscriber data from the moment someone signs up until their data is deleted. Key elements to cover include:
Data Collection
Describe what personal data you collect when someone subscribes. At minimum this is an email address, but if your forms collect names, company names, website URLs, or other custom fields, those must all be disclosed. Be specific about which forms collect which data.
Purpose of Collection
Your policy must explain why you collect subscriber data. Common purposes include: sending newsletters and content updates, sending promotional emails about products or services, personalizing email content based on subscriber interests, and analyzing open and click rates to improve content.
Retention Period
How long do you keep subscriber data? Best practice is to retain a subscriber's data for as long as they remain subscribed, and to purge unsubscribed or inactive subscribers after a defined period (commonly 12-24 months). Your policy should state your retention approach clearly.
ConvertKit as a Data Processor
Your privacy policy must name ConvertKit (Kit) as the email marketing platform you use and describe it as a third-party processor that stores and sends emails on your behalf. You should note that ConvertKit operates under its own privacy policy and security measures, and optionally provide a link to their privacy policy.
Forms and Landing Pages Data
ConvertKit forms and landing pages are the primary data collection points on your site. Each form or landing page that collects data is subject to privacy requirements, and your privacy policy must accurately describe what each one collects.
When a visitor fills out a ConvertKit form embedded on your website, their data flows to ConvertKit's servers. If the form is embedded on your domain, this is transparent to the visitor. If you use ConvertKit's hosted landing pages (on app.kit.com or your custom domain), it is still your responsibility to have a privacy policy linked from that page.
Privacy Policy Link Requirements for Forms
- GDPR requires a clearly visible privacy policy link on or near any form that collects personal data from EU residents
- CalOPPA (California) requires a conspicuous link to your privacy policy on your homepage and any page where personal data is collected
- Good practice: include a brief disclosure near the form button such as "By subscribing you agree to our Privacy Policy and consent to receiving our newsletter"
- ConvertKit's own terms encourage, but do not strictly require, a privacy link on embedded forms; legal requirements override this
Did you know?
ConvertKit's landing page builder allows you to add custom text below the subscribe button. This is the ideal place to add a privacy disclosure and link: "We respect your privacy. Unsubscribe at any time. View our Privacy Policy." This single line satisfies multiple requirements under GDPR, CAN-SPAM, and CASL simultaneously.
Automations, Tagging, and Behavioral Tracking
ConvertKit's automation and tagging system allows you to build detailed behavioral profiles of your subscribers. Automations can apply tags when subscribers click specific links, open (or do not open) certain emails, visit specific pages on your site (via ConvertKit's Subscriber Identification feature), or purchase products.
Under GDPR, this kind of behavioral tracking and profiling constitutes personal data processing that must be disclosed. Your privacy policy must explain:
- That you use automated email sequences that deliver content based on subscriber behavior
- That you apply tags or segments to subscribers based on their interactions with your emails or website
- What the tags or segments are used for (personalizing content, triggering different email sequences, identifying purchase intent)
- Whether you use ConvertKit's Subscriber Identification feature to track what pages tagged subscribers visit on your site
ConvertKit Subscriber Identification
ConvertKit's Subscriber Identification (or Site Tracking) feature allows you to track what pages on your website a subscriber visits after they have clicked through from an email. This creates a link between a subscriber's email address and their browsing behavior on your site. Under GDPR, this is personal data processing that requires explicit disclosure and a lawful basis (typically consent or legitimate interests, depending on how it is used).
If you use this feature, your privacy policy must specifically disclose that you track subscriber page visits on your website using ConvertKit, and explain the purpose (typically, to send more relevant content based on what they are reading about).
GDPR Subscriber Consent for ConvertKit Users
If any of your subscribers are based in the EU or EEA, GDPR applies. This requires a lawful basis for processing subscriber data. For email marketing, the most appropriate lawful basis is consent - and GDPR sets strict requirements for what constitutes valid consent.
GDPR Consent Requirements for Email Signups
| Requirement | What It Means | How to Implement in ConvertKit |
|---|---|---|
| Freely given | Subscribers cannot be required to subscribe in order to access a product or service they paid for | Do not gate paid products behind newsletter consent |
| Specific | Consent for newsletters is separate from consent for promotional emails | Use separate forms or checkboxes for different content types |
| Informed | Subscribers must know what they are signing up for and who is sending | Clear form description + privacy policy link |
| Unambiguous | No pre-checked boxes; requires an active opt-in | ConvertKit forms require active submission; enable double opt-in |
| Withdrawable | Easy to unsubscribe; unsubscribing must not be harder than subscribing | ConvertKit's unsubscribe link is required in every email |
Your privacy policy must document the legal basis you rely on for each type of processing. For EU subscribers who sign up for marketing content, this should be: "Legal basis: Consent. Subscribers may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us at [your email]."
CAN-SPAM Requirements for ConvertKit Users
The US CAN-SPAM Act applies to all commercial email sent to US recipients. Unlike GDPR, it does not require prior consent to send marketing emails, but it does impose several requirements that must be reflected in both your email practices and your privacy policy.
CAN-SPAM Compliance Checklist for ConvertKit Users
Include your physical mailing address in every email
CAN-SPAM requires a valid physical postal address in every commercial email. ConvertKit has a field for this in your account settings. It can be a PO Box or registered business address.
Include a clear and functional unsubscribe mechanism
ConvertKit automatically includes an unsubscribe link in all emails, which satisfies this requirement. Your privacy policy should describe this unsubscribe mechanism.
Honor unsubscribe requests within 10 business days
ConvertKit processes unsubscribes immediately, which is well within the CAN-SPAM 10-business-day requirement. Your privacy policy should note that unsubscribe requests are honored promptly.
Use accurate From name and subject lines
Misleading From names (using a celebrity's name or a brand you are not affiliated with) or deceptive subject lines violate CAN-SPAM. Your policy does not need to detail this, but your practices must comply.
Identify the message as an advertisement if applicable
Not required for every email, but clearly promotional emails should be identifiable as such. Your privacy policy can note that you may send promotional content and that subscribers can opt out.
Did you know?
CASL (Canada's Anti-Spam Legislation) is stricter than CAN-SPAM and more similar to GDPR in that it requires express or implied consent before sending commercial emails to Canadian recipients. If you have Canadian subscribers, your privacy policy should address how you obtain and document consent for Canadian subscribers, and note that they can withdraw consent at any time.
5 Common ConvertKit Privacy Policy Mistakes
Not having a privacy policy at all and relying on ConvertKit's terms
ConvertKit's privacy policy governs the company's data practices, not yours as the list owner. Every ConvertKit user who collects email subscribers needs their own privacy policy to meet legal requirements and ConvertKit's own terms of service.
Not disclosing behavioral tracking through tags and automations
If you use ConvertKit automations to tag subscribers based on which links they click or which pages they visit, this behavioral profiling is personal data processing under GDPR. It must be disclosed in your privacy policy with the purpose and legal basis.
Using ConvertKit for both a free newsletter and paid product promotions without separate GDPR consent
Under GDPR, consent for a free newsletter does not automatically extend to promotional emails for paid products. If you plan to send both, your signup form and privacy policy should distinguish between the two types of content and how subscribers can opt out of one but not the other.
Not linking to your privacy policy from ConvertKit landing pages and forms
If someone subscribes through a ConvertKit hosted landing page and your privacy policy is only on your main website, EU visitors may not see it before subscribing. GDPR requires the privacy policy to be easily accessible at the point of data collection.
Not updating the privacy policy when switching between ConvertKit plans or enabling new features
Upgrading to a ConvertKit plan that enables Subscriber Identification or Commerce features means new categories of data are being processed. Each new feature that processes subscriber data requires a review and potential update of your privacy policy.
Frequently Asked Questions
Do I need my own privacy policy if I use ConvertKit?
What subscriber data does ConvertKit give me access to?
How do I get GDPR-compliant consent using ConvertKit forms?
Does ConvertKit's double opt-in satisfy GDPR consent requirements?
ConvertKit rebranded as Kit - do I need to update my privacy policy?
Generate a ConvertKit-Ready Privacy Policy in Minutes
Cover subscriber data handling, ConvertKit as a processor, GDPR consent, CAN-SPAM compliance, and behavioral tracking disclosures in one compliant privacy policy tailored to your email marketing setup.