GetResponse 2026: Gdańsk Poland Platform, US Delaware Subsidiary, and GDPR Compliance Verdict for EU Email Marketing
Post #950 in the sota.io EU Cyber Compliance Series | EU-EMAIL-MARKETING-SERIE Post #5
This is the fifth post in the sota.io EU-EMAIL-MARKETING-SERIE. The first four examined platforms where the compliance problem is structural and unresolvable: Mailchimp is owned by Intuit (Delaware/California), Klaviyo is a NYSE-listed Delaware corporation, Constant Contact is controlled by Newfold Digital (Delaware/private equity), and ActiveCampaign is a Delaware/Illinois company backed by Silversmith Capital. Every one of those platforms is a domestic US person under the CLOUD Act, meaning every EU email list stored there is reachable by US federal legal process without any EU judicial oversight.
GetResponse is different. It was founded in 1998 in Gdańsk, Poland by Simon Grabowski, and its primary legal entity — GetResponse S.A. — is incorporated under Polish law and subject to the jurisdiction of Polish courts and the Polish Data Protection Authority (UODO). That makes GetResponse the only platform in this series that is genuinely EU-native. For EU organisations asking which major email marketing platform carries the lowest CLOUD Act exposure, GetResponse is the correct answer.
The analysis, however, cannot stop there. GetResponse also operates GetResponse Inc., a subsidiary incorporated in Delaware, USA. US operations, US-based employees, and the existence of a domestic US legal entity all introduce considerations that a thorough GDPR compliance review must address. This guide works through each of them.
The Corporate Structure: Polish Foundation, US Subsidiary
Origin and Ownership
GetResponse was founded in 1998 by Simon Grabowski in Gdańsk, a major port city in the Pomerania region of northern Poland. The company began as a simple autoresponder service — one of the earliest such products globally — and grew into a comprehensive email marketing and automation platform over the following two decades. Grabowski has remained the CEO and controlling shareholder through 2026.
The company's primary operating entity is GetResponse S.A., a Polish joint-stock company (spółka akcyjna) registered with the National Court Register (Krajowy Rejestr Sądowy) in Poland. As a Polish S.A., GetResponse S.A. is incorporated under the Commercial Companies Code (Kodeks spółek handlowych) and operates under the jurisdiction of Polish law and Polish courts.
This is the foundational legal fact that distinguishes GetResponse from the four US-headquartered platforms covered in the preceding posts of this series. GetResponse S.A. is not a domestic US person under 18 U.S.C. § 2713. A US District Court order cannot be directed at GetResponse S.A. in the same way it can be directed at Intuit Inc., Klaviyo Inc., or ActiveCampaign Inc.
Funding History: Bootstrapped and Founder-Led
Unlike Klaviyo (IPO), Mailchimp (acquired by Intuit for $12B), Constant Contact (private equity roll-up), or ActiveCampaign (Silversmith Capital), GetResponse has remained bootstrapped and founder-controlled since 1998. Simon Grabowski has not taken institutional venture capital or private equity investment. The company has grown organically to serve approximately 350,000 customers across 183 countries.
The absence of US venture capital or private equity ownership is a meaningful compliance factor. US institutional investors — particularly those incorporated as Delaware LLCs or Delaware corporations — can impose governance rights, board seats, and contractual obligations that give US-incorporated entities indirect access to or control over the company's data. GetResponse's founder-controlled structure means there is no US PE firm, no US LP investor, and no US board member with contractual authority over company operations.
GetResponse Inc. — The Delaware Subsidiary
GetResponse operates a US subsidiary, GetResponse Inc., incorporated in Delaware. GetResponse Inc. handles US-market commercial operations — sales, customer support, and marketing for North American customers — and employs US-based staff.
GetResponse Inc., as a Delaware corporation, is a domestic US person under the CLOUD Act. A US federal court can issue an order to GetResponse Inc. under 18 U.S.C. § 2713. The operative question for EU compliance is: what data does GetResponse Inc. hold, and does it have custody or control over EU customer data?
This question has a structured answer based on how GetResponse segments its data processing:
- EU customers contract with GetResponse S.A. — the Polish entity. The Data Processing Agreement that EU customers execute is an Article 28 GDPR agreement with GetResponse S.A. as the processor.
- EU customer data is stored on servers within the European Economic Area — GetResponse operates data centres in the EU, including in Germany (Frankfurt region), and routes EU-origin data to EU infrastructure.
- GetResponse Inc. does not serve as the controller or processor for EU customer data — its scope is limited to US-market operations.
Under this structure, a CLOUD Act order directed at GetResponse Inc. would not reach EU customer data because GetResponse Inc. does not have custody or control of that data. The data is held by GetResponse S.A. under Polish law.
Why This Structure Matters Under the CLOUD Act
The CLOUD Act operates against domestic US persons — entities incorporated or domiciled in the United States — and it reaches data within their "custody or control" wherever that data is physically located (18 U.S.C. § 2713). The phrase "custody or control" has been interpreted to include data that the domestic US entity has the technical and legal ability to produce, even if stored on servers in another jurisdiction.
For GetResponse's structure, the CLOUD Act analysis proceeds as follows:
GetResponse S.A. (Polish entity)
GetResponse S.A. is a Polish corporation. It is not a domestic US person. A US federal court cannot issue a direct compelled disclosure order against GetResponse S.A. under the CLOUD Act. If the US government sought data held by GetResponse S.A., it would need to proceed through the US-Poland MLAT (Mutual Legal Assistance Treaty), which requires:
- A request through diplomatic channels
- Involvement of Polish judicial authorities
- A finding under Polish law that the request is lawful
- A mechanism for the subject of the order to challenge it before Polish courts
This is a materially different legal process from a direct CLOUD Act production order. It provides the EU data subject with procedural protections that do not exist when a US court issues a direct order to a US domestic person.
GetResponse Inc. (Delaware subsidiary)
GetResponse Inc. is a domestic US person and is subject to CLOUD Act orders. However, if GetResponse Inc. does not hold or control EU customer data — if the data architecture places EU customer data exclusively under GetResponse S.A.'s custody — then a CLOUD Act order directed at GetResponse Inc. cannot compel production of that data.
The CLOUD Act's phrase "within such provider's control" does not extend to data held by a foreign parent or sibling company unless the US entity has the legal or technical ability to access that data. In a properly structured corporate arrangement, where the EU entity holds EU customer data independently and the US subsidiary has neither technical access to it nor contractual authority over it, the US entity cannot produce data it does not control.
GetResponse's structure — EU customer contracts with the Polish S.A., EU data on EU servers — represents exactly this design. EU compliance teams should verify this through GetResponse's DPA and by requesting confirmation of the data processing geography in writing.
GetResponse's GDPR Compliance Record
Polish Data Protection Authority (UODO) Oversight
As a Polish entity, GetResponse S.A. is subject to the oversight of the Urząd Ochrony Danych Osobowych (UODO) — Poland's national data protection authority, which operates as a supervisory authority under GDPR Article 51. UODO has enforcement powers including administrative fines under GDPR Article 83.
There have been no publicly reported UODO enforcement actions against GetResponse S.A. as of 2026. GetResponse has not been the subject of any published cross-border GDPR enforcement case through the GDPR's One-Stop-Shop mechanism.
Article 28 Processor Agreement
GetResponse offers a GDPR-compliant Data Processing Agreement for EU customers. Key terms relevant to GDPR Article 28:
- Processor designation — GetResponse S.A. is designated as the data processor
- Sub-processor list — GetResponse maintains a list of approved sub-processors and provides advance notification of sub-processor changes
- Data return and deletion — on contract termination, GetResponse commits to data deletion or return within a specified timeframe
- Audit rights — the DPA includes audit rights as required by Article 28(3)(h)
- Processing instructions — GetResponse commits to process data only on documented instructions from the controller
EU organisations should execute the GetResponse DPA before transferring contact data to the platform.
Data Residency in the EU
GetResponse has stated that EU customer data is processed and stored within the EEA. For EU customers, this means:
- Contact lists, campaign data, automation event logs, and behavioural tracking data are stored on servers within the EEA
- EU-origin data is not transferred to US servers for processing
- Backups and redundancy infrastructure remain within the EEA for EU accounts
EU compliance teams should request confirmation of the specific data centre locations in writing during the procurement process, and should verify that any sub-processors used for EU data processing are also EEA-based or covered by appropriate Article 46 safeguards.
What GetResponse Processes About EU Contacts
Understanding what data GetResponse processes helps EU compliance teams assess the sensitivity of the processing relationship.
Contact and Profile Data
Every contact stored in GetResponse is a data subject under GDPR Article 4(1). GetResponse stores:
- Core identifiers — email address, first and last name, phone number where collected
- Custom fields — any additional fields the account holder configures, including purchase history, preference data, company attributes, and segment classifications
- List membership — which lists, segments, and tags the contact belongs to; tag taxonomy functions as a behavioural classification system
- Consent record — subscription source, consent timestamp, and opt-in method (single or double)
- Engagement score — GetResponse calculates engagement scores based on open, click, and conversion history
Custom fields can encode sensitive data depending on account configuration. An e-commerce platform might tag contacts with purchase bracket data; a healthcare information provider might tag contacts with symptom interests. These fields should be disclosed in the controller's ROPA entry for GetResponse as a processor.
Email Campaign Data
GetResponse records the full event log for every email campaign delivered to EU contacts:
- Delivery events — timestamp, recipient address, and delivery status for every email sent
- Open events — timestamp and approximate location (derived from IP) for every email open recorded
- Click events — timestamp, IP, user agent, and destination URL for every tracked link click
- Conversion events — if GetResponse conversion tracking is active, purchase or goal completion events are recorded against the contact's profile
Open tracking uses a 1×1 tracking pixel, a standard technique that captures the IP address of the contact's mail client at the time of pixel load. In the EU context this matters because, under CJEU case law (Breyer v Bundesrepublik Deutschland, C-582/14), IP addresses captured in association with an identifiable individual constitute personal data.
Automation and Workflow Data
GetResponse's marketing automation feature — which allows account holders to build multi-step workflows triggered by contact behaviour, dates, or API events — generates processing records:
- Workflow entry logs — which contacts entered which workflows, when, and based on what trigger condition
- Step execution history — which automation steps each contact passed through
- Wait state records — what conditions were evaluated when a contact reached a conditional wait or decision branch
- Exit events — whether the contact completed the workflow or exited early, and the reason
These records document the decisional logic applied to each contact — which segments triggered which messaging interventions at which points in the customer lifecycle. In aggregate, they constitute a detailed processing record that should be accurately described in the controller's ROPA.
Landing Pages and Forms
GetResponse includes a landing page builder and form builder. When a contact submits a GetResponse-hosted form:
- Form submission data — all form field values at the time of submission
- IP address — the submitting contact's IP address
- Submission timestamp — date and time of submission
- Referrer — the URL from which the contact navigated to the form
If the form collects consent for email marketing, the submission record functions as the consent receipt. Controllers must retain this record to demonstrate compliance with GDPR Article 7(1) in the event of a challenge.
GetResponse versus the US Platforms: A Structural Comparison
The preceding posts in this series documented why Mailchimp, Klaviyo, Constant Contact, and ActiveCampaign create structural CLOUD Act exposure that cannot be resolved through DPAs, EU data residency addenda, or Standard Contractual Clauses. The structural problem in each case is that the entity controlling the data is a domestic US person — incorporated under Delaware or another US state's law — and domestic US persons are compelled by the CLOUD Act to comply with US federal legal process for data they control regardless of server location.
GetResponse occupies a categorically different position:
| Factor | GetResponse | Mailchimp | Klaviyo | Constant Contact | ActiveCampaign |
|---|---|---|---|---|---|
| Primary entity jurisdiction | Poland (EU) | USA (Delaware/CA) | USA (Delaware) | USA (Delaware) | USA (Delaware/IL) |
| US entity exists | ✓ GetResponse Inc. (Delaware) | N/A (IS the US entity) | N/A (IS the US entity) | N/A (IS the US entity) | N/A (IS the US entity) |
| EU customer contracts with | Polish S.A. | US entity | US entity | US entity | US entity |
| EU data stored in EU | ✓ Yes (Frankfurt) | ✗ US-primary | ✗ US-primary | ✗ US-primary | ✗ US-primary |
| CLOUD Act direct order possible | ✗ (Polish entity) | ✓ | ✓ | ✓ | ✓ |
| GDPR supervisory authority | UODO (Poland) | FTC / US | FTC / US | FTC / US | FTC / US |
| PE/VC ownership | ✗ (founder-controlled) | ✓ (Intuit) | ✓ (NYSE-public) | ✓ (Clearlake/Siris) | ✓ (Silversmith) |
| SCCs required for EU processing | ✗ No | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Article 28 DPA under EU law | ✓ Yes | ✗ (US entity DPA) | ✗ (US entity DPA) | ✗ (US entity DPA) | ✗ (US entity DPA) |
The practical compliance difference is significant. When an EU controller uses Mailchimp, Klaviyo, Constant Contact, or ActiveCampaign, it must rely on Standard Contractual Clauses as the Article 46 transfer mechanism — and SCCs require a Transfer Impact Assessment that, for these US platforms, cannot produce a clean result because the CLOUD Act creates a structural incompatibility with SCCs (as the EDPB has noted in multiple opinions).
When an EU controller uses GetResponse — contracting with the Polish S.A., with data on EU servers — there is no third-country transfer. The processing remains within the EU. No SCCs are required. No Transfer Impact Assessment is needed. The Article 28 DPA with GetResponse S.A. is a standard EU-to-EU processor arrangement.
The US Subsidiary Consideration in Practice
EU compliance teams sometimes ask: if GetResponse Inc. (Delaware) exists, does that mean GetResponse is not truly GDPR-safe?
The answer requires distinguishing between three questions:
1. Is GetResponse Inc. subject to the CLOUD Act? Yes. It is a Delaware corporation and a domestic US person.
2. Does GetResponse Inc. control EU customer data? Based on GetResponse's published structure — EU customers contract with GetResponse S.A., EU data is on EU servers — GetResponse Inc. does not have custody or control of EU customer data. A CLOUD Act order directed at GetResponse Inc. would not reach data that GetResponse Inc. does not control.
3. Should EU compliance teams verify this in writing? Yes. The correct process is:
- Execute the Data Processing Agreement with GetResponse S.A. (the Polish entity)
- Include a written representation in the contract confirming that EU customer data is stored and processed exclusively within the EEA by GetResponse S.A. and its EU-based sub-processors
- Request the sub-processor list and verify that no US entity appears as a sub-processor for EU data
- Confirm annually, particularly when significant platform changes or sub-processor updates occur
This due diligence procedure is standard for any EU-native SaaS processor. It is far less burdensome than the Transfer Impact Assessment process required for US-domiciled platforms.
When to Prefer Other EU-Native Platforms
GetResponse is the most fully featured EU-native email marketing platform at scale, but it is not the only option. EU organisations should also evaluate:
Brevo (formerly Sendinblue) — France
Brevo S.A.S. is incorporated in France and supervised by the CNIL (Commission Nationale de l'Informatique et des Libertés). Brevo offers email marketing, SMS, transactional email, CRM functionality, and marketing automation. It is fully EU-incorporated with no US parent company. Brevo processes data in Frankfurt and Paris data centres. For EU organisations in regulated sectors — banking, healthcare, insurance — the CNIL supervisory authority may be preferred over UODO depending on cross-border DPA lead-authority arrangements.
MailerLite — Lithuania
MailerLite UAB is incorporated in Vilnius, Lithuania and supervised by the State Data Inspectorate (Valstybinė duomenų apsaugos inspekcija). MailerLite offers email marketing and basic automation at competitive price points. It is a smaller, simpler platform than GetResponse but carries identical EU-native compliance advantages. MailerLite processes data in EU-based infrastructure.
CleverReach — Germany
CleverReach GmbH & Co. KG is incorporated in Germany (Rastede, Lower Saxony) and supervised by the Landesbeauftragte für den Datenschutz Niedersachsen (LfD Nds). CleverReach is particularly suited to German and DACH-market organisations where German-language support, DSGVO (German GDPR implementation) expertise, and local legal relationships matter. It is focused on email marketing rather than full marketing automation.
Rapidmail — Germany
Rapidmail GmbH is incorporated in Freiburg im Breisgau, Germany. A smaller platform than CleverReach, Rapidmail focuses on simplicity and DSGVO compliance for SMB clients in the German market. Supervised by the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg.
Mautic — Self-Hosted
Mautic is an open-source marketing automation platform originally created by DB Hurley and now managed by the Mautic Association (a nonprofit incorporated in the Netherlands). Self-hosted Mautic eliminates any third-party processor relationship: data stays on the controller's own servers, subject only to the controller's own compliance obligations. Self-hosted deployment requires technical resources for server management, security patching, and deliverability infrastructure (SPF, DKIM, DMARC, dedicated IP reputation).
Choosing Between GetResponse and Other EU-Native Platforms
The platform selection decision for EU organisations should proceed through the following considerations:
Marketing automation depth
GetResponse offers the most complete EU-native marketing automation stack: visual workflow builder, behavioural scoring, CRM integration, conversion funnels, landing pages, webinar integration, and SMS. For organisations that need a single EU-native platform combining email marketing, automation, and light CRM, GetResponse is the most capable option without crossing into US-jurisdiction software.
Price sensitivity
At equivalent contact list sizes, GetResponse is competitively priced against Mailchimp and Klaviyo, and offers a free tier (limited to 500 contacts) — a significant advantage for early-stage organisations. MailerLite offers a more generous free tier (1,000 contacts). CleverReach has no free tier.
Sector-specific DPA authority preferences
For regulated sectors — banking supervised by BaFin and ECB, healthcare subject to national health data laws, critical infrastructure — the supervisory authority of the processor's jurisdiction may be a selection criterion. UODO (Poland), CNIL (France), and the German state DPAs have different enforcement histories, cooperation patterns, and sector expertise. Organisations where the supervisory authority relationship matters should select based on regulatory fit.
Feature gaps
GetResponse does not offer the predictive AI features that US platforms have invested heavily in — predictive send time optimisation, AI-generated content, and contact scoring based on machine learning. For EU organisations that require advanced AI-augmented marketing automation, none of the fully EU-native platforms currently match US platform AI capabilities. The compliance trade-off between AI feature richness and CLOUD Act exposure is a decision for each organisation to make explicitly.
The EU-EMAIL-MARKETING-SERIE: Where GetResponse Fits
The five platforms covered so far in this series fall into two compliance categories:
| Platform | Jurisdiction | CLOUD Act exposure | For EU organisations |
|---|---|---|---|
| Mailchimp (Intuit) | Delaware/California | ✓ Direct | Replace with EU-native |
| Klaviyo | Delaware (NYSE) | ✓ Direct | Replace with EU-native |
| Constant Contact (Newfold) | Delaware (PE-owned) | ✓ Direct | Replace with EU-native |
| ActiveCampaign | Delaware/Illinois (PE) | ✓ Direct | Replace with EU-native |
| GetResponse | Poland (EU) | ✗ Indirect via US subsidiary | EU-native, verify sub-processors |
GetResponse is the correct landing point for EU organisations migrating away from the US platforms. The migration path is:
- Export contact lists, tags, and custom field data from the US platform
- Map the custom field schema to GetResponse field configuration
- Rebuild automation workflows in GetResponse's visual builder
- Execute the Data Processing Agreement with GetResponse S.A.
- Verify EU server location in writing
- Update privacy policy to reflect the new processor and the change from SCC-based transfer to EU-to-EU processing
- Update your ROPA (Article 30 record) to remove the US platform and add GetResponse S.A.
The final step — removing the Standard Contractual Clauses and Transfer Impact Assessment from your GDPR documentation — represents a measurable compliance improvement that can be reported to DPOs, Legal teams, and regulatory contacts with a specific before/after demonstration.
Summary: GetResponse Is the EU-Native Solution This Series Has Been Building Toward
Four platforms into this series, every option examined has been a US-domiciled entity subject to the CLOUD Act. Every DPA offered, every EU data residency commitment made, and every Standard Contractual Clause executed by those platforms does not alter the structural fact that the controlling legal entity is a domestic US person whose data obligations to US federal authorities supersede its contractual commitments to EU processors.
GetResponse is the answer to that structural problem within the email marketing category. It was founded and remains headquartered in Gdańsk, Poland. Its primary legal entity is a Polish S.A. subject to Polish law and UODO oversight. EU customers contract with the Polish entity. EU data is processed on EU infrastructure. No SCCs are required. No Transfer Impact Assessment is needed.
The existence of GetResponse Inc. (Delaware) should be verified and understood — EU compliance teams should confirm in writing that GetResponse Inc. has no custody or control over EU customer data. That verification step is standard processor due diligence and is categorically simpler than the impossible task of producing a clean Transfer Impact Assessment for Mailchimp, Klaviyo, Constant Contact, or ActiveCampaign.
For EU organisations that have used US email marketing platforms, the migration to GetResponse is the operationally straightforward path to eliminating a structural CLOUD Act compliance liability.
Platform Comparison: EU-Native Email Marketing Options
| Criteria | GetResponse | Brevo (FR) | MailerLite (LT) | CleverReach (DE) | Mautic (self-hosted) |
|---|---|---|---|---|---|
| EU incorporated | ✓ Poland | ✓ France | ✓ Lithuania | ✓ Germany | ✓ NL nonprofit |
| No US parent | ✓ | ✓ | ✓ | ✓ | ✓ Open source |
| CLOUD Act direct exposure | ✗ No | ✗ No | ✗ No | ✗ No | ✗ No |
| US subsidiary exists | ✓ GetResponse Inc. (Delaware) | ✗ No | ✗ No | ✗ No | N/A |
| EU data on EU servers | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | Controller-managed |
| SCCs required | ✗ No | ✗ No | ✗ No | ✗ No | N/A |
| GDPR supervisory authority | UODO (PL) | CNIL (FR) | State DPI (LT) | LfD Nds (DE) | Controller's DPA |
| Free tier available | ✓ 500 contacts | ✓ 300 emails/day | ✓ 1,000 contacts | ✗ No | ✓ (self-hosted) |
| Marketing automation | ✓ Full | ✓ Full | ✓ Basic | ✓ Basic | ✓ Full |
| Built-in CRM | ✓ Yes | ✓ Yes | ✗ No | ✗ No | ✓ Yes |
| Landing pages | ✓ Yes | ✓ Yes | ✓ Yes | ✗ Limited | ✓ Yes |
| PE/VC ownership | ✗ Bootstrapped | ✗ Independent | ✗ Independent | ✗ Independent | ✗ Community |
See Also
- Mailchimp EU Alternative 2026: Intuit CLOUD Act and GDPR Email Marketing Risk
- Klaviyo EU Alternative 2026: NYSE Delaware Corp, CLOUD Act E-Commerce Risk
- Constant Contact EU Alternative 2026: Newfold Digital Delaware Corp, CLOUD Act Exposure
- ActiveCampaign EU Alternative 2026: Illinois/Delaware Corp, CLOUD Act Exposure, and GDPR Risk
This article is part of the sota.io EU Cyber Compliance Series. For questions about GDPR-compliant infrastructure deployment in the EU, see sota.io.