What Klaviyo says officially
Klaviyo’s current privacy FAQs tell customers that its Acceptable Use Policy prohibits sensitive or special-category personal information, including health data. The Acceptable Use Policy sets that restriction on use of the service, while the Terms of Service incorporate the customer’s obligations.
The restriction applies to the data submitted to Klaviyo, not only to a particular email template or plan. Profiles, events, custom properties, forms, segments, messages, analytics, and connected systems can all introduce prohibited health information.
That express policy supports a “no” verdict for PHI. General security or privacy features cannot override a data category the vendor prohibits.
What this means for a medical practice
Marketing automation builds a detailed picture from contact data, web activity, purchases, message engagement, tags, and predicted behavior. In healthcare, a profile property such as diagnosis, an event for booking a procedure, or membership in a treatment-specific segment can reveal PHI.
Context can be enough even without a clinical field. A campaign sent only to named fertility patients, a form embedded on a condition page, or an abandoned-booking event tied to a recipient may disclose a healthcare relationship. Syncing an EHR or scheduling database into Klaviyo can transfer more data than the marketing team sees on screen.
A HIPAAconscious medical website should not load Klaviyo tracking on a patient or treatment journey where events may reveal PHI. Our healthcare marketing guidance supports public education and brand communication without turning clinical records into advertising profiles.
If a practice uses Klaviyo for a genuinely non-health retail business, it should keep that account and data source separated from the medical practice. A shared customer table, domain-wide tracking script, or cross-account automation could defeat the separation.
Removal requires more than deleting a visible profile property. Review event payloads, historical imports, suppressed profiles, segments, message previews, analytics, data-warehouse syncs, support attachments, and integration logs. If prohibited information was already submitted, preserve the facts needed for the practice’s incident process and use Klaviyo’s documented support and deletion mechanisms rather than silently renaming the field.
Teams should also prevent reintroduction. Document approved list sources and fields, remove medical-site tracking, restrict API keys, and require review before a new form or integration goes live. Use fictional contacts for testing. Staff who receive a clinical reply to a marketing message should redirect the sender to an approved channel and avoid copying the health details into profile notes or internal campaign comments.
Compliant alternatives
Constant Contact offers a standard BAA request path for a narrow outreach use that permits basic relationship context while excluding sensitive PHI. HubSpot permits PHI only in Enterprise accounts with Sensitive Data enabled, an accepted BAA, properly flagged properties, and use of listed covered services.
Neither alternative should become a diagnosis-based advertising database. Select a platform only after defining the minimum contact data, allowed message types, website tracking boundary, account users, retention, and integrations.
Bottom line
Do not place PHI or health-related profile data in Klaviyo. Its current policies prohibit health and other sensitive personal data. Keep profiles, segments, forms, messages, events, tracking, support, and connected systems outside the patient-data flow.