Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Dyte is a developer platform offering WebRTC based video, voice and live chat SDKs, acquired by Cloudflare in 2023 and integrated into Cloudflare Realtime. It powers embedded video calls in telehealth, e-learning, customer support and remote work apps through prebuilt UI components and REST APIs. Audio and video streams flow through Cloudflare and Dyte infrastructure in the United States and India, which triggers GDPR consent and cross-border transfer obligations for European deployments.
Dyte is a developer platform that provides WebRTC based SDKs and APIs for embedding live video, voice and chat into websites and applications. It was acquired by Cloudflare in late 2023 and is now part of the Cloudflare Realtime product line, sharing the same global edge network for low latency media routing.
Typical use cases include telehealth consultations, online classrooms, remote sales, customer support video calls and collaborative tools. Dyte exposes prebuilt UI components, headless SDKs for web and mobile, and REST APIs for meeting management and recording.
When the Dyte SDK is loaded on a page, it fetches JavaScript and configuration from Dyte and Cloudflare domains, opens WebSocket signalling channels and negotiates peer connections for audio and video. During a session it processes audio and video streams, screen shares, chat messages, participant names, device identifiers, IP addresses, browser and operating system metadata, plus quality of service telemetry.
Dyte itself relies mainly on session storage and local storage for SDK state, but also sets a small number of functional cookies on its prebuilt meeting portal (app.dyte.io) for authentication, session continuity and consent preferences. Audio and video streams can qualify as biometric data when processed for unique identification, which engages the special category regime of Article 9 GDPR.
Loading Dyte from a third party domain and writing to local storage on the user device falls under Article 5(3) of the ePrivacy Directive. Prior consent is required unless the storage is strictly necessary for a service explicitly requested by the user, which is typically only the case once they have actively asked to join a meeting.
Under the GDPR, the operator of the site is the controller, while Dyte/Cloudflare acts as processor under a Data Processing Addendum. The risk profile is elevated by the use of WebRTC media streams, persistent device identifiers, fingerprinting signals from getUserMedia, and cross-border routing through US and Indian infrastructure.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For a contact widget that loads the Dyte SDK proactively on every page, opt-in consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy is the safest legal basis. The SDK and all related cookies must remain blocked until the user accepts the relevant category in the consent banner.
When the meeting itself is the requested service (for example a scheduled telehealth appointment), Article 6(1)(b) contract performance may justify the core processing, but tracking cookies, analytics events and recording features still need separate consent.
Cloudflare and Dyte operate a global infrastructure with primary presence in the United States and India. European audio, video and signalling data is regularly routed through US and Indian servers. The United States is covered by the EU-US Data Privacy Framework when Cloudflare is certified, otherwise Standard Contractual Clauses apply, supplemented by encryption in transit and at rest.
India does not benefit from an EU adequacy decision, so Standard Contractual Clauses under Article 46(2)(c) GDPR plus a Transfer Impact Assessment are required. Document the routing logic and any data residency options offered by Cloudflare Realtime in your records of processing.
Lazy load the Dyte SDK only after the user grants consent or actively initiates a call, sign the Cloudflare/Dyte Data Processing Addendum, and reference both Dyte and Cloudflare in your privacy policy as joint subprocessors. Disable session recording by default and offer an explicit opt-in before any meeting is recorded.
Run a Data Protection Impact Assessment for telehealth, education and HR use cases, restrict access to recordings, configure short retention periods, and review Cloudflare Realtime documentation for region pinning options. Keep an up to date list of Dyte domains in your Content Security Policy and consent management tool.
Websites using Dyte must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended whenever Dyte is used for telehealth, online education, HR interviews or any context that may capture special category data. Key considerations: (1) audio and video streams can be biometric data under Article 9 GDPR when used for unique identification; (2) WebRTC exposes IP addresses, device IDs and codec capabilities that enable fingerprinting; (3) data flows through US and Indian infrastructure, requiring SCCs and a Transfer Impact Assessment; (4) recording functionality must be reviewed for purpose limitation, retention and access control; (5) joint subprocessor relationship between Dyte and Cloudflare needs to be documented; (6) consent withdrawal must terminate the SDK session and delete client side identifiers.
Sample consent text
We use Dyte (now part of Cloudflare Realtime) to provide embedded video, voice and chat features. When you accept, the Dyte SDK loads JavaScript, opens a WebRTC connection and processes your audio, video, screen share and device metadata. Streams are routed through Cloudflare and Dyte servers in the United States and India under Standard Contractual Clauses. You can withdraw your consent at any time from our cookie settings, which will stop loading the SDK and end any active session.
Third-party domains contacted
dyte.ioapp.dyte.ioapi.dyte.iorealtime.dyte.iocdn.dyte.iovideo.dyte.ioassets.dyte.iocloudflare.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| dyte-auth-token | Functional / Authentication | Session | Authenticates the user inside the Dyte meeting portal (app.dyte.io) |
| dyte-preferred-input | Functional / Preferences | 1 year | Remembers the preferred microphone and camera devices for the next session |
| dyte-consent | Functional / Consent | 6 months | Stores the user consent preferences for the Dyte meeting portal |
| __cf_bm | Functional / Bot management (Cloudflare) | 30 minutes | Cloudflare bot management cookie set when serving Dyte assets through the Cloudflare edge |
| cf_clearance | Functional / Security (Cloudflare) | 30 days | Cloudflare challenge clearance cookie used to verify the visitor passed a security check |
Dyte places tracking cookies for advertising — comply with GDPR using FlowConsent.
Dyte relies mainly on session storage and local storage for SDK state. Its prebuilt meeting portal at app.dyte.io also sets a small number of functional cookies for authentication, session continuity and consent preferences. Marketing or analytics cookies are not part of the core SDK, but can be added by your own integrations.
Yes. The Dyte SDK loads third-party JavaScript and writes to the user device, which falls under Article 5(3) ePrivacy. Prior consent is required unless the call is the service the user explicitly requested. Block the SDK until consent is given in the cookie banner.
For optional widgets, the legal basis is consent under Article 6(1)(a) GDPR. When the meeting is the requested service, contract performance under Article 6(1)(b) GDPR may justify the core call processing, but any tracking, analytics or recording still requires consent.
Yes. Audio, video and signalling data are routed through Cloudflare and Dyte infrastructure in the United States and India. Transfers rely on the EU-US Data Privacy Framework when Cloudflare is certified, or on Standard Contractual Clauses, supplemented by a Transfer Impact Assessment for India.
A DPIA is strongly recommended for telehealth, online education, HR interviews or any case that may involve special category data. Audio and video can be biometric data under Article 9 GDPR, persistent identifiers enable profiling, and routing through US and Indian infrastructure adds risk.
Lazy load the SDK only after consent or user-initiated calls. Sign the Cloudflare/Dyte DPA. List both as subprocessors in your privacy policy. Disable session recording by default, configure retention and access controls, and add the Dyte domains to your Content Security Policy.
Alternatives include Daily.co, Twilio Video, Vonage Video API, Whereby Embedded, Jitsi (open source, self-hosted), LiveKit (open source SDKs), and 100ms. Some offer EU only data residency or stronger documentation for telehealth, which may simplify your compliance.
List Dyte as a third-party communication service in the cookies and SDKs section. Mention the functional cookies on app.dyte.io, the use of WebRTC, the data categories (audio, video, chat, metadata), the joint Cloudflare/Dyte processing chain, and the transfer to the United States and India under SCCs.