Flagsmith is a UK-based open-source feature flag and remote configuration platform competing with LaunchDarkly, Unleash and GrowthBook. Engineering teams use it to roll out features progressively, run A/B tests, and target specific user segments. From a GDPR perspective, Flagsmith is one of the most privacy-friendly options: the platform can be self-hosted entirely on the customer's infrastructure, the SaaS offering has an EU region, and the UK has an EU adequacy decision so transfers do not require SCCs.
Flagsmith is an open-source feature flag and remote configuration platform built by a UK company. Engineering teams use it to launch features gradually, run A/B tests, segment users for targeted rollouts, and remotely configure application behaviour without redeploying code.
At flag evaluation time, the SDK sends a user identifier (anonymous or authenticated) and a set of traits (key-value attributes such as country, plan, signup_date) to the Flagsmith server. The server returns the flag values applicable to that user. Flagsmith stores the evaluation log for audit. No browser cookies are set by default.
Because Flagsmith does not set cookies on visitors, Art. 5(3) ePrivacy does not apply. The privacy impact comes entirely from what traits the engineering team chooses to send. Avoid sending sensitive attributes (medical condition, religion, political opinion) unless the use case has a clear Art. 9 GDPR basis. The lawful basis for non-sensitive trait-based evaluation is legitimate interest.
Three deployment options: (1) Flagsmith SaaS hosted in the UK; (2) Flagsmith SaaS hosted in the EU (Frankfurt); (3) self-hosted on your infrastructure (Kubernetes/Docker). Self-hosting eliminates third-party data flows entirely and is the strongest compliance posture. UK SaaS benefits from the EU adequacy decision so transfers do not require SCCs.
Document which traits each flag uses. Avoid sensitive traits. Use anonymous identifiers where possible. Configure log retention to the minimum useful for debugging. Establish a process for handling DSR (right to erasure) by deleting user identities from Flagsmith.
1. Choose hosting (SaaS EU, SaaS UK or self-hosted).
2. Sign DPA (for SaaS) or skip (self-hosted).
3. Document Flagsmith in your Record of Processing Activities.
4. Audit traits and exclude sensitive ones.
5. Configure log retention.
6. Map flag evaluation into DSR workflow.
7. Disclose Flagsmith in privacy notice for SaaS.
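The trait audit and anonymous-identifier advice above can be enforced in code at the point where your application builds the identity and traits it hands to the Flagsmith SDK. The following is an added example, not Flagsmith's own code or SDK: it gates traits through a documented allowlist, flags keys that would need an Art. 9 basis, and derives a keyed pseudonym from the account ID so the raw ID never reaches Flagsmith. The allowlist, sensitive-key list and secret are assumptions constructed for the example; the resulting identifier and trait dict are what you would pass to the SDK's identity-flags call.

```python
import hashlib
import hmac

# Assumption: traits the team has documented per flag (your own inventory, not a Flagsmith setting).
ALLOWED_TRAITS = {"country", "plan", "language", "signup_date", "beta_user"}

# Assumption: trait keys that would need an Art. 9 GDPR basis; constructed for this example.
SENSITIVE_TRAITS = {"medical_condition", "religion", "political_opinion", "health", "ethnicity"}


def sanitize_traits(traits):
    """Split candidate traits into those safe to send and those rejected.

    Returns (to_send, rejected) where rejected maps key -> reason
    ("sensitive" for Art. 9 categories, "undocumented" for keys
    missing from the per-flag trait inventory).
    """
    to_send = {}
    rejected = {}
    for key, value in traits.items():
        if key in SENSITIVE_TRAITS:
            rejected[key] = "sensitive"
        elif key not in ALLOWED_TRAITS:
            rejected[key] = "undocumented"
        else:
            to_send[key] = value
    return to_send, rejected


def pseudonymous_identifier(account_id, secret):
    """Derive a stable pseudonym from the account ID with HMAC-SHA256.

    The same account always maps to the same identifier (so flag
    evaluation stays consistent), but Flagsmith only ever sees the
    pseudonym. For a right-to-erasure request, recompute this value
    and delete that identity in Flagsmith.
    """
    digest = hmac.new(secret, account_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


if __name__ == "__main__":
    # Constructed sample input: one documented trait, one sensitive, one undocumented.
    candidate = {"country": "DE", "plan": "pro", "medical_condition": "x", "shoe_size": 42}
    safe, dropped = sanitize_traits(candidate)
    ident = pseudonymous_identifier("user-42", b"example-secret-do-not-use")
    print("identifier:", ident)
    print("traits sent:", safe)
    print("traits rejected:", dropped)
```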
DPIA considerations
Flagsmith processes user identifiers (anonymous or authenticated) and traits (segmentation attributes such as plan, country, beta_user) to evaluate feature flags. Key DPIA considerations: (1) the privacy impact depends entirely on what traits the engineering team sends; sensitive attributes (e.g. medical condition) require Art. 9 GDPR justification; (2) the self-hosted option eliminates third-party data flows; (3) for SaaS, the UK adequacy decision simplifies transfers; (4) flag evaluation logs may retain user identifiers and should be subject to retention policies. A streamlined DPIA is sufficient for typical use.
Sample consent text
We use Flagsmith to enable, disable or test features on our site. Flagsmith evaluates a user identifier (anonymous or your account ID) and basic traits (such as language or plan) on its infrastructure in the UK or EU. The UK has an EU adequacy decision so data is protected at the EU level. No tracking cookies are set on your browser.
Third-party domains contacted
flagsmith.com, api.flagsmith.com, edge.api.flagsmith.com, app.flagsmith.com
No, by default Flagsmith does not set cookies on visitors. The SDK communicates server-to-server or via Ajax requests carrying a user identifier and traits.
Not for flag evaluation itself. If a flag is tied to a behavioural identifier (e.g. cohort from analytics), ensure the underlying tracking has the right consent.
Legitimate interest for non-sensitive trait-based evaluation. For sensitive traits, an Art. 9 GDPR basis is required.
For SaaS UK, EU adequacy decision covers transfers without SCCs. For SaaS EU, no transfer outside the EU. For self-hosted, no third-party transfer.
Streamlined DPIA sufficient. Full DPIA if you send sensitive traits or operate as a critical NIS2 entity.
Choose EU or UK SaaS or self-host, audit traits, anonymise identifiers where possible, document in Record of Processing Activities, configure log retention, integrate with DSR workflow.
EU-friendly: GrowthBook (US, open source self-hostable), Unleash (Norway, open source), ConfigCat (Hungary). LaunchDarkly is the dominant US competitor.
For SaaS, disclose Flagsmith Ltd. as processor and the UK/EU hosting region. For self-hosted, document Flagsmith as an internal technical measure.