Does your website use third-party services? Get GDPR compliant in minutes.

LaunchDarkly

What does LaunchDarkly do?

LaunchDarkly is a US feature flag and experimentation platform. It can be used server side without browser cookies, which keeps it low risk under GDPR when the context is properly anonymised.

What LaunchDarkly is

LaunchDarkly is a feature management and experimentation platform operated by LaunchDarkly Inc., headquartered in Oakland, California. It lets engineering and product teams release features gradually, run A/B experiments and target features by user segments. SDKs are available for most languages, both client and server side.

Data and cookies set

Server side SDKs send no browser cookies. Client side SDKs use localStorage to cache flag values keyed by an anonymous or known user context. Experimentation events include the flag key, the variation, the context key and a timestamp. The context can be made anonymous to reduce risk.

GDPR and ePrivacy implications

Feature flag evaluation with anonymous contexts and no persistent storage on the device usually does not trigger Article 5(3) ePrivacy: it can rely on legitimate interest. Experimentation that personalises features for identified users requires consent under Article 6(1)(a) GDPR.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Consent requirements

Use anonymous contexts whenever possible. If you target features by identifiable user attributes or run experiments that profile users, gate the SDK behind a CMP.

Data transfers outside the EEA

Default plans process data in the United States. LaunchDarkly offers an EU region (Frankfurt) on enterprise tiers. SCCs and the EU US Data Privacy Framework cover the US transfer; a transfer impact assessment is recommended.

Practical compliance steps

Prefer server side SDKs, use anonymous context keys, enable EU region where available, sign the DPA with SCCs, run a DPIA if you experiment on identifiable users and document the third country transfer.

GDPR consent category

Marketing

Websites using LaunchDarkly must obtain user consent under GDPR regulations.

Legal basisLegitimate interest (Article 6(1)(f) GDPR) for feature flag evaluation when properly anonymised. Consent (Article 6(1)(a) GDPR) when flag context contains identifiable behavioural data or when LaunchDarkly stores client side cookies for experimentation

Risk levelmedium

Applicable regulationsGDPR, ePrivacy Directive 2002/58/EC, French CNIL guidelines, German TDDDG, Spanish LSSI

DPIA considerations

A DPIA may be required when LaunchDarkly contexts include identifiable user attributes or behavioural data linked to advertising. Prefer anonymous keys, enable EU residency where available and document the third country transfer.

Sample consent text

Our website uses LaunchDarkly, a feature flag and experimentation platform operated by LaunchDarkly Inc. (United States), to gradually release features. Flag evaluation is performed on anonymous contexts. If you allow optional cookies, your usage data may be sent to LaunchDarkly under SCCs and the EU US Data Privacy Framework.

Technical details

Tracking methodapi_integration

Server locationUnited States (AWS) with optional EU region (Frankfurt) for federal and enterprise tiers

Cookieless tracking availableYes

Data transferred outside the EULaunchDarkly Inc. is a US company headquartered in Oakland, California. Feature flag evaluations and analytics events are processed in the United States by default. An EU region option is available on enterprise tiers. SCCs and the EU US Data Privacy Framework apply.

Third-party domains contacted

app.launchdarkly.comclientstream.launchdarkly.comevents.launchdarkly.com

Cookies placed

Name	Type	Duration	Purpose
ld:$anonUserId	first_party	Persistent (localStorage)	Stores cached feature flag values keyed by an anonymous or known context (localStorage rather than HTTP cookie).
ld:goals	first_party	Persistent (localStorage)	Stores experimentation goal tracking data for the LaunchDarkly client SDK.

LaunchDarkly places tracking cookies for advertising — comply with GDPR using FlowConsent.

Get started free Scan your site

Frequently asked questions

Which cookies does LaunchDarkly set?

Server side SDKs set no cookies. Client side SDKs cache flag values in localStorage indexed by an anonymous or known context. No third party advertising cookies are involved.

Do I need consent?

Usually no for server side evaluation with anonymous contexts. Yes for client side experimentation that profiles identified users.

What is the legal basis?

Legitimate interest under Article 6(1)(f) GDPR for anonymous evaluation. Consent for experiments that personalise features for identified users.

Are any data transferred to the United States?

Yes by default. EU region (Frankfurt) is available on enterprise tiers. SCCs and the EU US Data Privacy Framework cover the transfer.

Is a DPIA needed?

Recommended when contexts include identifiable user attributes or behavioural data linked to advertising.

How do I implement compliance correctly?

Prefer server side SDKs, use anonymous context keys, enable EU region where available, sign the DPA with SCCs and document the transfer.

What are the alternatives?

Flagsmith (EU hosting available), Unleash (self hosted open source), Statsig, ConfigCat, GrowthBook (open source, EU friendly).

How do I update the cookie policy?

Document any localStorage entry used by the LaunchDarkly client SDK and the third country transfer.

Get compliant — Try FlowConsent free

Free plan · 10-min setup