Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Single page website builder by AJ. Carrd hosts static personal sites, portfolios and landing pages on Cloudflare with minimal first party cookies.
Carrd is a single page website builder created by an independent developer known as AJ. It is widely used for personal profiles, portfolios, link in bio pages and lightweight landing pages. Published Carrd sites are essentially static HTML pages served from Cloudflare edge locations, which keeps the tracking footprint very small compared with full content management systems.
By default a visitor encounters two cookies. Cloudflare drops a strictly necessary bot management cookie called __cf_bm to protect the site from abusive traffic. The Carrd platform itself sets an authentication session cookie when the site owner is logged into the editor. Neither cookie is used for marketing or cross site profiling. Published pages may, however, embed Google Fonts, Google Analytics, Stripe, MailChimp, YouTube or custom scripts when the site owner enables those features. Each of those embeds brings its own cookies and trackers.
The Cloudflare bot cookie and the Carrd editor cookie qualify as strictly necessary under Article 5(3) of the ePrivacy Directive, so they do not require prior consent. Any embedded analytics or advertising widget, however, triggers Article 5(3) consent plus a valid Article 6(1)(a) GDPR legal basis. The site owner is the controller for the visitor data, while Carrd LLC and Cloudflare act as processors.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Carrd LLC is based in the United States and Cloudflare also operates from the United States with global edge delivery. EU visitors are typically routed to an EU Cloudflare PoP, but log data and account information are processed in the US. Transfers rely on the EU US Data Privacy Framework where the recipient is certified, supplemented by Standard Contractual Clauses.
Publish a privacy notice that lists Carrd and Cloudflare as processors and discloses the United States transfer. If you embed analytics, ads, social or font widgets, add a consent banner that loads them only after opt in. Use a self hosted Google Fonts file or a privacy friendly alternative to avoid IP leakage. Keep contact form data minimal and document your retention periods.
Websites using Carrd must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is not required for a typical Carrd site that serves static content without analytics. Publishers should still run a short Article 35 screening when they embed advertising pixels, behavioural analytics, fingerprinting widgets or process special category data through forms. Document the Cloudflare and Carrd processors, the transfer mechanism to the United States, and any third party scripts injected into the page.
Sample consent text
We use a strictly necessary Cloudflare cookie to keep this site secure and a Carrd session cookie when the site owner edits the page. These do not require your consent. If we embed analytics, advertising or social widgets, those will only load after you accept the relevant categories below. You can change your choice at any time.
Third-party domains contacted
carrd.cocloudflare.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | strictly_necessary | 30 minutes | Cloudflare bot management cookie that protects the Carrd hosted page from automated abusive traffic. Considered strictly necessary under Article 5(3) ePrivacy and exempt from consent. |
| carrd_session | strictly_necessary | Session | Authentication cookie set by the Carrd platform when the site owner is logged into the editor. Used only for editor authentication, not for visitor tracking. |
Carrd collects user analytics data — you legally need a consent banner. Try FlowConsent free.
By default Carrd serves your published page through Cloudflare which sets the strictly necessary __cf_bm bot management cookie. The Carrd platform sets a session authentication cookie only when the site owner is logged into the editor. No marketing cookies are set unless you embed third party widgets.
You do not need consent for the Cloudflare bot management cookie or the Carrd editor cookie because both are strictly necessary. If you embed Google Analytics, Meta Pixel, MailChimp tracking, YouTube or custom marketing scripts you must collect prior opt in consent before they load.
Article 6(1)(f) GDPR legitimate interest covers the strictly necessary platform cookies. Optional widgets you embed require Article 6(1)(a) GDPR consent in combination with Article 5(3) of the ePrivacy Directive. Form submissions usually rely on Article 6(1)(b) contract performance or Article 6(1)(a) consent.
Yes. Carrd LLC and Cloudflare both operate from the United States. Cloudflare serves the page through EU edge nodes but logs are processed in the US. Transfers rely on the EU US Data Privacy Framework where the recipient is certified and on Standard Contractual Clauses otherwise.
For a basic static Carrd site without analytics, a DPIA is not required. A short Article 35 screening is recommended if you add behavioural analytics, advertising pixels, fingerprinting widgets or collect special category data through embedded forms.
Disclose Carrd and Cloudflare as processors, document the US transfer, restrict embedded scripts to those you really need, gate optional widgets behind a consent banner, and self host fonts where possible to avoid IP leakage.
Privacy friendly alternatives include EU hosted page builders such as Webflow with EU workspaces, Framer with EU hosting, Cloudflare Pages on its own with no editor cookies, or static site generators such as Hugo or Astro deployed on Netlify or Vercel EU regions.
List the __cf_bm Cloudflare cookie and the Carrd editor session cookie as strictly necessary. Add a section for any optional embeds such as Google Analytics or Stripe. Refresh the policy whenever you add or remove a script and record the change in your records of processing.