Redux Framework is a popular WordPress options framework used by theme and plugin developers to build admin settings panels. It is a back end PHP library that also loads JavaScript in the WordPress admin and, in some theme integrations, on the front end. Some versions communicate with redux.io endpoints for license verification, update checks, or anonymous usage statistics. Privacy obligations apply primarily when assets load on the public front end or when telemetry is enabled.
Redux Framework is a WordPress options framework, that is, a developer toolkit that helps theme and plugin authors build the configuration screens that site owners see inside the WordPress admin. It is maintained by ReduxCore and bundled in many commercial themes sold on marketplaces like ThemeForest. Strictly speaking it is a back end PHP library, but it also enqueues JavaScript and CSS in the WordPress admin to render its option panels, color pickers, media selectors, and live previews. Some themes call Redux helpers on the public front end, which is when privacy obligations typically come into scope.
In a default WordPress admin scenario, Redux Framework itself does not set tracking cookies. The session is governed by WordPress core cookies such as wp-settings-* and the authentication cookies, which exist regardless of Redux. Older versions of Redux Framework included an opt-in or, in some releases, opt-out anonymous tracking feature that sent aggregate usage statistics (active theme, plugin version, PHP version) to ReduxCore endpoints. License and update checks may transmit a domain name, license key, and product slug to redux.io. When a theme loads Redux assets on the front end, the visitor's browser fetches scripts from the site, which logs an IP address and user agent server-side.
The compliance picture depends on where Redux Framework runs. For pure admin usage by site administrators, the operator is generally both controller and data subject, and consumer facing rules like Art. 5(3) ePrivacy Directive do not apply to visitors. Once a theme exposes Redux assets to public visitors, ePrivacy is triggered for any storage or access of information on the device, and the GDPR applies to any visitor IP addresses or identifiers that reach US servers. Telemetry features, where active, qualify as processing of metadata that may be linked to a site and therefore to the natural persons operating it.
Where Redux Framework only runs in the WordPress admin and no telemetry leaves the server, no visitor consent is required. Where a theme loads Redux JavaScript on public pages, prior informed consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR is the safe legal basis, because the loading is not strictly necessary for a service requested by the visitor. License verification calls initiated by the administrator can usually rest on legitimate interest (Art. 6(1)(f) GDPR), provided the data flows are documented and proportionate. Telemetry options should be disabled unless a separate basis is identified.
ReduxCore is based in the United States and uses Cloudflare, so any license, update, or telemetry request from an EU site becomes an international transfer that needs an Art. 46 GDPR safeguard such as the EU-US Data Privacy Framework or Standard Contractual Clauses. Practical steps: disable any Redux tracking option in your theme settings, audit whether your theme enqueues Redux assets on the front end and dequeue them where unnecessary, gate any remaining front-end loading behind your consent banner, document license check traffic in your records of processing, and update your privacy policy to mention ReduxCore as a processor where applicable.
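The front-end audit step above can be scripted against the HTML a logged-out visitor receives before giving consent. The following is an added example, not code from Redux or from this page's publisher. The directory markers `redux-framework` and `ReduxCore`, the site `shop.example`, and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# ReduxCore-owned entries from this page's "Third-party domains contacted" list.
REDUX_DOMAINS = ("redux.io", "reduxframework.com")
# Assumption: themes bundle Redux under a directory with one of these names.
PATH_MARKERS = ("redux-framework", "reduxcore")

class AssetCollector(HTMLParser):
    """Collect URLs the browser fetches on its own (not links a user must click)."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.assets.append(urljoin(self.base_url, a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.assets.append(urljoin(self.base_url, a["href"]))

def audit_front_end(html, page_url):
    """Return (reason, url) findings for one public page."""
    collector = AssetCollector(page_url)
    collector.feed(html)
    site_host = urlparse(page_url).hostname
    findings = []
    for url in collector.assets:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Exact host or true subdomain only, so look-alike hosts do not match.
        if any(host == d or host.endswith("." + d) for d in REDUX_DOMAINS):
            findings.append(("third-party request to ReduxCore", url))
        elif host == site_host and any(m in parsed.path.lower() for m in PATH_MARKERS):
            findings.append(("Redux asset enqueued on front end", url))
    return findings

# Constructed sample: a public page as served before any consent choice.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css">
<link rel="stylesheet" href="/wp-content/themes/example-theme/inc/ReduxCore/assets/css/redux.css">
<script src="//cdn.redux.io/example.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><a href="https://redux.io/">Built with Redux</a></body></html>"""

if __name__ == "__main__":
    for reason, url in audit_front_end(SAMPLE_HTML, "https://shop.example/"):
        print(f"{reason}: {url}")
```

Each finding is a candidate for dequeuing or for gating behind the consent banner; an empty result for every public template supports treating the installation as admin only.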
Websites using Redux Framework must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA is not usually required for admin only usage of Redux Framework because it does not systematically process personal data of website visitors. A targeted risk assessment is sensible when telemetry features are enabled, when license verification routes data through US servers, or when a theme using Redux Framework loads framework assets on the public front end and may transmit visitor identifiers.
Sample consent text
This site uses Redux Framework assets loaded by our WordPress theme. When you accept, these scripts may load on public pages and the framework may communicate with redux.io for licensing or update checks, which can involve a transfer of technical data to the United States.
Third-party domains contacted
redux.io, cdn.redux.io, support.redux.io, api.redux.io, tracking.redux.io, reduxframework.com, cloudflare.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wp-settings-{user_id} | first_party | 1 year | WordPress core cookie that persists admin UI preferences (column visibility, screen options). Present whenever a Redux Framework options screen is used. Set by WordPress, not by Redux itself. |
| wp-settings-time-{user_id} | first_party | 1 year | Companion WordPress core cookie storing the last time wp-settings was updated. Functional, set by WordPress core regardless of Redux. |
| wordpress_logged_in_{hash} | first_party | Session or 14 days with remember me | WordPress authentication cookie required to access the admin where Redux Framework runs. Strictly necessary for the administrator session. |
| redux_notice_dismiss | first_party | 1 year | Optional cookie used by some Redux Framework versions to remember that an admin notice has been dismissed. Exact name varies by theme integration and is only set in the WordPress admin. |
| __cfduid / cf_clearance | third_party | Up to 1 year | Cloudflare cookies that may appear when the browser contacts redux.io or its subdomains for license or update checks. Set by Cloudflare on the ReduxCore domain, not on your own site. |
| redux_pointer_{slug} | first_party | 1 year | Generic functional cookie used by some Redux based themes to track whether the user has seen a pointer or onboarding hint in the admin. Names vary, configure or disable in the theme settings. |
By default Redux Framework does not set its own cookies. WordPress core cookies (wp-settings-*, wp-settings-time-*, authentication cookies) remain in place. Some themes that use Redux may add their own cookies for previews or admin notices, so audit the specific theme integration on your site.
For admin only usage no visitor consent is needed because no scripts touch public visitors. If your theme enqueues Redux assets on the public front end, prior consent under Art. 5(3) ePrivacy is required unless the loading is strictly necessary for a service you actively requested.
License verification and update checks initiated by the site administrator typically rely on legitimate interest under Art. 6(1)(f) GDPR. Anonymous telemetry or front end script loading requires consent under Art. 6(1)(a) GDPR combined with Art. 5(3) ePrivacy.
Yes. When license verification, update checks, or telemetry are active, requests go to ReduxCore endpoints in the United States and pass through Cloudflare. EU operators need an Art. 46 GDPR safeguard such as the EU-US Data Privacy Framework or Standard Contractual Clauses.
Usually no, because admin only usage does not systematically process visitor data. A targeted assessment is sensible if telemetry is on, if license traffic includes identifiable site information, or if a theme loads Redux on public pages and may capture visitor IP addresses at scale.
Keep it admin only where possible, disable any tracking option in the theme settings, dequeue front end scripts you do not need, gate any remaining public loading behind your consent banner, log license traffic in your records of processing, and update your privacy notice to mention ReduxCore.
Yes. Popular options include Advanced Custom Fields (ACF), Carbon Fields, CMB2, Kirki, and the native WordPress Customizer API. ACF and the Customizer keep data fully on your own server and avoid third country calls.
Mention that your theme is built on Redux Framework, list any cookies it actually sets in your installation, note whether license or telemetry traffic goes to ReduxCore in the United States, and document the legal basis used (legitimate interest for licensing, consent for any front end scripts).