Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AI powered SaaS website builder for startup landing pages (formerly Landen). Hosts sites in the EU and the US. Sets first party session cookies on hosted sites and ships built in visitor analytics.
Umso is an AI powered SaaS website builder aimed at startups and product teams who need a fast, no code landing page. It was launched as Landen and renamed Umso in 2021. The platform generates marketing sites from a short prompt, hosts them on its own infrastructure, and offers built in lead capture forms, basic analytics and integrations with CRMs and email tools.
Umso hosted sites set a first party session cookie for navigation, a CSRF token cookie to protect forms, and a preferences cookie that stores the visitor cookie banner choice. The built in analytics records page views, referrers, country (from IP, then truncated), browser and operating system. Forms submitted on the page are stored in the Umso dashboard and may be forwarded to the connected email or CRM provider.
The session and CSRF cookies fall under the strictly necessary exemption of Article 5(3) ePrivacy Directive, so they can be set without consent. The built in analytics, although first party, is not strictly necessary and therefore requires prior consent unless configured in a way that the CNIL considers exempt (no cross site tracking, no audience profiling, anonymous statistics only). Any third party widget the site owner embeds (chat, video, social) brings its own consent requirements.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Site owners using Umso must add a cookie banner if they activate the built in analytics or any third party widget. The banner must let the user refuse as easily as accept, store the choice for at least six months and allow withdrawal at any time. Form data is processed under Article 6(1)(b) GDPR for pre contractual steps if a quote is requested, or under Article 6(1)(a) consent for marketing newsletters.
Umso runs on AWS with a primary region in Frankfurt and edge nodes in the United States. Static assets and analytics events may transit through US points of presence. Transfers to the US rely on the EU US Data Privacy Framework and on standard contractual clauses signed with Umso. A transfer impact assessment should document the supplementary measures: HTTPS encryption, IP truncation in analytics and limited retention of raw logs.
Sign a data processing addendum with Umso, list the company as a processor in your records of processing, configure the built in cookie banner or replace it with a more capable CMP if you embed third party widgets, document the storage period of form submissions, and provide an easy way for visitors to exercise their rights (access, deletion, portability). Review every twelve months whether the analytics is still needed or can be downgraded to a consent free aggregated mode.
Websites using Umso must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a small marketing site built with Umso, but becomes relevant when the site collects sensitive form data (health, finance, identification), runs targeted advertising or processes a large number of leads. Document the categories of data captured by forms, the routing to email or CRM, the retention of analytics events and the transfer of static assets to AWS regions outside the EEA.
Sample consent text
We use Umso to host this website. Umso sets a session cookie on this page and collects anonymous usage statistics to operate the site. By accepting, you also allow optional analytics and embedded widgets such as forms or chat. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
umso.coumso.comlanden.coCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| umso_session | first party session | Session | Maintains the visitor session on the hosted site (navigation state, form context). Strictly necessary. |
| umso_csrf | first party security | Session | CSRF token cookie protecting form submissions against cross site request forgery. Strictly necessary. |
| umso_consent | first party preference | 6 months | Stores the visitor cookie banner choice (accept, refuse or per category). |
| umso_uid | first party analytics | 12 months | Anonymous visitor identifier used by the built in Umso analytics to deduplicate sessions. |
Umso collects user analytics data — you legally need a consent banner. Try FlowConsent free.
A site published with Umso sets a first party session cookie (umso_session) for navigation, a CSRF token cookie to protect form submissions, and a cookie that stores the visitor cookie banner choice. If the built in analytics is enabled, an additional first party visitor cookie (umso_uid) is dropped to deduplicate sessions.
The strictly necessary session and CSRF cookies do not need consent. The built in analytics, however, requires a prior opt in under Article 5(3) ePrivacy Directive unless configured to be fully anonymous and limited to aggregated audience measurement, as accepted by the French CNIL guidelines on exempted analytics.
Legitimate interest (Article 6(1)(f) GDPR) for the strictly necessary cookies needed to deliver the site. Consent (Article 6(1)(a) GDPR) for the built in analytics and for any third party widget such as chat, video or social embeds. Performance of a contract (Article 6(1)(b)) for form submissions used in pre contractual steps.
Yes. Although the primary AWS region is Frankfurt, edge nodes and some Umso operational systems are based in the United States. Transfers to the US rely on the EU US Data Privacy Framework supplemented by standard contractual clauses, plus encryption in transit and limited retention as supplementary measures.
For a standard marketing site a DPIA is not mandatory. It becomes recommended when forms collect special category data (health, finance, employment status), when audiences include minors, when leads are matched to advertising platforms, or when the site processes a large volume of contacts on a regular basis.
Sign the Umso data processing addendum, list Umso in your records of processing, replace or extend the built in banner with a CMP that supports refuse, withdraw and proof of consent, gate analytics and third party widgets behind that banner, document the storage period of form submissions and provide a clear privacy notice.
Other AI website builders with EU only hosting (Framer, Webflow EU plans), classic CMS with EU hosting (WordPress on OVH or Scaleway, Ghost, Strapi), or static site generators deployed on Netlify EU regions. Each option still requires its own consent banner and DPA.
List Umso as the hosting processor, describe the session cookie, the CSRF cookie and the analytics cookie if enabled, mention the AWS regions used and the EU US Data Privacy Framework, link to the Umso privacy policy and explain how visitors can refuse or withdraw consent for analytics and third party widgets. Review the entry every twelve months.