WeWeb is a French no-code visual front-end builder used to create Vue.js-powered web apps without writing code. Editors design pages, connect data sources and deploy to production through the WeWeb platform. The runtime is served from the European Union over Cloudflare, with optional plugins that may add cookies subject to consent.
WeWeb is a French no-code platform that lets teams build production-grade Vue.js applications visually. Editors connect REST APIs, Supabase, Xano, Airtable, PostgreSQL and other backends, configure authentication, design pages with drag-and-drop components and publish to a managed domain or to a custom domain. The runtime consists of a Vue-based JavaScript bundle that runs in the visitor's browser and orchestrates data fetching, state and rendering.
The default WeWeb runtime sets only strictly necessary cookies for authentication, session and CSRF protection. Any analytics, marketing or chat behaviour comes from explicitly enabled plugins (Google Analytics, Meta Pixel, Mixpanel, Intercom, Crisp, etc.). Each plugin loads its own scripts and cookies once activated by the builder, so the consent rules for that plugin apply.
The strictly necessary runtime can rely on legitimate interest or contract performance, depending on the use case. As soon as any non strictly necessary plugin is enabled, Article 5(3) of the ePrivacy Directive applies and prior consent is required. Under the GDPR, the operator of the published app is controller and WeWeb SAS acts as processor, with a Data Processing Agreement signed at sign up.
WeWeb stores project metadata and customer data on AWS EU regions. Cloudflare is used as global CDN and may route traffic through US edge nodes. Transfers are covered by Standard Contractual Clauses under Article 46(2)(c) GDPR and, where Cloudflare is certified, by the EU US Data Privacy Framework.
Inventory every WeWeb plugin enabled on the published app, classify each as strictly necessary or requiring consent, integrate a consent manager that blocks non strictly necessary plugins before opt in, sign the WeWeb DPA, list WeWeb and Cloudflare in your record of processing, and inform users in your privacy notice.
Websites using WeWeb must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when a WeWeb published app processes sensitive data, when it connects to external data sources outside the EEA, or when it integrates third party plugins for analytics, marketing or chat. Map every plugin, document the data flow and review the sub processor list.
Sample consent text
This site is powered by WeWeb, a no code app builder hosted in the European Union. WeWeb itself only uses strictly necessary cookies. Additional plugins for analytics, marketing or chat are loaded only after you accept the corresponding consent category.
Third-party domains contacted
- weweb.io
- app.weweb.io
- cdn.weweb.io
- api.weweb.io

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ww_session | HTTP | Session | Strictly necessary session cookie used by the WeWeb runtime to maintain the user session. |
| ww_csrf | HTTP | Session | CSRF protection token used by WeWeb forms and authenticated routes. |
| ww_auth | HTTP | 30 days | Authentication token stored for the WeWeb authentication plugin when remember me is enabled. |
| ww_locale | HTTP | 1 year | Stores the preferred language of the WeWeb published app. |
By default the WeWeb runtime only writes strictly necessary cookies (ww_session, ww_csrf, ww_auth, ww_locale). Any other cookie comes from a plugin explicitly enabled by the builder and follows the rules of that specific tool.
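A check for the claim above, as an added example (not WeWeb's or this page's own code): it parses `Set-Cookie` header values and flags any cookie outside the four documented runtime cookies that is set before opt-in, and any documented cookie that outlives the duration in the table. The function names, the `consented` flag and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: check Set-Cookie headers against the cookie table on this page.
const DAY = 86400;
// Documented runtime cookies -> longest documented lifetime in seconds (0 = session only).
const NECESSARY = new Map([
  ["ww_session", 0], ["ww_csrf", 0],
  ["ww_auth", 30 * DAY], ["ww_locale", 365 * DAY],
]);

// Parse one Set-Cookie value into { name, lifetime }; lifetime is null for a session cookie.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let lifetime = null;
  let sawMaxAge = false;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) {
      lifetime = Number(value); // Max-Age wins over Expires when both are present
      sawMaxAge = true;
    } else if (key === "expires" && !sawMaxAge) {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) lifetime = Math.round((t - now) / 1000);
    }
  }
  return { name, lifetime };
}

// Findings: unknown cookies set before opt-in, and known cookies outliving the table.
function auditCookies(headers, consented = false) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetime } = parseSetCookie(header);
    if (!NECESSARY.has(name)) {
      if (!consented) findings.push({ name, issue: "set-before-consent" });
    } else if (lifetime !== null && lifetime > NECESSARY.get(name)) {
      findings.push({ name, issue: "exceeds-documented-lifetime" });
    }
  }
  return findings;
}

// Constructed sample headers (not captured from a real WeWeb app).
const SAMPLE = [
  "ww_session=abc; Path=/; Secure; HttpOnly",
  "ww_auth=tok; Max-Age=2592000; Path=/; Secure",
  "ww_locale=fr; Max-Age=63072000; Path=/",
  "_ga=GA1.1.1.1; Max-Age=63072000; Path=/",
];
console.log(auditCookies(SAMPLE));
```

Feed it the `Set-Cookie` values recorded from a first page load with no consent given, then again after opt-in with `consented` set to `true`.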
Not for the strictly necessary runtime. Consent becomes mandatory as soon as a non strictly necessary plugin is enabled (analytics, marketing, chat), because Article 5(3) of the ePrivacy Directive then applies.
Legitimate interest or contract performance for the strictly necessary runtime, consent for any non strictly necessary plugin. The exact basis depends on the activated plugins and the purpose of the published app.
WeWeb hosts data on AWS EU regions. Cloudflare CDN may route traffic through US edge nodes; transfers are framed by Standard Contractual Clauses under Article 46(2)(c) GDPR and, where Cloudflare is certified, by the EU US Data Privacy Framework.
A DPIA is recommended when the published app processes sensitive data, when external data sources sit outside the EEA or when third party plugins for marketing or chat are enabled.
Audit every plugin enabled on the app, integrate a CMP that blocks non strictly necessary plugins before opt in, sign the WeWeb DPA, list WeWeb and Cloudflare in your record, and document data flows from the published app to external backends.
Other no code or low code app builders include Bubble, Softr, Webflow (no native authentication), Retool, Toolkit and FlutterFlow. For EU hosting choose providers with European data residency.
Mention WeWeb SAS as processor, the strictly necessary cookies set by the runtime, the plugins enabled on the app, the data flows to external data sources, the international transfers via Cloudflare and the consent withdrawal mechanism.