Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Bunny.net is a Slovenian content delivery network with an EU first edge network of 119 points of presence, optional EU only delivery, edge storage and a privacy first video stream product. No cookies are set by default and the company has no US parent company.
Bunny.net is a content delivery network and edge platform operated by BunnyWay d.o.o., a Slovenian company. The product line includes the Bunny CDN with 119 points of presence, Bunny Edge Storage (object storage in 9 regions), Bunny Stream (video CDN with HLS and DRM), Bunny Shield (WAF and bot mitigation), Bunny Optimizer (image optimisation), Bunny DNS and Bunny Fonts (privacy first Google Fonts mirror with EU only delivery). Bunny is widely considered the most EU centric major CDN.
Bunny.net offers EU only delivery and storage regions: traffic, cache and logs stay inside the European Economic Area. Bunny Edge Storage is available in Falkenstein (Germany), Stockholm (Sweden), London (UK), Los Angeles, New York, Singapore, Sao Paulo, Sydney and Johannesburg, with EU only and global pricing tiers. Because Bunny is a Slovenian company with no US parent company and no US legal presence at the corporate level, the US CLOUD Act does not apply: a US warrant cannot compel Bunny to disclose European customer data.
The Bunny CDN sets no cookies by default. Edge Rules and Bunny Shield can set strictly necessary security cookies (bunny_*) under the ePrivacy art. 5(3) exemption. The optional Bunny Analytics module exposes traffic counters at the edge without setting any visitor identifier on the device, so it usually qualifies for the CNIL audience measurement exemption when no cross site joining occurs. For Bunny Stream, cookies are limited to playback state and quality, set only when the player loads on the customer site.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For each request Bunny processes the visitor IP (truncated for analytics, retained full for security up to 24 hours), the user agent, the URL and the referer. The processing is governed by the standard Bunny Data Processing Addendum which references GDPR art. 28 and includes EU only sub processor commitments on demand. Logs are retained for the period the customer chooses, from 24 hours up to 1 year, and can be shipped to the customer S3 compatible bucket through Log Forwarding.
Choose the EU only delivery tier, pick Falkenstein or Stockholm as the primary Edge Storage region, sign the Bunny DPA, enable the privacy friendly Bunny Analytics if you do not already use a separate analytics tool, replace Google Fonts with Bunny Fonts (CDN compatible drop in), configure Edge Rules to truncate the IP in the logs, and document Bunny as a sub processor in your record of processing alongside the EU only commitment.
Websites using Bunny.net must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the Bunny CDN, which is a technically necessary delivery intermediary fully inside the EU. A DPIA is recommended only when the customer activates Bunny Analytics with persistent visitor identification or when Bunny Shield is used as the main bot protection layer. The DPIA should then document the cookie set, the retention of the logs (configurable from 24 hours to 1 year) and the customer side configuration of Edge Rules.
Sample consent text
Our website is delivered through Bunny.net, a European content delivery network headquartered in Slovenia. Bunny.net does not set any cookie by default and does not transfer your data outside the European Economic Area unless we explicitly enable the global delivery tier. If we activate Bunny Analytics or Bunny Shield protection cookies, this notice is updated accordingly.
Third-party domains contacted
b-cdn.netbunny.netbunnycdn.comfonts.bunny.netiframe.mediadelivery.netvideo.bunnycdn.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none by default | First party (Bunny CDN) | N/A | The Bunny CDN sets no cookies by default. Only Edge Rules or Bunny Shield set strictly necessary security cookies when activated |
| bunny_shield_* | First party (Bunny Shield, optional) | Up to 1 day | Bot detection and rate limiting state when Bunny Shield is activated |
| bvp_session | First party (Bunny Stream player, optional) | Session | Tracks the current video playback session when the Bunny Stream player is embedded |
| bvp_resume | First party (Bunny Stream player, optional) | 7 days | Stores the resume point for the visitor in the Bunny Stream player |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
By default Bunny.net sets no cookies. Edge Rules and Bunny Shield may set strictly necessary security cookies (bunny_session, bunny_shield_*) under the ePrivacy art. 5(3) exemption. The Bunny Stream player sets bvp_session (playback state) and bvp_resume (resume point) only when the customer embeds the video player.
No for the standard CDN, since no cookies are set. Yes only if you enable Bunny Analytics with persistent visitor identification (rare) or Bunny Stream which sets playback cookies on consent. Edge security cookies are exempt.
Article 6(1)(b) GDPR (contract, the visitor requested the page) and art. 6(1)(f) (legitimate interest in delivery). For Bunny Stream playback cookies and Bunny Analytics with identification: article 6(1)(a) consent. Article 28 GDPR governs the processor relationship.
No by default if the EU only delivery tier is selected. Bunny is a Slovenian company with no US parent company, so the US CLOUD Act does not apply. With the global delivery tier traffic may transit non EU points of presence but storage remains in the chosen region.
Rarely. Not for the standard CDN inside the EU. Recommended when Bunny Analytics with persistent identifier or Bunny Shield with advanced bot detection is activated. The DPIA should document log retention, the global vs EU only choice and any Edge Rule modifying personal data.
Sign the Bunny DPA, choose the EU only delivery tier and Falkenstein or Stockholm storage, replace Google Fonts with Bunny Fonts, configure log retention to the minimum needed, document Bunny as a sub processor and surface the EU only commitment in the privacy notice.
For an EU first CDN: Gcore (Luxembourg), KeyCDN (Switzerland), CDN77 (Czech Republic). For more global with EU residency: Cloudflare (EU Regional Services), Fastly, CloudFront. Bunny remains the clearest EU only option at the corporate level alongside Gcore.
State that the CDN is operated by BunnyWay d.o.o. (Slovenia), confirm the EU only delivery tier, declare any strictly necessary security cookies if activated, mention that no transfers outside the EU occur, link to the Bunny Trust Center and note the absence of US CLOUD Act exposure as a positive guarantee.