Cloudinary is an image and video management platform widely used to host, transform, optimise, and deliver media assets via its global CDN. The visitor browser fetches media from a Cloudinary URL (res.cloudinary.com by default, or a customer subdomain) and Cloudinary applies on-the-fly transformations (resize, format conversion, AI background removal). Cloudinary does not set cookies in the visitor browser by default.
Cloudinary is an image and video management platform founded in 2012, with headquarters in Santa Clara, California, and major R&D operations in Israel. It serves as a managed asset CDN: developers upload media to Cloudinary, then deliver it via URLs that include transformation parameters (resize, crop, format conversion, AI features). Cloudinary is widely used in e-commerce, media, and SaaS applications, with millions of websites worldwide.
For each media request: visitor IP, user agent, referrer, URL, transformation parameters, and response metadata. The asset content itself is stored in Cloudinary buckets and processed during transformations. AI features (object recognition, automatic tagging, content moderation, background removal) analyse the image content with machine learning models. Cloudinary does not set cookies in the visitor browser; tracking is server-side only.
IP addresses are personal data. The processing relies on legitimate interest (Art. 6(1)(f)) as a necessary technical component of website delivery. The ePrivacy consent requirement does not apply because Cloudinary does not store or read information on the device. The asset content itself is processed by Cloudinary as a processor under the customer Cloudinary DPA.
By default, Cloudinary processes assets in the United States. Enterprise customers can request EU residency on Frankfurt (eu-cloudinary infrastructure). Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on the EU-US Data Privacy Framework certification. A Transfer Impact Assessment is recommended, especially for sensitive content (member photos, identity documents).
Sign the Cloudinary DPA, request EU residency on Enterprise plans, use signed URLs for private assets, configure auto-delete policies for user-uploaded media that should not be retained, document Cloudinary in your RoPA as a processor, restrict AI feature use to documented purposes, and mention Cloudinary in the privacy notice with the chosen region.
Websites using Cloudinary must obtain user consent under GDPR regulations.
DPIA considerations
Cloudinary processes the visitor IP and request metadata to deliver and transform media. Key DPIA considerations: (1) IP addresses are personal data, processed under legitimate interest; (2) US default residency triggers a transfer assessment, while EU residency on Frankfurt is available for Enterprise customers; (3) AI features (object recognition, content moderation, background removal) may process image content with sensitive personal data; (4) signed URLs and access controls should be used for private media (member photos, document uploads); (5) the asset content itself can be highly personal (user-uploaded photos, ID documents), which raises the stakes of any data breach.
Sample consent text
Our website uses Cloudinary, an image and video CDN, to deliver and transform our media assets. Cloudinary processes your IP address and request metadata to serve the media. By default, the infrastructure is in the United States; we have configured the EU region where contractually available. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. Cloudinary does not set cookies in your browser.
Third-party domains contacted
cloudinary.com, www.cloudinary.com, res.cloudinary.com, api.cloudinary.com, eu-res.cloudinary.com, media-library.cloudinary.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set by Cloudinary | N/A | N/A | Cloudinary is a server-side asset CDN and does not write cookies to the visitor browser. Any cookie received from a Cloudinary URL is set by the customer origin application served behind the CDN. |
No. Cloudinary is a server-side asset CDN and does not set cookies in the visitor browser. Any cookie received from a Cloudinary URL is set by the customer origin application, not by Cloudinary.
No. The ePrivacy consent requirement does not apply because Cloudinary does not store or read information on the device. Processing of the visitor IP for media delivery relies on legitimate interest under Art. 6(1)(f) GDPR.
Legitimate interest (Art. 6(1)(f) GDPR) for media delivery as a necessary technical component. Contract performance (Art. 6(1)(b)) for the asset management workflows in the controller dashboard.
By default yes. Cloudinary infrastructure is in the United States unless EU residency (Frankfurt) is contractually requested on an Enterprise plan. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
For ordinary marketing or product imagery, no. For platforms that handle user-generated content (member photos, identity documents, medical images), a short DPIA is recommended to document access controls, retention, and AI feature usage.
Sign the Cloudinary DPA, request EU residency on Enterprise where applicable, use signed URLs for private assets, enforce strict upload validation, set retention policies for user-uploaded media, document Cloudinary in your RoPA, and mention Cloudinary with the chosen region in your privacy notice.
EU-friendly alternatives include Imgix (US, EU PoPs), Bunny Optimizer (Slovenia), Storyblok Image Service (Switzerland), Uploadcare (Estonia), Sirv (UK), Image Engine, ImageKit, Twicpics (France), and self-hosted options like Imgproxy or libvips behind your own CDN.
Cloudinary does not set cookies, so no cookie policy entry is needed. Mention Cloudinary in the privacy notice under technical subprocessors, with the chosen region (US default or EU Frankfurt), the DPA reference, and the SCCs/DPF transfer mechanism.