Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
imgix is a US-based image transformation CDN that resizes, crops, formats, and optimises images on the fly. Developers point their image sources (S3, GCS, web folder) at imgix and serve images via URL parameters that drive transformations. imgix delivers via Fastly with global PoPs including the EU. It does not set cookies in the visitor browser and does not run any client-side tracker by default.
imgix is a US image transformation CDN founded in 2012 by Zebrafish Labs, Inc. (San Francisco). Developers attach an imgix source (S3 bucket, Google Cloud Storage, web folder) and serve images via URLs that include query parameters describing the desired transformation (resize, crop, format, quality, blur, color adjustments). imgix delivers via the Fastly CDN with PoPs across the EU, the US, Asia, and Oceania.
For each image request: visitor IP, user agent, referrer, URL with transformation parameters, response metadata. imgix does not set cookies in the visitor browser and does not run any client-side tracker by default. The image content itself is processed during transformation; for private images, signed URLs and Web Folder sources with restricted access can be used.
IP addresses are personal data and are processed under legitimate interest (Art. 6(1)(f)) as part of the image delivery infrastructure. The ePrivacy consent requirement does not apply because imgix does not store or read information on the device. The image content can be personal data if the publisher serves user-uploaded photos.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Visitors are served from the nearest Fastly PoP (EU PoPs for EU visitors), so the delivery path stays in the EU for most EU visitors. However, the rendering infrastructure, dashboard, billing, and support are operated from the United States by Zebrafish Labs. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and on the EU-US Data Privacy Framework certification.
Sign the imgix DPA, document the SCCs and the DPF in your privacy notice, use signed URLs for private images, document imgix in the RoPA as a processor, and mention the EU edge delivery alongside the US rendering origin in your transparency communication.
Websites using Imgix must obtain user consent under GDPR regulations.
DPIA considerations
imgix processes the visitor IP and request metadata to deliver the transformed image. Key DPIA considerations: (1) IP addresses are personal data, processed under legitimate interest; (2) the operator is US-based (Zebrafish Labs), triggering a transfer assessment even though delivery uses EU PoPs; (3) the image content itself can be personal data when the publisher serves user-uploaded photos; (4) signed URLs should be used for private images; (5) imgix does not introduce any tracking pixel or analytics on the visitor side.
Sample consent text
Our website uses imgix, a US-based image transformation CDN, to deliver our images. imgix processes your IP address and request metadata to serve the correct image and applies on-the-fly transformations (resize, format, optimisation). Delivery uses Fastly EU PoPs; transfers to US infrastructure rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. imgix does not set cookies in your browser.
Third-party domains contacted
imgix.comwww.imgix.comimgix.net*.imgix.netdashboard.imgix.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set by imgix | N/A | N/A | imgix is a server-side image transformation CDN and does not write cookies to the visitor browser. Any cookie received from an imgix URL is set by the customer origin application served behind imgix. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
No. imgix is a server-side image CDN and does not write cookies to the visitor browser. Any cookie received from an imgix URL is set by the customer origin application served behind imgix.
No. The ePrivacy consent requirement does not apply because imgix does not store or read information on the device. Processing of the visitor IP for image delivery relies on legitimate interest under Art. 6(1)(f) GDPR.
Legitimate interest (Art. 6(1)(f) GDPR) for the image transformation and delivery as a necessary technical component of website rendering.
Yes, for the rendering origin, dashboard, billing, and support; delivery itself uses the nearest Fastly PoP (EU PoPs for EU visitors). Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework certification.
For ordinary product or marketing imagery, no. For platforms serving user-uploaded images (profile photos, ID documents, medical images), document a short DPIA covering signed URLs, access controls, and the US transfer mechanism.
Sign the imgix DPA, use signed URLs for private images, document imgix in your RoPA, mention imgix and the US/EU edge architecture in the privacy notice, and exclude truly sensitive imagery from any third-country processing flow.
EU-friendly alternatives include Bunny Optimizer (Slovenia), Twicpics (France), Cloudinary EU (Frankfurt), Uploadcare (Estonia), ImageKit, Sirv (UK), Storyblok Image Service (Switzerland), and self-hosted options like Imgproxy or libvips behind a EU CDN.
imgix does not set cookies, so no cookie policy entry is needed. Mention imgix in the privacy notice under technical subprocessors, with the dual EU edge delivery / US rendering note, the SCCs and DPF references.