ClickUp is a US SaaS productivity and project management platform operated by Mango Technologies, Inc. (San Diego). It is used internally by teams for tasks, docs, sprints, goals, time tracking and chat. On public websites it may appear as embedded ClickUp Forms, embedded dashboards or share links. ClickUp processes customer data on US AWS infrastructure with no EU only residency option as of 2025, so European organisations should pay particular attention to the transfer assessment.
ClickUp is a SaaS productivity and project management platform operated by Mango Technologies, Inc. (San Diego, California). Founded in 2017 by Zeb Evans, it has grown into one of the largest all in one productivity tools, used by tens of thousands of organisations for tasks, docs, sprints, goals, OKRs, time tracking, chat and dashboards. ClickUp is delivered as a hosted web and mobile application with iOS, Android and desktop clients. On a public website, ClickUp appears either as an internal SaaS used by employees, or as embedded forms, public dashboards and share links exposing some content to external audiences.
For internal workplace use, ClickUp processes employee personal data: names, work email, profile photo, IP address, login times, task content (titles, descriptions, comments, attachments), time tracking, mentions, custom fields and any data the employees choose to add. The operator is the controller, ClickUp is the processor. For public website use (ClickUp Forms embedded on a marketing page, public dashboards shared via a link), ClickUp loads scripts and sets cookies on the clickup.com domain, plus tracks submission events.
For workplace use, the operator processes employee data under GDPR with the legal basis depending on the activity (contract necessity for service delivery, legitimate interest for security and audit). ClickUp acts as a processor under its DPA. For embedded forms or dashboards on public pages, ePrivacy Art. 5(3) requires consent before the ClickUp scripts and cookies load. The submission of a ClickUp Form by a website visitor is its own processing activity with its own lawful basis (typically consent for marketing forms, contract necessity for support requests).
ClickUp processes customer data on AWS infrastructure in the United States. No EU only residency option is available as of 2025. ClickUp self certifies under the EU US Data Privacy Framework and offers Standard Contractual Clauses. European operators should run a Transfer Impact Assessment focused on US CLOUD Act and FISA 702 exposure, document the mitigations (encryption at rest, MFA, RBAC, limited admin access, audit logs) and consider whether the residual risk is acceptable for their sector. Public sector and healthcare deployments should evaluate EU based alternatives.
ClickUp integrates with Slack, Microsoft Teams, Google Drive, OneDrive, GitHub, GitLab, Jira, Figma, Salesforce, HubSpot, Zapier and many more. Each integration creates an additional data flow that must be documented in the record of processing. Operators should review which integrations are enabled, whether they propagate personal data, what the partner's data residency is, and whether the consent or contract basis from ClickUp extends to the partner.
Sign ClickUp's DPA and SCCs. Document ClickUp as a processor in the record of processing, listing data categories, retention, integrations and the US transfer mechanism. Run a Transfer Impact Assessment with documented mitigations. For embedded forms or dashboards on public pages, gate them behind a CMP and list clickup.com cookies in the cookie policy. Inform employees about the use of ClickUp in their workplace privacy notice and consult the works council where required. For high sensitivity contexts, evaluate EU based alternatives.
Websites using ClickUp must obtain user consent under GDPR regulations.
DPIA considerations
ClickUp processing depends on use case: workplace use by employees (internal users of the platform) and public website embeds (ClickUp Forms, public dashboards). DPIA considerations: (1) for workplace use, ClickUp processes employee personal data (names, emails, profile photos, IP, task content, mentions, time tracking) on US infrastructure; (2) the US CLOUD Act and FISA 702 exposure is the main concern, since ClickUp is a US company with no EU only residency option as of 2025; (3) German DSK and French CNIL have raised concerns about US workplace tools without EU residency for sensitive sectors (public sector, healthcare); (4) for embedded forms on public pages, ClickUp sets cookies on the clickup.com domain which require consent under ePrivacy; (5) ClickUp's integration ecosystem (Slack, Google Drive, GitHub, etc.) extends data flows beyond ClickUp itself. A DPIA is recommended for any deployment processing sensitive employee data or for public sector use.
Sample consent text
For our workplace operations we use ClickUp (Mango Technologies, Inc., San Diego) as our project management and productivity platform. Your task content, comments, time tracking and profile information are stored on ClickUp's US infrastructure. We have signed Standard Contractual Clauses and rely on the EU US Data Privacy Framework. If you encounter an embedded ClickUp Form or dashboard on our public website, ClickUp sets cookies on clickup.com for which you can refuse consent in our cookie settings.
Third-party domains contacted
clickup.com, app.clickup.com, api.clickup.com, cdn.clickup.com, static.clickup.com
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| cu_unifid | Functional / Marketing | 1 year | Set by ClickUp on clickup.com. Unique device identifier used by ClickUp to recognise the same browser across visits and to attribute conversions on ClickUp marketing pages. |
| cu_session | Strictly Necessary / Functional | Session | Set by ClickUp on clickup.com. Session state cookie used to keep the user logged in to the ClickUp web application during the session. |
| _clck | Marketing | 1 year | Set by Microsoft Clarity loaded by ClickUp on clickup.com. Stores a Clarity user identifier used by ClickUp for product analytics and behavioural insights. |
| _clsk | Marketing | 24 hours | Set by Microsoft Clarity loaded by ClickUp on clickup.com. Stores session level analytics data including page views and interactions used by ClickUp for product analytics. |
| _ga, _gid | Marketing / Analytics | 2 years / 24 hours | Set by Google Analytics 4 loaded by ClickUp on the clickup.com marketing pages. Used by ClickUp for traffic and conversion analytics. |
ClickUp sets several cookies on the clickup.com domain when its scripts load: cu_unifid (a unique device identifier), cu_session (session state), _clck and _clsk (Microsoft Clarity analytics), various _ga and _gid (Google Analytics on ClickUp marketing pages), and advertising cookies. For embedded ClickUp Forms on the operator's website, the operator's domain may also receive a tracking cookie set via subdomain.
For internal workplace use, consent is not the primary basis (contract necessity or legitimate interest typically applies for employer/employee). For embedded ClickUp Forms or dashboards on public pages, the cookies set on clickup.com are not strictly necessary and ePrivacy Art. 5(3) requires prior consent before the embed loads.
Contract necessity (Art. 6(1)(b)) for ClickUp use by employees as part of their job. Legitimate interest (Art. 6(1)(f)) for security and audit. Consent (Art. 6(1)(a)) for cookies set by embedded ClickUp components on public pages.
Yes. ClickUp processes all customer data on AWS US infrastructure with no EU only residency option as of 2025. ClickUp self certifies under the EU US Data Privacy Framework and offers SCCs. A Transfer Impact Assessment is required, with documented mitigations.
A DPIA is recommended for any deployment processing sensitive employee data (HR, health, financial), for public sector use, or for large scale internal use. Even for standard workplace use, the lack of EU residency and the US CLOUD Act exposure are significant factors that benefit from a documented assessment.
Sign ClickUp's DPA and SCCs. Document ClickUp in the record of processing as a processor for workplace data. Run a Transfer Impact Assessment focused on US CLOUD Act and FISA 702. For public website embeds (Forms, dashboards), gate them behind a CMP. Inform employees in the workplace privacy notice and consult the works council where required. Review integrations to ensure each one has its own DPA where applicable.
Other project management and productivity SaaS include Asana (US, with EU residency on Enterprise), Monday.com (Israel/US), Notion (US), Trello (Atlassian, Australia/US), Jira (Atlassian), Linear (US), Basecamp (US), Wrike (US). EU based alternatives include Stackfield (Germany), Awork (Germany), MeisterTask (Germany) and Taiga (Spain, open source). EU options simplify the transfer assessment for European organisations.
In the workplace privacy notice, name ClickUp as a processor with the data categories processed, the legal basis, the retention period and the US transfer mechanism. For public website embeds, list clickup.com cookies in the cookie policy under functional or marketing. Document the integrations (Slack, Drive, etc.) as separate processing flows where they propagate personal data.