Discourse is the leading modern open source forum platform, written in Ruby on Rails and used by thousands of communities worldwide, from open source projects to consumer brands and developer relations teams. It can be self-hosted under a free GPL v2 license or used as a managed hosting service from Civilized Discourse Construction Kit, Inc., which offers EU hosting in Ireland. From a privacy perspective it is one of the cleaner community platforms: minimal cookies, no third-party trackers by default and a clear data export tool.
Discourse is an open source forum platform created in 2013 by Jeff Atwood (co-founder of Stack Overflow) and developed by Civilized Discourse Construction Kit, Inc. It is written in Ruby on Rails and shipped as a Docker container that is easy to self-host. Major open source projects, developer communities and consumer brands run their forums on Discourse, often as a replacement for phpBB, vBulletin or Vanilla Forums. The platform is licensed under GPL v2 and the source code is freely available on GitHub; the same code base powers the managed Discourse hosting service offered by CDCK, Inc.
For visitors who only read, Discourse sets minimal cookies: _t (authentication when logged in), _forum_session (Rails session), session_id and a few CSRF tokens. For members, Discourse stores name, email, IP address, preferences, posts, drafts, badges and notification preferences. The platform optionally uses oneboxes to render inline previews of pasted links, which fetch the target URL server-side and may load remote images. No third-party analytics, marketing or advertising tags are loaded by default; the administrator can opt in to Google Analytics or Plausible through site settings.
The session cookies Discourse sets are strictly necessary for authentication and exempt from consent. The processing of member data has the contract with the user as its primary legal basis, with legitimate interest covering abuse prevention. Discourse exposes built-in "Export your data" and "Delete account" flows that satisfy Articles 15 and 17 of the GDPR. The main ePrivacy considerations come from oneboxes that embed YouTube, X, Twitch or Imgur content, which then bring their own cookies and trackers.
Not for the default forum experience. Discourse can run without any consent banner because the cookies it sets are strictly necessary. Consent becomes relevant once the administrator enables an analytics plugin (Google Analytics, Matomo, Plausible) or third-party embeds. In that case the consent banner should gate those features. Discourse ships a default settings page that helps administrators configure a GDPR-friendly setup.
For self-hosted Discourse in an EU region, no transfer to a third country occurs. For Discourse hosting, customers can pick the EU region (Ireland on DigitalOcean) so that persistent data stays in the EU. CDCK, Inc. (USA) remains the controller of the platform and accesses tenant data for support and security; transfers rely on the Discourse DPA, the EU-US Data Privacy Framework and EU SCCs.
Self-host Discourse in an EU data centre, or pick the EU region of Discourse hosting; document the forum in the Article 30 record; sign the Discourse DPA if you use the managed service; expose the data export and account deletion features prominently in your privacy notice; review enabled oneboxes and embeds and gate them behind consent if they load third-party content; configure user retention and trust levels to reduce the dataset over time.
Websites using Discourse must obtain user consent under GDPR regulations.
DPIA considerations
Standalone Discourse rarely needs a DPIA. When the forum hosts sensitive discussions (health, religion, politics), uses AI moderation features or activates many oneboxes that load third-party content, document a DPIA covering content categories, sub-processors and any analytics enabled.
Sample consent text
Our community runs on Discourse. To browse and post you receive a session cookie. We do not place third-party tracking cookies. Some posts may embed external media (YouTube, X) that load only after you accept.
Third-party domains contacted
<forum_domain>, discourse.org, discourse-cdn.com, meta.discourse.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _t | first party | 1 year | Long lived authentication cookie that keeps the user logged in to Discourse. |
| _forum_session | first party | Session | Rails session cookie used to manage the current user session. |
| session_id | first party | Session | Internal session identifier used for CSRF protection and session continuity. |
| destination_url | first party | Short lived | Stores the destination URL to redirect to after login when the user accesses a protected page anonymously. |
| authentication_data | first party | Short lived | Holds OAuth or SSO data temporarily during a third party login flow. |
The forum sets _t (authentication when logged in), _forum_session (Rails session), session_id and CSRF tokens. No third-party tracking cookies are set by default. Optional analytics plugins can add cookies that require consent.
Not for the default configuration: all cookies are strictly necessary. You will need a banner if you enable Google Analytics or other trackers via plugins, or if you allow oneboxes that load third-party media on view.
Contract performance for forum members, legitimate interest for visitors browsing public content and for abuse prevention. Consent is the basis for optional analytics or marketing integrations.
Self-hosted Discourse in the EU stays in the EU. Discourse hosting offers an EU region (Ireland). The US transfer in the hosted model is covered by the EU-US Data Privacy Framework and SCCs in the Discourse DPA.
Rarely on a standard community forum. A DPIA is justified when the forum hosts sensitive discussions, uses AI moderation or activates many third-party embeds. Document the data flows in your Article 30 record at minimum.
Choose an EU host, configure email and password securely, expose the built-in data export and account deletion to users, sign the Discourse DPA in managed mode, and review every plugin or onebox for third-party data flows.
Flarum (open source PHP), NodeBB (open source Node.js), Vanilla Forums (commercial), Lemmy (federated open source), Mastodon for discussion-oriented communities, Slack or Mattermost for chat-oriented teams. Most can be self-hosted in the EU.
List _t, _forum_session and session_id under Strictly Necessary with provider Civilized Discourse Construction Kit, Inc., USA (or self-hosted), purpose authentication and session, retention session to a few weeks. Mention oneboxes and any optional analytics integrations separately.