Duda is a website builder targeted at agencies and SaaS resellers. It provides a drag-and-drop editor, dynamic content, multi-site management, an integrated CRM and a marketplace of widgets. Its core cookies are strictly necessary; consent is required for native analytics, visitor tracking and installed widgets.
Duda is a website builder designed for agencies, SaaS resellers and large publishers managing many sites. The product line covers the editor, the staging environment, the white label client preview, dynamic content for multilingual or location based pages, an integrated CRM that captures form leads, a widget builder, an email marketing module and a marketplace of third party widgets. Duda is the engine behind several SaaS website plans bundled with marketing automation tools.
Strictly necessary: DUDA_SESSION (session, editor and viewer session), dudamobile_token (1 year, mobile site detection), _dd_session (session, edit mode token), DUDA_AB_TEST (90 days, internal A/B test split). With Duda Visitor Tracking activated: duda_visitor (1 year, anonymous visitor identifier), duda_pageview (session, page view counter for native analytics). Third party widgets installed from the App Store add their own cookies (Google Analytics, Meta Pixel, Hotjar, Calendly, etc.).
The strictly necessary cookies are exempt under ePrivacy art. 5(3) and rely on legitimate interest (GDPR art. 6(1)(f)). The Duda native analytics, the visitor tracking and the form submission flow that feeds the Duda CRM require consent under GDPR art. 6(1)(a). Email marketing campaigns sent through the Duda Email Marketing module need a separate consent under the ePrivacy direct marketing rules and the local opt out rules. The Duda widgets marketplace surfaces a privacy section but does not automatically gate widgets behind a CMP.
Duda delivers sites through CloudFront, with EU edge nodes that serve European visitors closer to their location. The site content, the CRM database, the analytics records and the customer billing are stored in the United States by default; EU storage is available on the higher plans contractually. The corporate platform, the customer support and the engineering team operate from the US, Israel and India. Duda is certified under the EU US Data Privacy Framework, with 2021 SCCs as fallback.
Sign the Duda Data Processing Addendum, request the EU storage region on the higher plans, gate every visitor tracking, native analytics and widget behind a CMP via the Duda cookie banner widget or your own CMP, document the form submission flow with a clear consent text for the email marketing list, set the strictest retention for the Duda CRM and document the chain in your record of processing under GDPR art. 30.
Websites using Duda must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when the Duda native analytics, the visitor tracking module or the Duda CRM are activated, because they build a profile of website visitors and link it to email and phone identifiers when forms are submitted. The DPIA should document the EU edge delivery option, the US storage default, the retention of visitor profiles and CRM records, the integration with third party widgets and the legal basis for marketing emails sent via the Duda Email Marketing module.
Sample consent text
Our website is built with Duda. Strictly necessary cookies (DUDA_SESSION, dudamobile_token, _dd_session) keep the editor and the site working. With your consent we activate the Duda native analytics, the visitor tracking, the Duda CRM and any widget that loads tracking pixels. Site delivery is on CloudFront with an EU edge option, and the management layer runs in the United States under the EU US Data Privacy Framework. You can accept, refuse or withdraw at any time.
Third-party domains contacted
duda.co, multiscreensite.com, cdn-website.com, static.cdn-website.com, lirp.cdn-website.com, dudamobile.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| DUDA_SESSION | First party (Duda) | Session | Editor and viewer session token used by the Duda platform |
| dudamobile_token | First party (Duda) | 1 year | Stores whether the visitor should be served the mobile or desktop version of the Duda site |
| _dd_session | First party (Duda) | Session | Identifies the edit mode session in the Duda editor |
| DUDA_AB_TEST | First party (Duda) | 90 days | Used by the Duda A/B testing module to keep the visitor in the same variant |
| duda_visitor | First party (Duda Visitor Tracking, optional) | 1 year | Anonymous visitor identifier used by the Visitor Tracking module when activated |
| duda_pageview | First party (Duda Visitor Tracking, optional) | Session | Page view counter used by the native analytics module |
Strictly necessary: DUDA_SESSION (session), dudamobile_token (1 year, mobile detection), _dd_session (session, edit mode), DUDA_AB_TEST (90 days, A/B testing). With Visitor Tracking: duda_visitor (1 year, anonymous identifier), duda_pageview (session). Installed widgets add their own cookies (GA, Meta Pixel, Hotjar, Calendly).
Strictly necessary cookies do not need consent. Consent is required for the Duda native analytics, the Visitor Tracking module, the email marketing list and every widget that loads tracking pixels. The Duda cookie banner widget can be used to gate them.
Legitimate interest (GDPR art. 6(1)(f)) and the ePrivacy art. 5(3) exemption for the session cookies. Contract (art. 6(1)(b)) for form submissions you fulfil. Consent (art. 6(1)(a)) for analytics, visitor tracking, marketing automation and CRM follow up beyond the form.
Yes by default. Site content, CRM and analytics data are stored in US AWS regions. EU storage is available on higher plans. Duda is certified under the EU US Data Privacy Framework with SCCs 2021 as fallback.
Recommended when Duda Visitor Tracking, native analytics or the CRM with email marketing is activated, because they build a profile of website visitors. The DPIA should describe storage region, retention, third party widgets and the email marketing legal basis.
Sign the DPA, request EU storage on higher plans, gate Visitor Tracking, native analytics and widgets behind a CMP, configure the Duda Cookie Banner Widget for the banner, document the email marketing consent in the form fields, set CRM retention to the minimum and document the chain in your record of processing.
EU first website builders: Strikingly (EU plan), Webflow (US with EU edge), Squarespace (US), Wix (Israel with EU storage), Jimdo (Germany), 1&1 IONOS MyWebsite (Germany), Hostinger Website Builder (Lithuania), WordPress.com (US with global infrastructure), Sitebuilder.com. Jimdo and 1&1 IONOS are the most EU centric agency friendly builders.
List Duda as a sub processor, declare the strictly necessary cookies and the consent based cookies separately, mention the US storage default and the EU storage option, reference the Data Privacy Framework certification, link to the Duda Privacy Policy and provide a DSAR contact.