Does your website use third-party services? Get GDPR compliant in minutes.

Gnuboard

What does gnuboard do?

Korean open source PHP based community CMS that powers bulletin boards, member areas and small online stores, popular in the Korean web ecosystem.

What gnuboard is

gnuboard is a free open source community CMS built around bulletin boards, written in PHP. The project is maintained by SIR.kr in Korea and is widely used to run forums, member areas, school sites and small ecommerce in the Korean speaking web. The platform is self hosted: the operator is the data controller.

Cookies and data

A vanilla gnuboard install sets a PHP session cookie (PHPSESSID), a CSRF token and an optional auto login cookie (gb_auto_login) when the visitor ticks the remember me box. Anonymous visitors browse without persistent identifiers. Third party trackers are only loaded when the operator installs plugins or themes that include them.

GDPR and ePrivacy posture

Session and CSRF cookies are strictly necessary under recital 66 of ePrivacy. The auto login cookie requires explicit consent (the remember me checkbox). Third party logins (Kakao, Naver), embedded comment boards and analytics plugins require Article 5(3) consent and may also imply transfers to Korea or the United States.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Hosting and transfers

Self host gnuboard on a hosting provider of your choice. South Korea benefits from a GDPR adequacy decision since 2021 for the private sector, so hosting in Korea is acceptable. Document any third party processor (CDN, mail relay, login provider) in your RoPA.

Implementation steps

Document PHPSESSID, CSRF and gb_auto_login in your cookie register, gate non essential plugins behind a CMP, sign DPAs with login providers and analytics processors, keep PHP and gnuboard up to date, and provide a clear privacy notice in line with Article 13 GDPR.

GDPR consent category

Other

Websites using gnuboard must obtain user consent under GDPR regulations.

Legal basisLegitimate interest (Art. 6(1)(f) GDPR) for the strictly necessary CMS session, security and CSRF cookies. Consent (Art. 6(1)(a)) for the auto login cookie, third party logins (Kakao, Naver) and any analytics or advertising plugins added by the operator.

Risk levelmedium

Applicable regulationsGDPR, ePrivacy Directive, UK GDPR, South Korean PIPA when the operator is established in Korea

DPIA considerations

A DPIA is generally not required for a vanilla gnuboard install. It becomes relevant when the operator activates third party logins (Kakao, Naver), member email marketing at scale or analytics plugins that profile visitors.

Sample consent text

This site runs on gnuboard. With your consent, optional plugins (Kakao login, Naver Analytics, comment widgets) may set cookies and process your data on third party servers.

Technical details

Tracking methodPHP based open source bulletin board and CMS that runs server side. Sets first party PHP session cookies for authenticated users, plus a long lived auto login cookie. Visitor pages are server rendered without behavioural tracking by default.

Server locationOperator chosen (gnuboard is self hosted, typically on a Linux PHP server controlled by the site owner; the project is maintained by SIR.kr in Korea)

Cookieless tracking availableYes

Third-party domains contacted

sir.krgnuboard.com

Cookies placed

Name	Type	Duration	Purpose
PHPSESSID	first_party	Session	Strictly necessary PHP session cookie used to keep authenticated users logged in.
gb_csrf_token	first_party	Session	CSRF token used by gnuboard forms to protect against cross site request forgery attacks.
gb_auto_login	first_party	30 days	Long lived auto login cookie set when the visitor explicitly chooses remember me at sign in.

This service may collect user data. Ensure GDPR compliance with FlowConsent.

Get started free Scan your site

Frequently asked questions

What cookies does gnuboard set?

PHPSESSID (session), a CSRF token and an optional auto login cookie (gb_auto_login) when the visitor checks remember me. No tracking or advertising cookies are set by the core CMS.

Is consent required for gnuboard?

Strictly necessary cookies (session, CSRF) are exempt. The auto login cookie requires explicit consent through the remember me checkbox. Optional plugins (Kakao login, Naver Analytics) require Article 5(3) consent.

What is the legal basis for processing on a gnuboard site?

Legitimate interest (Art. 6(1)(f) GDPR) for strictly necessary cookies and access logs. Consent (Art. 6(1)(a)) for auto login, third party logins and analytics plugins.

Does gnuboard transfer data to a third country?

gnuboard itself does not transfer data. Hosting in South Korea is covered by GDPR adequacy since 2021. Plugins (Kakao login, Naver Analytics) may imply transfers and require their own SCCs or rely on adequacy.

Do I need a DPIA for gnuboard?

Generally no for a vanilla install. Yes when third party logins, behavioural analytics or large scale member email marketing are activated.

How do I implement gnuboard compliantly?

Keep PHP and gnuboard up to date, document the strictly necessary cookies, gate optional plugins behind a CMP, sign DPAs with login and analytics processors and provide a clear privacy notice.

What are the alternatives to gnuboard?

Other community focused CMS include Discourse, phpBB, Vanilla Forums, Flarum, NodeBB and WordPress with bbPress.

How do I update my cookie policy when running gnuboard?

List PHPSESSID and CSRF as strictly necessary, gb_auto_login as functional with consent, then every plugin cookie with name, purpose, retention and processor.

Get compliant — Try FlowConsent free

Free plan · 10-min setup