Tilda Publishing is a popular Russian and global website builder. It hosts user sites and sets multiple cookies for editor sessions, visitor analytics and integrated forms, with servers in the European Union, the United States and Russia.
Tilda Publishing is a hosted website builder created in Russia in 2014 and now used by hundreds of thousands of creators, small businesses, agencies and media projects worldwide. It offers a visual block editor, ready-made templates, e-commerce features, integrated forms with a lightweight CRM, hosting and a custom domain option. The service is fully managed by Tilda, which acts as a processor for the operator publishing the site and as a controller for its own editor accounts and platform analytics.
On the editor side, Tilda sets session and login cookies, a CSRF token and preference cookies. On published sites, it sets first-party cookies for visitor analytics, page personalisation and form anti-spam, and may load the Tilda analytics tag, embedded chat widgets and form widgets that exchange data with Tilda servers. Form submissions, e-commerce orders, integrated CRM contacts, IP addresses, user agents and analytics events are stored on the Tilda backend.
Analytics, personalisation and chat cookies are not strictly necessary to deliver the page, so Article 5(3) ePrivacy requires prior informed consent before they are written. Form submissions and CRM data fall under the GDPR, with Tilda as a processor and the publisher as the controller. Anti-spam cookies and load-balancing cookies can be considered strictly necessary, while embedded third-party trackers (Google Analytics, Yandex Metrica, Facebook Pixel) require their own consent.
A Tilda-hosted site must include a cookie banner that blocks analytics and marketing tags until consent is given, with refusal as easy as acceptance. Forms must include a separate, clear and granular consent for the use of contact details, and the privacy notice must name Tilda as the hosting and processing partner, list the storage region and the integrations that share data with third parties. Visitors must be able to exercise their access, rectification, erasure and objection rights.
Tilda runs servers in the European Union, in the United States and historically in Russia. Depending on the account region and the chosen plan, visitor and form data may be processed in any of these locations. Transfers to the US rely on standard contractual clauses and, where Tilda is certified, on the EU-US Data Privacy Framework. Transfers to Russia have no adequacy decision, require additional safeguards under Chapter V GDPR, and have to be assessed against the EU sanctions context.
Pick an EU plan when targeting EU visitors, sign the Tilda data processing agreement, gate Tilda analytics and third-party trackers behind a consent banner, configure short retention windows for form data, document the transfer impact assessment when EU data are processed in the US or in Russia, restrict editor access with strong passwords and two-factor authentication, document the processing in the Article 30 records and update the privacy and cookie policy with a clear mention of Tilda, the storage region, the cookies set and the retention.
Websites using Tilda Publishing must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever a Tilda-hosted site processes contact form data at scale, uses the integrated CRM, embeds analytics for marketing purposes or targets EU visitors from an account located in Russia. Document the categories of data collected via forms, the storage region of the project, the involvement of third-party integrations (Mailchimp, SendGrid, Google Analytics) and the legal basis used for each processing.
Sample consent text
This website is published with Tilda. It sets editor and visitor cookies, may load Tilda analytics and integrated forms, and routes your form submissions through Tilda servers that may be located in the European Union, the United States or Russia. We need your consent for analytics and marketing cookies. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
tilda.cc
tilda.ws
tildacdn.com
tildacdn.net
static.tildacdn.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tildauid | http_persistent | 1 year | Persistent visitor identifier used by Tilda for visitor analytics on the published site. |
| tildasid | http_session | Session | Session identifier used to group visitor events during a single browsing session. |
| tilda_login | http_persistent | 30 days | Keeps the Tilda editor authenticated in the administration backend between visits. |
| tildaesid | http_session | Session | Editor session identifier used by the Tilda block editor to keep the project state. |
| tilda_ab | http_persistent | 90 days | Stores the A/B test variant assigned to the visitor for page personalisation. |
| tilda_cs | http_persistent | 6 months | Stores the consent choices made by the visitor on the Tilda hosted cookie banner. |
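
One way to check a published site against the table above is to capture the `Set-Cookie` headers returned before and after the banner choice and audit them. This is an added example, not Tilda's or this page's own code: the consent classification is inferred from the Purpose column, "6 months" is taken as 183 days, and the header values are constructed.

```python
from http.cookies import SimpleCookie

DAY = 86400
# Assumption of this example: cookies whose Purpose is visitor analytics or
# personalisation need opt-in consent; the others are not flagged.
NEEDS_CONSENT = {"tildauid", "tildasid", "tilda_ab"}
# Documented lifetimes (seconds) of the persistent visitor cookies in the table.
DOCUMENTED_MAX_AGE = {
    "tildauid": 365 * DAY,   # 1 year
    "tilda_ab": 90 * DAY,    # 90 days
    "tilda_cs": 183 * DAY,   # 6 months, taken as 183 days
}

# Constructed sample: Set-Cookie values as captured on a first page load.
SAMPLE_HEADERS = [
    "tildauid=1700000000.123456; Max-Age=31536000; Path=/; Secure",
    "tildasid=1700000000.654321; Path=/",
    "tilda_ab=B; Max-Age=15552000; Path=/",       # 180 days, table says 90
    "tilda_cs=denied; Max-Age=15552000; Path=/",
]

def audit_set_cookie(headers, consent_given):
    """Return (cookie_name, finding) pairs for a list of Set-Cookie values."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Analytics/personalisation cookies must not appear before opt-in.
            if name in NEEDS_CONSENT and not consent_given:
                findings.append((name, "set before consent"))
            # A lifetime longer than the documented one makes the notice wrong.
            max_age = morsel["max-age"]
            limit = DOCUMENTED_MAX_AGE.get(name)
            if limit and max_age.isdigit() and int(max_age) > limit:
                findings.append((name, "lifetime exceeds documented duration"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE_HEADERS, consent_given=False):
        print(f"{name}: {finding}")
```
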
On the editor side, Tilda sets session and login cookies, a CSRF token and preference cookies. On published sites, it sets first-party cookies for visitor analytics, page personalisation and form anti-spam, plus the cookies of any integrated chat or third-party tracker.
Yes, for visitor analytics, personalisation, chat and any third-party tracking cookies. These are not strictly necessary and Article 5(3) ePrivacy requires opt-in consent. Strictly necessary cookies for hosting, security and form anti-spam may be set without consent.
Consent under Article 6(1)(a) GDPR for analytics and marketing cookies on published sites. Legitimate interest under Article 6(1)(f) GDPR for security and anti-spam cookies. Performance of a contract under Article 6(1)(b) GDPR for editor accounts and the website builder service.
Possibly. Tilda operates servers in the EU, in the US and historically in Russia. Transfers to the US rely on SCCs and the EU-US Data Privacy Framework where applicable. Transfers to Russia have no adequacy decision, require additional safeguards under Chapter V GDPR and must be assessed in the EU sanctions context.
A DPIA becomes recommended when forms process large volumes of personal data, when the integrated CRM is used for marketing, when the project targets EU visitors from an account located in Russia or when sensitive categories of data are collected. Use Article 35 GDPR criteria to assess the risk.
Choose an EU plan when targeting EU visitors, sign the Tilda data processing agreement, install a cookie banner that blocks analytics and marketing tags until consent, enable two-factor authentication on editor accounts, set short retention for form data, document a TIA for US or Russian processing and update the privacy and cookie policy accordingly.
Comparable hosted website builders include Webflow, Wix, Squarespace, Readymag, Framer and self-hosted options like WordPress with a page builder, Ghost or Statamic. EU-based or EU-hosted alternatives simplify the transfer analysis and may suit privacy-sensitive projects better.
List the Tilda first-party cookies with purpose and duration, mention the integrated forms and chats, identify Tilda as the hoster and processor, indicate the storage region (EU, US or Russia), describe the safeguards used for any international transfer, link to the Tilda privacy notice and explain how visitors can refuse or withdraw consent and request deletion.