Webflow is a US-based SaaS website builder and managed hosting platform used to design, build, and host websites without writing code. It processes visitor connection data on AWS infrastructure in the United States. As a hosting provider, Webflow acts as a data processor under a Data Processing Addendum. Its own platform cookies are strictly necessary for site functionality; no consent is required for the hosting layer itself.
Webflow is a SaaS visual website builder and managed hosting platform founded in 2013 and headquartered in San Francisco, California. It allows designers and developers to build responsive websites using a visual interface that generates clean HTML, CSS, and JavaScript, without requiring manual coding. Webflow also provides a built-in CMS, an e-commerce module, and a Memberships feature for gated content. Hosted sites run on Webflow's managed infrastructure, built on AWS and distributed via the Fastly CDN.
When a visitor accesses a Webflow-hosted site, their HTTP request is handled by Fastly CDN edge nodes globally and routed to AWS us-east-1 origin servers. Webflow processes visitor IP addresses and HTTP request metadata (User-Agent, referrer, request path) in server access logs for security, abuse prevention, and infrastructure reliability purposes. These logs are retained for up to 30 days. Webflow does not use this data for advertising or user profiling. No third-party tracking scripts are injected by Webflow itself; any tracking on the site is added by the operator.
Under the GDPR, the operator (the Webflow customer who built the site) is the data controller, and Webflow is the data processor. Webflow provides a Data Processing Addendum (DPA) that governs this relationship and covers international data transfers via Standard Contractual Clauses (SCCs). All infrastructure is located in the United States, which constitutes a restricted transfer under GDPR Chapter V. Operators must reference this transfer in their privacy notice and ensure the Webflow DPA is signed. Webflow does not currently offer EU data residency.
When the Webflow Memberships feature is enabled, Webflow collects and stores member personal data directly: email address, name, password hash, and authentication tokens. This data is stored on Webflow US infrastructure and creates a more direct data processing relationship with end users. Operators using Memberships must explicitly disclose this processing in their privacy notice, ensure members are informed about the US data transfer, and provide appropriate mechanisms for data subject rights (access, deletion, portability). The risk profile of a Memberships-enabled site is higher than a standard static site.
Websites using Webflow must obtain user consent under GDPR regulations.
DPIA considerations
Webflow is a managed hosting and website building platform, not a tracking or advertising service. Key DPIA considerations:

1. Webflow Inc. is a US company and all visitor connection data (IP addresses, HTTP headers, server logs) is processed on AWS us-east-1 infrastructure in the United States; this constitutes a restricted transfer under GDPR Chapter V, covered by SCCs in the Webflow Data Processing Addendum.
2. Webflow acts as a data processor for the operator, processing data solely according to operator instructions; it does not use visitor data for its own advertising purposes.
3. Webflow server logs retain visitor IP addresses for up to 30 days for security and abuse prevention purposes; operators should account for this in their privacy notice.
4. If Webflow Memberships is enabled, additional personal data is collected and stored (email, name, authentication tokens) and processed in the US; this increases the risk level and may trigger DPIA requirements.
5. Webflow does not offer EU data residency as of 2025; operators with strict EU data localisation requirements should evaluate alternative hosting providers.

Overall risk is medium for standard sites and higher for Membership-enabled sites.
Third-party domains contacted
- webflow.com
- assets.website-files.com
- uploads-ssl.webflow.com
- global-uploads.webflow.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| __wf_auth | Strictly Necessary | Session | Set only on sites with Webflow Memberships. Stores the authenticated member session token to keep the user logged in across pages. |
| wf_logout | Strictly Necessary | Session | Used to handle post-logout redirect URLs on Webflow Membership sites. Cleared immediately after the redirect is processed. |
| AWSALB | Strictly Necessary | 7 days | AWS Application Load Balancer cookie for session stickiness. Routes repeated requests from the same visitor to the same backend server during a session. |
| AWSALBCORS | Strictly Necessary | 7 days | Same as AWSALB but set with SameSite=None for cross-origin requests. Required for proper load balancer routing in CORS contexts. |
From a GDPR perspective, Webflow is a managed hosting and website building platform, not a tracking or advertising service. When you use Webflow to host a site, Webflow acts as a data processor on your behalf. It processes visitor connection data (IP addresses, HTTP request metadata) solely for infrastructure and security purposes. Webflow does not inject tracking scripts, does not build visitor profiles, and does not use visitor data for its own advertising. Any tracking on a Webflow-hosted site comes from scripts added by the operator, not from Webflow itself.
Yes. Webflow Inc. is a US company and all hosted sites run on AWS infrastructure in the United States, distributed via Fastly CDN edge nodes worldwide. Every visitor HTTP request ultimately reaches US-based origin servers, and Webflow retains server logs including IP addresses for up to 30 days. This constitutes a restricted data transfer under GDPR Chapter V. Webflow covers this transfer with a Data Processing Addendum (DPA) including Standard Contractual Clauses (SCCs). Operators must disclose this transfer in their privacy notice.
For standard static sites, Webflow sets no tracking cookies. It may set a small number of strictly necessary technical cookies for specific features: __wf_auth (session duration) is set only on sites with Webflow Memberships enabled, storing the authenticated member session token; wf_logout (session duration) is used to handle post-logout redirects on Membership sites; and AWSALB or similar load balancer cookies may be set transiently by the AWS infrastructure for session stickiness during requests. None of these require user consent as they are strictly necessary for the requested service.
Webflow provides the tools to operate a GDPR-compliant website, but compliance depends on how the operator configures and uses the platform. Webflow itself offers a Data Processing Addendum with SCCs covering US data transfers, retains logs for limited periods, has no advertising purpose, and acts as a data processor. Operators must: sign the Webflow DPA, disclose the US data transfer in their privacy notice, configure any additional analytics or advertising services with appropriate consent management, and handle data subject requests for any personal data Webflow stores on their behalf (particularly for Membership sites).
No. As of 2025, Webflow does not offer an EU data residency option. All hosted sites and associated data are processed on AWS infrastructure in the United States. Operators with strict EU data localisation requirements, such as those in regulated sectors (healthcare, finance, public sector), should evaluate whether Webflow meets their specific compliance obligations or whether an EU-hosted alternative is necessary. Webflow covers the transfer with SCCs, but cannot guarantee that visitor data never leaves the US infrastructure.
Webflow is a data processor. The operator (the Webflow customer who built and published the site) is the data controller, responsible for determining the purposes and means of processing visitor data. Webflow processes data solely on the operator's behalf and according to their instructions, as described in the Data Processing Addendum. This is a more favourable arrangement for operators than services like Meta Pixel, where Meta acts as an independent data controller for its own purposes. However, operators remain fully responsible for any other services (analytics, advertising, etc.) they add to their Webflow site.
Webflow provides basic traffic analytics in the site dashboard, derived from server-side request logs. These are aggregated, do not use cookies, and are not shared with visitors. They do not require visitor consent. For more detailed analytics, operators typically add third-party tools (Google Analytics, Plausible, Fathom, etc.) to their Webflow site, which must be configured with appropriate consent management. Webflow does not bundle any third-party analytics by default.
Enabling Webflow Memberships significantly increases the data processing scope. Webflow stores member personal data directly on its US infrastructure: email address, display name, password hash, authentication tokens, and membership status. Operators must: update their privacy notice to disclose this processing and the US data transfer; provide members with data subject rights mechanisms (access, deletion, portability); ensure the Webflow DPA covers this additional processing; and consider whether a DPIA is required given the direct storage of identifiable personal data on a US platform. The risk profile of a Memberships site is materially higher than a standard static site.