Buy Me a Coffee is a US-based platform that lets creators accept one-off tips, monthly memberships and extra paid posts through an embeddable widget. The button.js script and the embed iframe load from buymeacoffee.com and Cloudflare, write functional and analytics cookies, and route payments through Stripe and PayPal. Because the embed is non-essential and transfers data to the United States, EU publishers should load it only after consent and document the international transfer.
Buy Me a Coffee, often shortened to BMC, is a US-based creator support platform incorporated as Buy Me a Coffee Inc. in San Francisco, California. Creators (writers, illustrators, podcasters, open-source maintainers) set up a public page, then either link to it or embed a yellow Buy Me a Coffee button or a more advanced widget on their own site. Visitors can send a one-off tip, become a monthly member, buy a single paid post or pay for an extra such as access to a private community.
BMC handles the public page, the payment flow, supporter messages and the dashboard. Payments are routed to Stripe (the default in most countries) or PayPal. The creator's site only needs to load the button.js script or to drop an iframe; everything else happens on buymeacoffee.com.
When the BMC button or widget is embedded on a third-party site, button.js is fetched from cdnjs.buymeacoffee.com. As soon as the iframe to buymeacoffee.com is opened, Cloudflare bot management cookies (__cf_bm, _cfuvid) and BMC functional cookies (_bmc_session, csrf token) are set on the buymeacoffee.com domain. If the supporter clicks the button, a checkout iframe loads Stripe.js or the PayPal SDK, which set their own cookies (m, __stripe_mid, __stripe_sid, paypal_*).
BMC also uses analytics and product tooling on its own domain, typically Google Analytics 4, Microsoft Clarity, HubSpot and Segment. These cookies are not set on the creator's domain but apply to anyone visiting buymeacoffee.com through the embed.
Embedding the BMC widget triggers Art. 5(3) ePrivacy because the iframe sets cookies that are not strictly necessary to deliver a service the user has explicitly requested. The widget is loaded on every page where it is dropped, before any action by the visitor. Loading the button without consent is therefore non-compliant in France, Germany, Spain, Italy and most EU member states.
Once the supporter actively clicks to send a tip or to subscribe, the payment processing relies on contract performance (Art. 6(1)(b) GDPR) and on Stripe or PayPal as separate processors. The creator remains the controller of supporter data presented in the BMC dashboard.
For EU traffic, the BMC embed should be blocked until the visitor has accepted at least the functional category in your CMP. A common pattern is to replace the embed with a static yellow placeholder that opens the BMC public page in a new tab on click, until consent is given. Alternatively, you can route everything to a direct link such as buymeacoffee.com/yourname and avoid the embed entirely.
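The placeholder pattern described above, as an added example (not code from Buy Me a Coffee or from any CMP): a static link is rendered first, and the embed script is injected only once functional consent is granted. The `cmp:consent` event, the `bmc-mount` element, its `data-embed-src` attribute and the `{ functional }` consent shape are assumptions; the script URL must be copied from the snippet BMC generates.

```javascript
// Added example; names below are assumptions unless they appear on this page.
const ALLOWED_SCRIPT_HOST = 'cdnjs.buymeacoffee.com'; // script host named on this page
const PUBLIC_PAGE = 'https://buymeacoffee.com/yourname'; // direct link from this page

// Static placeholder: a plain link, so no request, iframe or cookie
// involves buymeacoffee.com until the visitor actually clicks.
function buildPlaceholder(doc) {
  const a = doc.createElement('a');
  a.href = PUBLIC_PAGE;
  a.target = '_blank';
  a.rel = 'noopener noreferrer'; // no window.opener handle, no Referer sent
  a.textContent = 'Buy me a coffee';
  a.className = 'bmc-placeholder'; // style it yellow in your own CSS
  return a;
}

// Real embed: accepted only over HTTPS and only from the expected host,
// so a mistyped or tampered data attribute cannot load another origin.
function buildEmbed(doc, scriptSrc) {
  const url = new URL(scriptSrc);
  if (url.protocol !== 'https:' || url.hostname !== ALLOWED_SCRIPT_HOST) {
    throw new Error('unexpected embed source: ' + url.origin);
  }
  const s = doc.createElement('script');
  s.src = url.href;
  s.async = true;
  return s;
}

// Render into `mount` for the current consent state. Missing or malformed
// consent counts as "not granted". Returns 'embed' or 'placeholder'.
function renderSupportButton(doc, mount, consent, scriptSrc) {
  const granted = Boolean(consent && consent.functional === true);
  const node = granted ? buildEmbed(doc, scriptSrc) : buildPlaceholder(doc);
  mount.replaceChildren(node); // swap, never stack, on repeated calls
  return granted ? 'embed' : 'placeholder';
}

// Browser wiring (skipped outside a browser). The event name and its
// detail shape are hypothetical: use what your CMP actually emits.
if (typeof document !== 'undefined') {
  const mount = document.getElementById('bmc-mount');
  if (mount) {
    const src = mount.dataset.embedSrc; // src copied from BMC's embed snippet
    renderSupportButton(document, mount, { functional: false }, src);
    document.addEventListener('cmp:consent', (e) =>
      renderSupportButton(document, mount, e.detail, src));
  }
}
```

Copy any data attributes from the snippet BMC generates onto the script element, and verify in the browser's network panel that nothing is requested from buymeacoffee.com, Cloudflare, Stripe or PayPal before consent.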
All BMC processing happens on AWS US regions. The BMC DPA incorporates the European Commission Standard Contractual Clauses and references the EU-US Data Privacy Framework. Stripe is established in Ireland for EU customers but transfers to the US under SCCs; PayPal Luxembourg processes EU payment data under its own DPF certification.
A Transfer Impact Assessment is sensible for high-volume creators and must cover US surveillance laws (FISA 702, EO 12333) and the residual risk despite the DPF.
Sign the Buy Me a Coffee DPA. Add BMC as a third party in your CMP and gate the embed behind functional consent. List Buy Me a Coffee, Stripe and PayPal in your privacy notice and Article 30 record. Document the international transfer to the United States with SCCs and DPF. Keep supporter messages and payment metadata access limited to authorised team members in the BMC dashboard.
Websites using Buy Me a Coffee must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a simple Buy Me a Coffee widget on a personal site. It can become relevant for publishers managing large supporter bases (newsletters with thousands of paying members) combined with extensive analytics and profiling on the same site.
Sample consent text
We use Buy Me a Coffee (Buy Me a Coffee Inc., United States) to let visitors send tips and subscribe to memberships. The widget sets functional and analytics cookies, opens an iframe to buymeacoffee.com and routes payments through Stripe and PayPal. International transfers to the US are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework.
Third-party domains contacted
buymeacoffee.com
www.buymeacoffee.com
cdnjs.buymeacoffee.com
img.buymeacoffee.com
js.stripe.com
q.stripe.com
m.stripe.com
www.paypal.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie set on buymeacoffee.com to distinguish legitimate users from bots. Strictly necessary to deliver the widget but considered third party from the integrating site's perspective. |
| _cfuvid | third_party | Session | Cloudflare visitor identifier used to apply rate limits to bot mitigation rules on buymeacoffee.com. |
| _bmc_session | third_party | 2 weeks | BMC functional session cookie on buymeacoffee.com used to keep a supporter logged in and to remember the in progress checkout. |
| _bmc_csrf | third_party | Session | CSRF protection token for BMC API calls during the tip or membership flow. |
| __stripe_mid | third_party | 1 year | Stripe machine identifier used for fraud prevention during the BMC checkout. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier used for fraud detection during the BMC checkout. |
| m | third_party | 2 years | Stripe device fingerprint cookie used for risk scoring on payment forms. |
| paypal_* | third_party | Up to 3 years | PayPal authentication and risk cookies loaded if the supporter chooses PayPal at checkout. |
Buy Me a Coffee uses cookies for user preferences — inform visitors with a consent banner.
When the BMC iframe loads, Cloudflare bot management cookies __cf_bm and _cfuvid are set on buymeacoffee.com, plus BMC functional cookies (_bmc_session, a CSRF token, an auth token if the supporter is logged in). The checkout step loads Stripe.js or the PayPal SDK, which adds __stripe_mid, __stripe_sid, m, paypal_* cookies on their respective domains.
Yes. The widget sets cookies that are not strictly necessary before any action from the visitor, so Art. 5(3) ePrivacy requires prior consent in the EU. Use a CMP to block the embed until the visitor accepts at least the functional category, or replace the embed with a static button that links to the BMC public page in a new tab.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for loading the widget and its cookies. Contract performance (Art. 6(1)(b) GDPR) for processing the actual tip or membership once the supporter checks out. Legal obligation (Art. 6(1)(c)) for tax record keeping on received payments.
Yes. BMC is incorporated in the United States and hosts all data on AWS US regions. EU and UK supporter data is transferred to the US under the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Stripe and PayPal apply their own transfer mechanisms.
A DPIA is not normally required for low-traffic creator sites with a simple BMC widget. It can become relevant for large publishers running BMC alongside extensive analytics, profiling and email marketing on the same audience.
Sign the BMC DPA, gate the widget behind functional consent in your CMP, use a placeholder until consent is given, list BMC, Stripe and PayPal in your privacy notice and Article 30 record, document the US transfer with SCCs and DPF, and avoid exposing supporter messages in public dashboards.
EU-friendly alternatives include Ko-fi (UK), Liberapay (France, non-profit), Patreon (US), Tipeee (France), Steady (Germany) and direct Stripe Checkout or Stripe Payment Links. EU-based options score better on transfer risk and on local payment methods.
List Buy Me a Coffee, Cloudflare, Stripe and PayPal as third parties in your cookie policy with their categories and durations. In your privacy notice, describe the embed, the iframe to buymeacoffee.com, the US transfer with SCCs and DPF and the role of Stripe and PayPal as separate processors.