Ko fi is a UK based creator support platform operated by Ko fi Labs Ltd in Edinburgh that lets creators receive one off tips, monthly memberships, commission requests and small shop sales. The widget loaded from storage.ko-fi.com writes Ko fi functional and analytics cookies, opens an iframe to ko-fi.com and routes payments through Stripe and PayPal. Because the UK has an EU adequacy decision and the data is hosted on Azure UK, Ko fi is one of the lower risk donation platforms for EU creators, though consent is still required for the embed.
Ko fi is a creator support platform operated by Ko fi Labs Ltd, a British company headquartered in Edinburgh, Scotland. The product targets artists, writers, podcasters, streamers and open source maintainers. Creators set up a public Ko fi page, then either link to it or embed a floating button, modal panel or full widget on their own site. Visitors can send a one off tip, become a monthly member, request a commission or buy a small digital or physical item from the creator's Ko fi shop.
Ko fi competes directly with Buy Me a Coffee (US), Patreon (US), Tipeee (France) and Liberapay (France). Its main differentiators in Europe are the UK headquarters, the UK adequacy decision under the GDPR and a flat 5 percent platform fee on memberships and shop sales (tips are free).
When the Ko fi widget is embedded on a third party site, the widget v2.js loader is fetched from storage.ko-fi.com. As soon as the iframe to ko-fi.com is opened, Ko fi sets first party cookies on ko-fi.com (kofi_session for the supporter session, a CSRF token, kofi_locale to remember language and currency, and a small attribution cookie). If the supporter chooses to tip or subscribe, the Stripe checkout step loads __stripe_mid and __stripe_sid; PayPal flows add paypal_* cookies. On ko-fi.com itself, Ko fi uses analytics tools such as Google Analytics 4 and Cloudflare bot management.
Loading the Ko fi widget puts non strictly necessary cookies on the visitor's device before any action, which triggers Art. 5(3) ePrivacy and requires prior consent in the EU. Once the supporter actively initiates a tip or a membership, the processing of the payment data relies on contract performance (Art. 6(1)(b) GDPR). The UK adequacy decision under Art. 45 GDPR means that the underlying transfer of data to UK based Ko fi is treated like an intra EEA flow.
For EU traffic the widget should be gated behind a CMP. A common pattern is to display a static Ko fi button that opens the public Ko fi page in a new tab until consent is given, then load the full widget after the visitor accepts the functional category. Once on ko-fi.com, the supporter is subject to Ko fi's own privacy notice and cookie controls.
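The gating pattern described above, as an added example (not code from Ko fi or from this page's author). `createKofiGate`, `KOFI_CONFIG` and the `onConsentChange` hook are hypothetical names, the creator page URL is a constructed sample, and `widgetSrc` is a placeholder that stands in for the loader URL from your own Ko fi embed snippet.

```javascript
// Added example: consent-gated Ko fi embed. All names here are hypothetical.
// widgetSrc is a placeholder: use the loader URL from your own embed snippet.
const KOFI_CONFIG = {
  pageUrl: 'https://ko-fi.com/EXAMPLE_CREATOR',                 // constructed sample
  widgetSrc: 'https://storage.ko-fi.com/PLACEHOLDER_LOADER.js', // placeholder path
  category: 'functional', // CMP category that unlocks the widget
};

function createKofiGate(doc, mount, cfg = KOFI_CONFIG) {
  let loaded = false;

  // Fallback: a plain link, so nothing is fetched from Ko fi and no cookie
  // is written before the visitor has made a choice.
  function renderStaticButton() {
    const a = doc.createElement('a');
    a.href = cfg.pageUrl;
    a.target = '_blank';
    a.rel = 'noopener noreferrer'; // the new tab gets no window.opener handle
    a.textContent = 'Support me on Ko fi';
    mount.replaceChildren(a);
    return a;
  }

  // Call on every CMP consent change with the list of accepted categories.
  // Returns true only on the call that actually injects the loader.
  function onConsentChange(accepted) {
    if (loaded || !accepted.includes(cfg.category)) return false;
    const src = new URL(cfg.widgetSrc);
    // Refuse to inject a script from anywhere but the expected HTTPS host.
    if (src.protocol !== 'https:' || src.hostname !== 'storage.ko-fi.com') {
      throw new Error('unexpected widget origin: ' + src.origin);
    }
    const s = doc.createElement('script');
    s.src = src.href;
    s.async = true;
    doc.head.appendChild(s); // first request to Ko fi happens here
    loaded = true;
    return true;
  }

  renderStaticButton();
  return { onConsentChange, isLoaded: () => loaded };
}
```

In a browser, call `createKofiGate(document, containerElement)` and wire `onConsentChange` to your CMP's consent callback; any initialisation calls from the embed snippet belong in the injected script's `onload` handler.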
Ko fi processes supporter data on Microsoft Azure UK South and UK West. The UK is covered by an EU adequacy decision under Art. 45 GDPR, so the transfer is treated equivalently to a transfer within the EEA. Payments through Stripe and PayPal involve onward transfers, which both processors cover with their own SCCs and EU US Data Privacy Framework certifications.
Sign the Ko fi DPA from the creator dashboard. Gate the widget behind a CMP toggle. Mention Ko fi, Stripe and PayPal in your privacy notice and Article 30 record. The UK adequacy decision keeps the main transfer low risk, but document the onward transfers to Stripe and PayPal in the US. Update your terms to clarify that refunds and disputes go through Ko fi.
Websites using Ko-fi must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for a Ko fi widget on a creator's site. It can become appropriate for large media operations using Ko fi memberships and shops alongside extensive analytics and profiling on the same audience.
Sample consent text
We use Ko fi (Ko fi Labs Ltd, United Kingdom) to receive tips and memberships. The Ko fi widget sets functional cookies, opens an iframe to ko-fi.com and routes payments through Stripe and PayPal. The UK benefits from an EU adequacy decision and supporter data is hosted on Microsoft Azure UK.
Third-party domains contacted
- ko-fi.com
- storage.ko-fi.com
- cdn.ko-fi.com
- js.stripe.com
- www.paypal.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| kofi_session | third_party | 2 weeks | Ko fi functional session cookie set on ko-fi.com to keep an authenticated supporter session and an in progress tip or checkout. |
| kofi_locale | third_party | 1 year | Functional cookie used by Ko fi to remember the supporter's language and currency preference between visits. |
| kofi_csrf | third_party | Session | CSRF protection token for Ko fi API calls during the tip, membership or shop flow. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie set on ko-fi.com to distinguish humans from automated traffic. |
| __stripe_mid | third_party | 1 year | Stripe machine identifier loaded during the Ko fi Stripe checkout step for fraud prevention. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier loaded during the Ko fi Stripe checkout step for fraud detection. |
Ko-fi uses cookies for user preferences — inform visitors with a consent banner.
When the Ko fi widget loads it sets first party Ko fi cookies on ko-fi.com (kofi_session, kofi_locale, an attribution cookie and a CSRF token) and Cloudflare bot management cookies (__cf_bm, _cfuvid). The Stripe checkout step adds __stripe_mid and __stripe_sid; PayPal flows add paypal_* cookies.
Yes. The widget loads non strictly necessary cookies before any visitor action, so Art. 5(3) ePrivacy requires prior consent in the EU. Until consent is given replace the widget with a static button that links to the public Ko fi page in a new tab.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the widget cookies. Contract performance (Art. 6(1)(b)) for the tip, membership or shop purchase. Legal obligation (Art. 6(1)(c)) for VAT and tax record keeping on the creator's side.
Primarily no. Ko fi Labs Ltd processes data in the United Kingdom, which has an EU adequacy decision under Art. 45 GDPR. Onward transfers happen when payments go through Stripe and PayPal, who apply their own SCCs and EU US Data Privacy Framework certifications.
Not for a single creator running a tip jar and small shop. A DPIA can be appropriate for large media operations using Ko fi memberships and shop alongside extensive analytics and profiling on the same audience.
Sign the Ko fi DPA, gate the widget behind a CMP toggle, list Ko fi, Stripe and PayPal in your privacy notice and Article 30 record, mention the UK adequacy decision and the Stripe and PayPal sub processors, and update your terms so refunds and disputes go through Ko fi.
EU friendly alternatives include Liberapay (France, non profit), Tipeee (France), Steady (Germany), Patreon (US), Buy Me a Coffee (US), Stripe Checkout / Payment Links for self managed setups and Lemonway for French creators that need MoR style support.
List the Ko fi, Cloudflare, Stripe and PayPal cookies in your cookie policy with their categories and durations. In your privacy notice describe Ko fi as your creator support platform, the UK based processing, the UK adequacy decision and the onward transfer to Stripe and PayPal in the US under SCCs and DPF.