Puter.js is the JavaScript SDK for Puter, a browser-based cloud operating system. The SDK gives any web page access to Puter's cloud storage (puter.fs), key-value store (puter.kv), authentication and AI APIs (puter.ai) through a single script tag. When a publisher embeds it, every API call sends data to Puter Technologies Inc. servers in the United States and most calls require the visitor to authenticate with their Puter account, so GDPR consent and US transfer assessments are unavoidable.
Puter.js is the official JavaScript SDK of Puter, an open-source cloud operating system that runs in a browser tab. The SDK lets any web page call Puter's file system (puter.fs), key-value store (puter.kv), authentication, payments and AI APIs (puter.ai) without running its own backend. A single script tag from js.puter.com is enough to start using paid AI models on the user's Puter credit rather than the publisher's.
The SDK uses cookies (puter_auth for the long-lived token, puter_session for the active tab, __cf_bm for Cloudflare bot management, puter_consent for the SDK's built-in prompt) on puter.com subdomains. It sends the visitor's IP, User-Agent and every API payload (file content, KV value, AI prompt) to Puter servers in the United States. If the visitor signs in, Puter knows their email and any usage they make of the API across every site that uses Puter.js.
Loading Puter.js sends device data to a US controller and prompts the user to sign in to Puter, so consent under Article 5(3) ePrivacy is required before the SDK runs. Once the visitor has a Puter account, the publisher is no longer the only controller for any data the user pushes to Puter; the relationship becomes controller-to-controller and must be reflected in the privacy notice. Where Puter.js is used to call AI models, the prompt and any image upload are forwarded to AI sub-processors with their own retention.
All Puter.js traffic is processed by Puter Technologies Inc. in the United States. AI calls are routed to models from OpenAI, Anthropic, Together, Replicate or Stability; the list is documented in the Puter docs and changes regularly. Sign the Puter DPA, attach Standard Contractual Clauses, verify the current EU-US Data Privacy Framework status of Puter and each AI sub-processor, and run a Transfer Impact Assessment for each model that operates from outside the EEA.
Gate the Puter.js script behind your CMP consent. Document Puter Technologies Inc. and each AI sub-processor in the privacy notice. Run a DPIA whenever your embed surfaces user-generated content to Puter AI or whenever minors might use the feature. Configure short retention in the user's Puter account where you control the upload. Provide a non-cloud fallback so the page still works when the user refuses consent.
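One way to implement the consent gate and the fallback for refused consent, as an added example that is not FlowConsent's or Puter's own code. The script URL path, the `{ puter: boolean }` consent shape, the function names and the CMP event name are assumptions; the page itself names only the host js.puter.com.

```javascript
// Added example: consent-gated loading of Puter.js with a non-cloud fallback.
// Assumptions: the script URL below (the page names only the host js.puter.com),
// the consent object shape { puter: boolean }, and all function names.
const PUTER_SRC = "https://js.puter.com/v2/";

function createPuterGate(doc, showFallback) {
  let injected = false;

  // Call once on page load with the stored choice, then on every CMP change.
  return function applyConsent(consent) {
    // Strict check: only an explicit boolean true counts as consent.
    const granted = Boolean(consent) && consent.puter === true;

    if (granted && !injected) {
      // First contact with js.puter.com happens here, never earlier,
      // so no IP, User-Agent or cookie reaches Puter before opt-in.
      const script = doc.createElement("script");
      script.src = PUTER_SRC;
      script.async = true;
      doc.head.appendChild(script);
      injected = true;
      return "loaded";
    }
    if (granted) return "already-loaded";

    if (injected) {
      // A script that has run cannot be unloaded. After withdrawal the page
      // must be reloaded to return to a state that never contacts Puter.
      return "reload-required";
    }
    showFallback(); // render the non-cloud version of the feature
    return "fallback";
  };
}

// Browser wiring (hypothetical CMP event name and fallback renderer):
// const gate = createPuterGate(document, renderLocalOnlyUi);
// gate(readStoredConsent());
// window.addEventListener("cmp:change", (e) => gate(e.detail));
```

The gate only works if no static `<script src="https://js.puter.com/...">` tag remains in the HTML; a quick check is to load the page with consent refused and confirm the network panel shows no request to any puter.com host.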
Websites using Puter.js must obtain user consent under GDPR regulations.
DPIA considerations
Puter.js carries three distinct processing flows that should be analysed separately. (1) Cloud storage (puter.fs) and KV (puter.kv) calls send arbitrary file contents and key-value pairs to the US, with retention controlled by the user's Puter account; risk depends on what the publisher writes there. (2) Authentication asks the visitor to log into Puter, creating a personal account tied to a US controller; the publisher should be aware that they may be inducing a cross-controller relationship without clear notice. (3) AI calls (puter.ai.chat, puter.ai.txt2img, puter.ai.img2txt) ship the prompt and any uploaded image to Puter's LLM and image model partners, which may include OpenAI, Anthropic and others, each with its own retention and training policy. A DPIA is recommended for any embed that surfaces user-generated content to Puter AI and mandatory when minors or sensitive data are involved.
Sample consent text
Some features of this page are powered by Puter.js, the JavaScript SDK of Puter (Puter Technologies Inc., United States). When you use those features, your data (file content, prompts you type, images you upload) is sent to Puter servers in the United States and, where applicable, forwarded to Puter's AI sub-processors. Transfers rely on Standard Contractual Clauses. You can refuse the Puter features in the cookie banner and we will display a non-cloud version of the page.
Third-party domains contacted
puter.com, api.puter.com, js.puter.com, static.puter.com, puter.site
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| puter_auth | Functional | 30 days | Authentication token issued by Puter when the visitor signs into their Puter account through the SDK. Required for any cloud storage or AI call. |
| puter_session | Strictly necessary | Session | Short-lived session identifier used by Puter API endpoints to bind the current browser tab to the active account. |
| __cf_bm | Strictly necessary | 30 minutes | Cloudflare bot management cookie placed on the Puter CDN to filter automated traffic. |
| puter_consent | Strictly necessary | 6 months | Stores whether the visitor has accepted the Puter terms in the SDK's built-in consent prompt. |
puter_auth (30 days, account token), puter_session (session), __cf_bm (Cloudflare bot management) and puter_consent (6 months, SDK consent). All on puter.com subdomains.
Yes. The SDK contacts a US controller, may set a long-lived auth cookie, and forwards user inputs to AI sub-processors. Prior consent under Article 5(3) ePrivacy is required and the user must understand they may be redirected to sign in to Puter.
Consent for the SDK loading and for the AI calls. Contract performance can support the cloud storage flow once the user has explicitly logged in. Document the controller-to-controller relationship for any data the user uploads to their Puter account.
Yes. Puter Technologies Inc. is US-based and uses AWS us-east-1 plus Cloudflare. AI calls go to additional US AI vendors. SCCs apply through the Puter DPA; check the EU-US Data Privacy Framework status of Puter and each AI sub-processor.
Yes for any embed that pushes user-generated content to Puter AI, that involves minors, or that handles sensitive data. Smaller, non-AI cloud storage embeds can rely on a balancing test plus a clear notice.
CMP gate on the script. Privacy notice listing Puter Technologies Inc. and each AI sub-processor. Non-cloud fallback for refused consent. Short retention. DPIA for AI surfaces or minors. Avoid sending sensitive data unless absolutely necessary.
Yes: Mistral La Plateforme for AI inference, Scaleway Object Storage for storage, Hetzner Cloud or Clever Cloud for full self-hosting, Nextcloud for a user-owned file system. The mix matches Puter.js in pieces but does not provide a single drop-in browser SDK.
List puter_auth, puter_session, __cf_bm and puter_consent with domain, duration and purpose. Add Puter Technologies Inc. and Cloudflare to the recipient list. List each AI sub-processor (OpenAI, Anthropic, etc.) with its destination country.