Netlify is a cloud platform that hosts JAMstack websites and static and serverless applications, running them on a global edge network with built-in continuous deployment, edge functions and form handling. Netlify is operated by Netlify Inc. in the United States. From a GDPR perspective Netlify acts mostly as a hosting processor that handles visitor IP addresses and request metadata, and it does not set marketing cookies in the visitor browser by default.
Netlify is one of the pioneers of the JAMstack hosting category. It builds a site from a Git repository, distributes the resulting static assets through its global edge network, hosts serverless and edge functions (Netlify Functions, Netlify Edge Functions) and offers built-in services for forms, identity and image optimisation. Netlify is widely used for Next.js, Gatsby, Hugo, Astro, Eleventy and Nuxt websites, both for marketing pages and for full SaaS applications.
Netlify processes the visitor IP address, request URL, HTTP method, headers (User Agent, Referer and forwarded cookies), TLS handshake parameters, derived geolocation and execution metadata when Functions handle the request. Access logs and function logs are stored for a defined retention period. Netlify Analytics, when enabled, reads aggregated request data from the edge servers without setting cookies in the browser. Netlify Forms stores form submissions in the dashboard for the customer to review.
IP addresses processed by Netlify are personal data under the GDPR. Netlify is a processor for the customer and a controller for limited operational purposes. Pure hosting and CDN delivery do not write information on the visitor device, so the ePrivacy consent rule is not triggered and explicit consent is not required for the hosting itself. Netlify Analytics is server side and cookieless, which makes it broadly compatible with legitimate interest, but it must still be listed in the privacy notice. Netlify Identity, Netlify Forms and any custom JavaScript loaded through Netlify may require their own legal basis.
Netlify operates a global edge network with points of presence in Europe, but the control plane, customer support and account data remain in the United States. Transfers rely on the Netlify Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3, encryption at rest, SOC 2 Type II, ISO 27001 and HIPAA controls for enterprise customers. Netlify Functions can be deployed in EU regions to limit personal data flows.
Sign the Netlify Data Processing Addendum, document Netlify as a processor in your record of processing activities, mention Netlify Inc., the United States destination and the SCC and DPF safeguards in the privacy notice, and configure short retention for access and function logs. Deploy Netlify Functions in EU regions where possible, gate any non essential script loaded through Netlify behind a consent management platform, and review Netlify Forms submissions for personal data handling and retention.
Websites using Netlify do not need consent for the hosting layer itself, but they must obtain user consent under GDPR and ePrivacy rules as soon as the hosted site sets non-essential cookies or loads third-party trackers.
DPIA considerations
A DPIA is not required for a standard marketing or informational website on Netlify. A DPIA is recommended when the application performs systematic profiling, when Netlify Identity stores authenticated user data, when forms collect sensitive data or when the site targets regulated sectors such as health or financial services.
Sample privacy notice text
This website is hosted on Netlify, a cloud platform operated by Netlify Inc. (USA). Netlify routes your requests through a global edge network and processes your IP address and request metadata on the basis of our legitimate interest in operating this website. This data may be transferred to Netlify servers in the United States; the transfer is safeguarded by the EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
netlify.com
netlify.app
netlifyusercontent.com
netlifycontent.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _nf_uuid | Strictly necessary | 1 year | Set on password protected Netlify previews. Stores a unique identifier so that the access check is not repeated on every navigation. |
| nf_jwt | Strictly necessary | Session or until logout | Stores the JSON Web Token issued by Netlify Identity or by Netlify access control for password protected previews. |
| _nf_identity_id | Functional (Netlify Identity) | 1 year | Set when Netlify Identity is configured on the site. Stores a pseudonymous identifier for the authenticated user. |
On a public website hosted on Netlify, no marketing or analytics cookies are set by default. Netlify may set strictly necessary cookies on password protected previews (_nf_uuid, nf_jwt) and on the Netlify admin domain. Netlify Identity, when enabled, relies on the nf_jwt session cookie for authenticated users and may set _nf_identity_id.
No consent is required for hosting and content delivery via Netlify, because no information is stored or read on the visitor device. Consent becomes required when the hosted application itself sets non essential cookies, loads third party trackers or uses Netlify Identity for authentication on a public marketing flow.
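The two claims above (no non-essential cookies set by default, only first-party and Netlify hosts contacted) are easy to verify against a captured response from your own deployment. The following audit script is an added example for this page, not code from Netlify or from FlowConsent: it takes the Set-Cookie headers and HTML of a response, flags any cookie not in the table above or missing the Secure/HttpOnly attributes, and classifies every referenced host as first-party, Netlify or third-party. The sample headers and HTML embedded below are constructed for illustration (the `_ga` cookie and the `cdn.tracker.example` host are placeholders for a tracker you would have to gate behind consent).

```python
"""Offline audit of a captured HTTP response from a site hosted on Netlify.

Checks the two hosting-layer claims a privacy notice makes:
(1) only the cookies attributed to Netlify are set, and
(2) only first-party and Netlify hosts are referenced by the page.
Anything else needs its own legal basis or a consent gate.
"""
import re
from urllib.parse import urlparse

# Domains listed on this page as contacted by Netlify-hosted sites.
NETLIFY_DOMAINS = {
    "netlify.com", "netlify.app", "netlifyusercontent.com", "netlifycontent.com",
}

# Cookies this page attributes to Netlify (previews, access control, Identity).
KNOWN_NETLIFY_COOKIES = {"_nf_uuid", "nf_jwt", "_nf_identity_id"}

# src/href of script, iframe, img and link tags; good enough for an audit pass.
RESOURCE_RE = re.compile(
    r"<(?:script|iframe|img|link)\b[^>]*?\b(?:src|href)\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def parse_set_cookie(header):
    """Return (name, {attribute_lowercase: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_host(host, site_host):
    if host_matches(host, site_host):
        return "first-party"
    if any(host_matches(host, d) for d in NETLIFY_DOMAINS):
        return "netlify"
    return "third-party"


def audit_response(set_cookie_headers, html, site_host):
    """Audit one response; returns a dict describing what needs review."""
    unexpected, insecure = [], []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in KNOWN_NETLIFY_COOKIES:
            unexpected.append(name)
        if "secure" not in attrs or "httponly" not in attrs:
            insecure.append(name)

    third_party, netlify = set(), set()
    for url in RESOURCE_RE.findall(html):
        host = urlparse(url).hostname  # None for relative URLs; handles //host/path
        if not host:
            continue
        kind = classify_host(host, site_host)
        if kind == "third-party":
            third_party.add(host)
        elif kind == "netlify":
            netlify.add(host)

    return {
        "unexpected_cookies": unexpected,
        "insecure_cookies": insecure,
        "third_party_hosts": sorted(third_party),
        "netlify_hosts": sorted(netlify),
        # Heuristic: anything outside the Netlify baseline needs a legal basis
        # or a consent gate, so it goes to a human reviewer.
        "needs_review": bool(unexpected or third_party),
    }


# Constructed sample response (not captured from a real site).
SAMPLE_SET_COOKIE = [
    "nf_jwt=eyJhbGciOi.example.sig; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Max-Age=63072000",
]
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="/styles.css">
<script src="/main.js"></script>
<script async src="https://cdn.tracker.example/tag.js"></script>
</head><body>
<img src="https://images.netlifyusercontent.com/asset.png" alt="">
<img src="//static.example.com/logo.svg" alt="">
</body></html>"""


if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_SET_COOKIE, SAMPLE_HTML, "example.com").items():
        print(f"{key}: {value}")
```

Run it against headers and HTML captured with `curl -si https://your-site.netlify.app` and your own site host; a clean marketing site should report no unexpected cookies and no third-party hosts. The host classification is deliberately conservative: a third-party host may well be a processor under its own DPA rather than a tracker, which is why the script reports `needs_review` rather than deciding the legal basis for you.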
For hosting and CDN delivery, the legal basis is legitimate interest under Article 6(1)(f) GDPR. For Netlify Identity, the legal basis is the performance of a contract with the authenticated user under Article 6(1)(b) GDPR. Netlify Analytics, being server side and cookieless, also relies on legitimate interest.
Netlify signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3, encryption at rest, SOC 2 Type II, ISO 27001 and HIPAA controls for enterprise customers, plus the option to pin Netlify Functions to EU regions.
A DPIA is not required for a standard marketing website. A DPIA is recommended when Netlify hosts an application that performs systematic profiling, when Netlify Identity manages large volumes of authenticated users, when Netlify Forms collects sensitive data or when the site serves regulated sectors.
Sign the Netlify Data Processing Addendum, pin functions to EU regions where possible, limit access and function log retention, document Netlify as a processor in your record of processing activities, mention Netlify Inc. and the United States destination in the privacy notice, and gate any non essential script behind a consent management platform.
European or self hostable alternatives include Cloudflare Pages with EU data residency, Coolify (self hosted, open source), Dokku (self hosted), Scaleway Serverless (France), Clever Cloud (France), OVHcloud Web PaaS (France) and Render with EU regions. Self hosting a static site on a regional Kubernetes cluster is also an option.
List Netlify Inc. as the processor in charge of hosting, state that the public website does not set Netlify cookies, describe Netlify Analytics if enabled (server side, cookieless), explain that data including IP addresses may be transferred to the United States under SCCs and the EU US Data Privacy Framework, and link to the Netlify Privacy Policy.