Trumba is a US event calendar and registration service operated by Trumba Corporation in Seattle. The embedded calendar widget displays event listings and accepts registrations directly inside the host site through an iframe loaded from trumba.com. It is widely used by universities, museums, local governments and faith communities. Trumba sets first-party session cookies, processes registration details (name, email, sometimes payment) in the United States, and requires GDPR consent and an EU-US transfer mechanism for European visitors.
Trumba is a hosted event calendar and event registration platform operated by Trumba Corporation, a Seattle-based US company majority-owned by Spectrum Equity. It is used by universities, museums, local governments, faith communities, libraries and event organisers to publish event listings, accept registrations, manage waitlists, send confirmation emails and collect payments. Trumba is embedded into the host website as an iframe (Spud, Promotion Spud or Combo Spud) loaded from calendar.trumba.com or www.trumba.com, with a small JavaScript wrapper for resize and event subscription.
The Trumba iframe sets first-party cookies on the trumba.com domain to maintain the registration session: ASP.NET_SessionId for the server-side session, TrumbaCalendarUser to remember the visitor across pages of the calendar, and a CSRF token for protected forms. When the visitor submits a registration, Trumba processes the data entered in the form (typically name, email address, postal address, phone number, organisation, optional special needs and payment data when the event is paid). Trumba also logs the visitor's IP address and user agent in its server logs.
The Trumba iframe is a third-party embed loaded from a domain controlled by Trumba Corporation. Its initial network request transmits the referrer URL, the user agent and the IP address to a US recipient and sets cookies on the visitor's terminal. Both elements trigger Article 5(3) of the ePrivacy Directive: the iframe must not load before the visitor has accepted the corresponding consent category. When the calendar is used for actual registrations, the controller relationship is shared: the website operator is the controller of the registration data, Trumba acts as a processor for the technical operation of the registration platform, and a Data Processing Addendum under Article 28 GDPR is required.
Block the Trumba iframe until the visitor accepts the third-party embed category in the CMP. A placeholder explaining that the Trumba calendar is hosted in the United States and listing the data shared (referrer, IP, cookies) is best practice and required by the CNIL for embedded content. Inside Trumba, configure the registration form to collect only the data strictly necessary for the event (data minimisation, Article 5(1)(c) GDPR), and disable optional marketing checkboxes by default to comply with the prohibition of pre-ticked boxes.
Trumba processes all data in the United States. Trumba Corporation has been certified under the EU-US Data Privacy Framework since September 2023, which is the primary transfer mechanism. Customers should also sign the Trumba DPA, which includes the EU Standard Contractual Clauses 2021/914 as a fallback, and document a Transfer Impact Assessment. Given that the data typically includes name, email, postal address and sometimes payment, the TIA should evaluate the risk of US surveillance access for a personal data set that allows direct identification.
Concrete steps:
1) gate the Trumba iframe behind your CMP and only load it on third-party embed consent;
2) replace the iframe with a placeholder before consent that names Trumba and the transfer to the United States;
3) configure the registration form to capture only strictly necessary data;
4) disable any pre-ticked optional marketing checkbox;
5) sign the Trumba DPA with SCCs and verify DPF certification;
6) document the TIA;
7) list Trumba in your Article 30 record;
8) update the privacy notice with the controller, the processor (Trumba Corporation), the purposes, the retention, the recipients and the rights of registrants.
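Steps 1 and 2 as client-side code, added here as an illustration and not taken from Trumba or any CMP vendor. The CMP interface (`getConsent`, `onChange`, `grant`), the category name `thirdPartyEmbeds`, the `data-accept-embed` attribute and the embed URL are assumptions; the host allow-list uses the Trumba domains listed on this page.

```javascript
// Added example. The CMP interface (getConsent, onChange, grant) and the
// category name "thirdPartyEmbeds" are hypothetical; adapt them to your CMP.
const TRUMBA_HOSTS = new Set([
  "trumba.com", "www.trumba.com", "calendar.trumba.com", "spuds.trumba.com",
]);
// Constructed placeholder URL, not a real calendar.
const EMBED_URL = "https://www.trumba.com/calendars/example-calendar";

// Accept only https URLs whose host is exactly one of the Trumba domains.
function isTrumbaUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && TRUMBA_HOSTS.has(u.hostname);
  } catch {
    return false;
  }
}

const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Markup for the container: iframe only after consent, placeholder otherwise.
// The pre-consent markup contains no Trumba URL, so no request is sent.
function renderEmbed(consent, url) {
  if (!isTrumbaUrl(url)) throw new Error("embed URL is not an allowed Trumba URL");
  if (consent && consent.thirdPartyEmbeds === true) {
    // strict-origin sends only the site origin as referrer, not the full page URL.
    return `<iframe src="${escapeAttr(url)}" title="Event calendar (Trumba)"` +
      ` referrerpolicy="strict-origin" loading="lazy"></iframe>`;
  }
  return `<div class="embed-placeholder"><p>This event calendar is provided by ` +
    `Trumba Corporation and hosted in the United States. Loading it shares ` +
    `your IP address and the referring page with Trumba and sets cookies.</p>` +
    `<button type="button" data-accept-embed>Load the calendar</button></div>`;
}

// Draw once, then redraw on every consent change (grant or withdrawal).
function mountTrumba(container, cmp, url = EMBED_URL) {
  const draw = () => {
    container.innerHTML = renderEmbed(cmp.getConsent(), url);
    const btn = container.querySelector("[data-accept-embed]");
    if (btn) btn.addEventListener("click", () => cmp.grant("thirdPartyEmbeds"));
  };
  draw();
  cmp.onChange(draw);
}
```

Withdrawing consent redraws the placeholder and removes the iframe from the page. Cookies already set on trumba.com belong to another origin and cannot be cleared by the host page.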
Websites using Trumba must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Trumba is used for registrations that handle large numbers of participants, special categories of data (e.g. health events) or payment information. Document: the categories of data captured by the registration form (name, email, postal address, payment), the recipients (Trumba Corporation, Spectrum Equity sub-processors, payment processor), the retention of registration records, the international transfer to the United States, the lawful transfer mechanism (DPF or SCCs) and the contractual safeguards (DPA). For display-only calendar embeds, a DPIA is generally not required but consent for the iframe still is.
Sample consent text
We embed event calendars and registration forms from Trumba, operated by Trumba Corporation (Seattle, USA). Trumba loads in an iframe from trumba.com, sets first-party session cookies and processes any registration data you submit in the United States under the EU-US Data Privacy Framework. The Trumba calendar will only load if you accept the corresponding cookie category.
Third-party domains contacted
trumba.com, www.trumba.com, calendar.trumba.com, spuds.trumba.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| ASP.NET_SessionId | HTTP cookie (first-party on trumba.com) | Session | Stores the ASP.NET server session identifier used by the Trumba application to maintain the visitor state across page navigations in the calendar iframe. |
| TrumbaCalendarUser | HTTP cookie (first-party on trumba.com) | 1 year | Remembers the calendar visitor across pages and sessions to enable features like My Calendar, registration history and personalised event reminders. |
| __RequestVerificationToken | HTTP cookie (first-party on trumba.com) | Session | Anti-CSRF token issued by Trumba to protect registration and form submissions against cross-site request forgery attacks. |
| TrumbaCookieConsent | HTTP cookie (first-party on trumba.com) | 1 year | Records whether the visitor has acknowledged the Trumba native cookie notice inside the calendar iframe. |
The Trumba iframe sets first-party cookies on the trumba.com domain: ASP.NET_SessionId for the server-side session, TrumbaCalendarUser to remember the visitor across calendar pages, and a CSRF token to protect registration forms. These cookies are session-scoped or short-lived and bound to the Trumba domain, but they qualify as third-party tracking technology from the perspective of the embedding site because they are read by Trumba Corporation.
Yes. The Trumba iframe is a third-party embed loaded from a US-controlled domain. Its initial network request transmits the referrer, the IP and the user agent to Trumba and sets cookies on the visitor's terminal, both of which trigger Article 5(3) of the ePrivacy Directive. Prior, explicit consent under Article 6(1)(a) GDPR is required before the iframe loads, even when it is used in display-only mode without registrations.
The display of the calendar requires consent (Article 6(1)(a) GDPR) as a third-party embed. The processing of the registration data itself is based on contractual necessity (Article 6(1)(b)) for what is strictly required to deliver the event, plus consent (Article 6(1)(a)) for any optional marketing or follow-up communications. An Article 28 GDPR Data Processing Addendum with Trumba Corporation as the processor is mandatory for the registration data.
Yes. All Trumba data is processed in the United States. Trumba Corporation has been certified under the EU-US Data Privacy Framework since September 2023, which is the primary transfer mechanism. The Trumba DPA additionally includes the EU Standard Contractual Clauses 2021/914 as a fallback. Customers must document a Transfer Impact Assessment given that registration data typically allows direct identification.
A DPIA is recommended when Trumba is used for registrations involving a large number of participants, special categories of data (e.g. health, religious or political event registrations) or payment data. For a display-only calendar with no registration, a DPIA is generally not required but the consent for the iframe still is. Document the purposes, recipients, retention and transfer mechanism in the Article 30 record.
Gate the Trumba iframe behind your CMP and only load it on third-party embed consent. Replace the iframe with a placeholder before consent that names Trumba and the US transfer. Configure the registration form to collect only strictly necessary data, disable pre-ticked optional checkboxes, sign the Trumba DPA, document the TIA, list Trumba in your Article 30 record and update the privacy notice with controller, processor, purposes, retention, recipients and rights.
For event calendar publishing: Localist (US, but with EU residency options), Modern Tribe Events Calendar Pro (open source, self-hostable in any EU region), Tockify (Canada, with EU adequacy), Plain Events (Germany) and Eventcube (United Kingdom). For event registration with payment: Eventbrite (US, similar US transfer issues), Weezevent (France), Yurplan (France), AmiAmi (France) and Heroes Run by Sportlink (Netherlands).
Add an entry naming Trumba Corporation (Seattle, USA) as the processor, the purpose (event calendar embedding and event registration), the legal basis (consent for the iframe, contract for the registration), the categories of data (referrer, IP, session cookies, name, email, postal address, payment data if applicable), the retention, the international transfer to the US under the DPF or SCCs, the recipients and a direct link to the Trumba privacy policy.