Grafana is the leading open source observability and dashboarding platform, originally created in Stockholm and now developed by Grafana Labs (HQ in New York City). It connects to time series databases (Prometheus, InfluxDB, Loki, Tempo) to display metrics, logs, and traces. Most deployments are internal engineering tools with no end user exposure, but Grafana Faro adds a JavaScript SDK that brings Real User Monitoring to public websites and requires its own GDPR analysis.
Grafana is the most widely used open source observability and dashboarding platform. Created by Torkel Odegaard in Stockholm in 2014, it is now developed by Grafana Labs (HQ in New York). It connects to dozens of data sources (Prometheus, InfluxDB, Elasticsearch, Loki, Tempo, ClickHouse, Postgres) to display metrics, logs, traces and alerts in unified dashboards.
Grafana is most commonly an internal tool for engineering and operations teams. The end-user-facing component is Grafana Faro, a JavaScript SDK and backend that bring Real User Monitoring and frontend error tracking to public websites and applications.
Self-hosted Grafana runs on customer infrastructure (Kubernetes, VMs, on premises). No data leaves the customer environment for the Grafana application itself; GDPR concerns reduce to the underlying data sources and any reverse proxy in front.
Grafana Cloud is the SaaS offering operated by Grafana Labs. EU customers can choose Frankfurt or Sweden as primary region. Data residency in the EU is contractually committed for those regions, but Grafana Labs corporate functions (support, billing, security operations) may still be performed from the US.
When deployed on a public website, Grafana Faro captures visitor IP, User Agent, page URL, JavaScript errors, performance metrics, and (optionally) user interactions and session replays. This brings it into the same regulatory scope as Sentry, Datadog RUM or Raygun: legitimate interest can be defensible for basic error monitoring, but consent is the safer basis for RUM with user identifiers.
Configure Faro to anonymise IP, mask sensitive fields and limit retention. Avoid sending special category data through Faro custom attributes.
Grafana Labs Inc. is a US controller. For Grafana Cloud, a signed DPA is required, with SCCs covering any access from the US for support purposes. The Frankfurt or Sweden region keeps the bulk of customer data in the EU, but the publisher should perform a TIA (transfer impact assessment) documenting access patterns by Grafana Labs staff.
For self-hosted Grafana, transfers depend on the underlying infrastructure choice. No additional transfer takes place via the Grafana application itself.
Custom Grafana dashboards may aggregate personal data from various sources (logs containing user IDs, metrics labelled with email addresses, etc.). In healthcare, HR or financial contexts, dashboards can inadvertently expose special category data. Use Grafana Enterprise role-based access control and audit logs to restrict who can see which dashboards.
Avoid embedding identifying values in metric label names (use IDs that are hashed or pseudonymised).
For Grafana Cloud: sign the Grafana Labs DPA, choose Frankfurt or Sweden, list Grafana Labs in your RoPA. For Grafana Faro on public sites: defer the SDK until consent (if RUM with identifiers is enabled), anonymise IP, scrub PII from error reports. For self-hosted: secure the dashboards with RBAC and audit logs, and protect the underlying data sources separately.
Document the dashboards that may contain personal data and their access rules in your security policy. Review at least annually as data sources evolve.
Websites that deploy Grafana Faro on public pages with user identifiers or RUM must obtain user consent under GDPR; internal Grafana dashboards used by employees do not require it.
DPIA considerations
Grafana itself is generally a low risk observability tool. Key DPIA considerations: (1) self-hosted Grafana runs entirely on customer infrastructure with no external processing, so GDPR concerns are limited to whatever data the underlying time series databases contain; (2) Grafana Cloud (SaaS) processes dashboard configuration, logs, metrics, and trace data on Grafana Labs infrastructure; EU customers should select Frankfurt or Sweden to limit transfers; (3) Grafana Faro is the frontend observability SDK; when deployed on public pages it captures visitor IP, User Agent, page interactions, and JavaScript errors, requiring its own DPIA and lawful basis analysis (legitimate interest or consent depending on configuration); (4) custom dashboards may aggregate personal data from various sources, including special category data in healthcare or HR contexts; (5) Grafana Labs employee access to Grafana Cloud data is governed by the DPA and SCCs.
Sample consent text
We use Grafana Faro to monitor the frontend performance and errors on this website. With your consent, Grafana Faro captures technical telemetry (anonymised IP, browser, page interactions, JavaScript errors) and sends it to our observability backend hosted in the European Union. We do not use this data for advertising or behavioural profiling. You can opt out at any time in our preferences page.
Third-party domains contacted
grafana.com
grafana.net
grafana-cloud.com
hgrun.com
faro-collector-prod-eu-west-2.grafana.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| grafana_session | Functional | Session | Authenticated session cookie for the Grafana dashboard. Set on the Grafana hostname for logged in users (typically internal engineering staff). |
| grafana_remember_me | Functional | 30 days | Persistent login token for the Grafana dashboard when the user selects the Remember me option. |
| grafana_csrf | Functional | Session | CSRF protection token for the Grafana dashboard. |
| faro_session_id | Functional | Session | When Grafana Faro is deployed on public pages, a session identifier may be stored in localStorage (not strictly a cookie) to correlate frontend telemetry events. |
Grafana itself uses functional cookies on the Grafana dashboard (grafana_session for the admin / engineering user session, grafana_remember_me for persistent login, csrf token cookies). These are server-side cookies set on the Grafana hostname for authenticated users. Public end users do not interact with Grafana unless Grafana Faro is deployed on the website. Faro itself is largely cookieless and uses the fetch API.
Not for internal Grafana dashboards used by employees: those are necessary for the operation of an internal tool. For Grafana Faro on public websites, the cookies and tracking are non-essential and fall under Art. 5(3) ePrivacy when they include user identifiers or RUM. Defer the Faro SDK until consent in that case.
For internal employee dashboards: legitimate interest (Art. 6(1)(f) GDPR) for operational monitoring, with appropriate employment law and works council compliance for sensitive metrics. For Grafana Faro on public sites: legitimate interest for basic error monitoring or consent (Art. 6(1)(a) GDPR) for RUM with identifiers.
For self-hosted Grafana: no, unless your underlying infrastructure does. For Grafana Cloud: it depends on the region chosen. Frankfurt or Sweden keep customer data in the EU. The US region transfers data under SCCs and the EU-US Data Privacy Framework. Grafana Labs corporate staff may access data from the US for support.
For internal Grafana with anonymised or pseudonymised metrics: usually no. For Grafana Cloud with personal data flows: a risk assessment is recommended, full DPIA if employees are profiled or if personal customer data flows through the dashboards. For Grafana Faro on public traffic: DPIA following the same logic as Sentry or other RUM tools.
For Grafana Cloud: sign the Grafana Labs DPA, select Frankfurt or Sweden, list Grafana Labs as a processor in your RoPA, enable RBAC, audit logs and SSO. For Grafana Faro: defer the SDK until consent, anonymise IP, scrub PII from error reports, document the lawful basis. For self-hosted: secure the dashboards and the underlying data sources separately.
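The Faro recommendations above (defer the SDK until consent, scrub PII from error reports) as an added example; this is not code from Grafana Labs or FlowConsent. It assumes Faro's `initializeFaro` config accepts a `beforeSend` hook that receives each telemetry item (verify against your SDK version); the collector path, app name and `<APP_KEY>` are placeholders, and the sample error is constructed.

```javascript
// Added example: consent-gated Faro loader plus a PII scrubber for outgoing telemetry.
// Assumption: initializeFaro({ ..., beforeSend }) exists in the installed Faro Web SDK.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Custom-attribute keys that must never reach the collector (hypothetical list; extend per app).
const SENSITIVE_KEYS = new Set(["email", "userId", "user_id", "ssn", "token", "authorization"]);

// Redact e-mail addresses and IPv4 literals inside free text (error messages, URLs).
function scrubText(text) {
  return String(text).replace(EMAIL_RE, "[email]").replace(IPV4_RE, "[ip]");
}

// Walk a telemetry item: redact sensitive keys, scrub strings, recurse into objects/arrays.
function scrubItem(item) {
  if (Array.isArray(item)) return item.map(scrubItem);
  if (item && typeof item === "object") {
    const out = {};
    for (const [key, value] of Object.entries(item)) {
      out[key] = SENSITIVE_KEYS.has(key) ? "[redacted]" : scrubItem(value);
    }
    return out;
  }
  return typeof item === "string" ? scrubText(item) : item;
}

// Consent gate: the SDK is neither loaded nor initialised until grant() is called.
// `init` is injected so the gate runs without the SDK; in production pass
// (cfg) => import("@grafana/faro-web-sdk").then((m) => m.initializeFaro(cfg)).
function createFaroGate(init) {
  let started = false;
  return {
    grant() {
      if (started) return false; // idempotent: a repeated banner click does nothing
      started = true;
      init({
        url: "https://faro-collector-prod-eu-west-2.grafana.net/collect/<APP_KEY>", // placeholder
        app: { name: "public-site", version: "1.0.0" }, // placeholders
        beforeSend: (item) => scrubItem(item), // every item is scrubbed before leaving the browser
      });
      return true;
    },
    started: () => started,
  };
}

// Constructed sample error report, shown scrubbed when run stand-alone.
const sampleError = { message: "Login failed for alice@example.com from 203.0.113.9", meta: { userId: "u-42", page: "/account" } };
console.log(JSON.stringify(scrubItem(sampleError)));
```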
Open source dashboards: Kibana (Elastic), Apache Superset, Metabase, Redash. Commercial observability: Datadog, New Relic, Dynatrace, Splunk, Honeycomb, Lightstep, Coralogix. The Grafana differentiator is the open source nature, the integration with Prometheus, and the self-hosted option that avoids transfer issues entirely.
For internal Grafana dashboards used by employees, document the tool in your internal employee privacy notice and works council agreement. For Grafana Cloud, include Grafana Labs Inc. as processor in your customer facing privacy policy. For Grafana Faro on public sites, list the relevant cookies / localStorage entries and the lawful basis.