Redis is an open-source, in-memory data store used on the server side as a cache, message broker and session store.
Redis (Remote Dictionary Server) is an open-source, in-memory data store used as a cache, key-value database, session store, message broker and rate limiter. It is widely deployed behind web applications to reduce database load and accelerate responses. Common managed offerings include Redis Cloud, Amazon ElastiCache for Redis, Google Cloud Memorystore and Azure Cache for Redis.
Like any cache, Redis stores whatever your application puts into it. In typical use this includes session payloads, JWT or OAuth tokens, password reset codes, cached user profiles, shopping carts, rate-limit counters keyed by IP address and queued background jobs. Even with short TTLs, this can constitute personal data while it sits in memory.
The GDPR applies as soon as Redis holds personal data, even briefly. You must have a legal basis, secure access, restrict who can connect, and ensure that backups and replication respect the same protections. The ePrivacy Directive applies to the cookies and similar technologies set in the browser, not to Redis directly; however, when Redis stores a session identifier that ties back to a strictly necessary cookie, the cookie still benefits from the exemption from consent.
No browser consent is required to operate a Redis cache because the storage happens on the server. The legal basis is usually contract performance (Art. 6(1)(b) GDPR) when Redis backs session and login flows, or legitimate interest (Art. 6(1)(f) GDPR) for caching, rate limiting and fraud prevention. Personal data must still be minimised and protected.
Redis Cloud, Amazon ElastiCache for Redis, Google Cloud Memorystore and Azure Cache for Redis are operated by US-headquartered providers. Even with EU regions, US CLOUD Act risk exists, and you need to anchor transfers under the EU-US Data Privacy Framework or Standard Contractual Clauses backed by a transfer impact assessment. European alternatives include Scaleway Managed Redis, OVHcloud and self-hosted Redis on EU sovereign infrastructure.
Enable TLS for client and replication traffic, require authentication, isolate Redis in a private network, set conservative TTLs, avoid RDB/AOF persistence for sensitive data unless you need it, encrypt persistence files at rest if you keep them, restrict the FLUSHALL and KEYS commands, monitor for unauthorised access, and document Redis in your records of processing activities.
DPIA considerations
A DPIA is recommended when Redis caches large volumes of personal data, holds authentication tokens for sensitive systems, or feeds profiling pipelines. Memory-only caches with short TTLs and no persistence reduce the risk profile significantly.
Sample consent text
No browser consent is required because Redis runs server side. Disclose in your privacy policy that you use a cache layer for performance, list which categories of personal data may transit through it, and state the retention period.
No. Redis is a server-side in-memory store and never writes browser cookies. The application that uses Redis may set session cookies, but those are technical cookies governed separately.
Browser consent is not required. As long as Redis only holds operational data needed to deliver the service, a GDPR legal basis such as contract performance or legitimate interest is enough.
Contract performance (Art. 6(1)(b) GDPR) when Redis backs login sessions or shopping carts; legitimate interest (Art. 6(1)(f) GDPR) for performance caching, rate limiting and abuse detection.
Self-hosted Redis in the EU does not transfer data. With Redis Cloud, Amazon ElastiCache, Google Memorystore or Azure Cache for Redis, transfers may occur even with an EU region; cover them with the EU-US Data Privacy Framework or Standard Contractual Clauses.
A DPIA is typically not needed for a generic cache, but it is recommended when Redis holds authentication tokens for sensitive systems, large volumes of personal data, or data feeding profiling pipelines.
Bind Redis to a private network, require authentication, enable TLS, set conservative TTLs, restrict dangerous commands, encrypt persistence files, take encrypted backups in the same region, and document the role of Redis in your records of processing activities.
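Added example (not code from the page or from the Redis project): a small lint that checks a redis.conf for the points in the two hardening lists on this page (TLS for client and replication traffic, authentication, a private-network bind, no RDB/AOF persistence, FLUSHALL and KEYS restricted), run over a constructed weak configuration and a constructed hardened one. The directive names are real redis.conf directives; the addresses, certificate paths and the password placeholder are assumptions.

```python
"""Lint a redis.conf against this page's hardening points (added example; directives are real, the sample configs constructed)."""

def parse_conf(text):
    """(directive, args) per line; redis.conf comments are whole lines starting with '#'."""
    words = (l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [(w[0].lower(), w[1:]) for w in words]

def audit(text):
    """One finding per hardening point the config misses; [] means it passes."""
    conf = parse_conf(text)
    get = lambda d: [a for n, a in conf if n == d]
    users = [" ".join(a).lower() for a in get("user")]
    findings = []
    # Network: no bind line means every interface; 0.0.0.0 / * / :: say so explicitly.
    if not get("bind") or any(a in ("0.0.0.0", "*", "::") for args in get("bind") for a in args):
        findings.append("bind: listening on all interfaces; bind to the private address")
    # Authentication: requirepass, an ACL file, or a user line carrying a password (>clear or #hash).
    if not (get("requirepass") or get("aclfile") or any(" >" in u or " #" in u for u in users)):
        findings.append("no authentication configured (requirepass or ACL user)")
    # TLS: tls-port plus port 0 closes the plaintext listener; replication has its own switch.
    if not get("tls-port") or ["0"] not in get("port") or ["yes"] not in get("tls-replication"):
        findings.append("plaintext traffic possible: set tls-port, port 0 and tls-replication yes")
    # Persistence: RDB snapshots and the AOF write cached personal data to disk.
    if ['""'] not in get("save") or ["yes"] in get("appendonly"):
        findings.append("persistence enabled (RDB/AOF): disable it or encrypt the files at rest")
    # Dangerous commands: renamed away with rename-command, or removed from the ACL user.
    renamed = {a[0].lower() for a in get("rename-command") if len(a) == 2 and a[1] == '""'}
    for cmd in ("flushall", "keys"):
        if cmd not in renamed and not any(f"-{cmd}" in u or "-@dangerous" in u for u in users):
            findings.append(f"{cmd.upper()} still reachable: rename-command or ACL -{cmd}")
    return findings

WEAK_CONF = """# constructed: defaults left in place on a network-reachable instance
bind 0.0.0.0
save 3600 1 300 100 60 10000
appendonly yes
"""
HARDENED_CONF = """# constructed: the page's hardening points applied (paths and secret are placeholders)
bind 10.0.1.20 127.0.0.1
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-replication yes
user default on >REPLACE_WITH_A_LONG_SECRET ~* &* +@all -flushall -keys
save ""
appendonly no
"""
```

Running `audit(WEAK_CONF)` lists every missed point, while the hardened sample returns an empty list; TTLs are set per key by the application, so the lint cannot check them.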
Valkey is an open-source fork of Redis governed by the Linux Foundation. KeyDB, Dragonfly and Memcached are other in-memory stores. For European managed hosting, Scaleway, OVHcloud and Clever Cloud all expose compatible options.
You usually do not list Redis in the cookie policy because it sets no browser cookies. Mention in the privacy policy that you operate a server-side cache, and describe the categories of personal data it may hold and the retention period.