GrowthBook is an open source feature flagging and A/B testing platform that runs experiments without requiring third-party cookies. Available as a self-hosted solution or as a managed cloud service with EU data residency on paid plans, it integrates with existing analytics warehouses (BigQuery, Snowflake, Redshift) so personal data never has to leave your infrastructure.
GrowthBook is an open source feature flagging and A/B testing platform created in 2020 to give product and growth teams a privacy-friendly alternative to legacy experimentation tools. It is distributed under an MIT license for the SDKs and a commercial source-available licence for the core, and can be installed on premise, on Kubernetes, or used through a managed cloud service. Where most experimentation suites store all event data on the vendor side, GrowthBook keeps the analysis on the customer's own data warehouse: BigQuery, Snowflake, Redshift, ClickHouse, Postgres, MySQL, Databricks, and others. The product is used to ship features behind flags, run controlled experiments, gradually roll out releases, and run multivariate tests without leaking visitor data to a third party.
By default, the GrowthBook JavaScript and front-end SDKs do not write any cookie. Visitor assignment to a test variant is computed deterministically from a hashed attribute that the integrator supplies (user ID, account ID, anonymous device ID, or any custom identifier). When the optional Sticky Bucketing feature is enabled, GrowthBook can persist the variant assignment in localStorage or in a first-party cookie named gbuuid so a returning visitor keeps the same variant across sessions. Experiment exposure events are typically forwarded to the operator's analytics warehouse, not to GrowthBook's servers, which means the personal data footprint depends on what identifiers the integrator chooses to send.
Under the ePrivacy Directive, any storage of or access to information on the visitor's terminal that is not strictly necessary requires prior consent. A/B testing for marketing optimisation is not strictly necessary, so the gbuuid cookie or any localStorage entry written by GrowthBook for sticky bucketing falls under the consent requirement. Pure server-side feature flags that never touch the browser storage and do not profile users can sometimes rely on legitimate interest, provided that a Legitimate Interest Assessment is documented. The CNIL, the BfDI in Germany, and the AEPD in Spain have all clarified that A/B testing tools writing identifiers must obtain consent.
For client-side experiments, the GrowthBook SDK must be loaded only after the visitor has accepted the relevant consent category, typically Statistics or Marketing. Most consent management platforms can gate the SDK script via a data-category attribute or by deferring initialisation until a consent event is fired. For server-side flags that do not personalise content based on personal data, the SDK can run unconditionally as long as no identifying attribute is forwarded to the warehouse before consent is given. Recording the consent decision alongside experiment exposure is a good practice that helps demonstrate accountability.
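The gating described above, as an added example (not GrowthBook's or any consent platform's own code): the SDK starts only once the consent event accepts the category, visitors without consent get the fallback with no exposure event, and each exposure carries the consent decision. `startSdk`, `sendExposure`, `clearStorage` and the stub's `assign` method are hypothetical integrator-supplied names.

```javascript
// Added example: consent gate for a client-side experimentation SDK.
// startSdk, sendExposure and clearStorage are hypothetical integrator-supplied
// callbacks, not GrowthBook APIs; the category name is whatever the CMP uses.
function createConsentGate({ category, startSdk, sendExposure, clearStorage }) {
  let decision = null; // null until the CMP reports a choice
  let sdk = null;      // stays null until the category is accepted

  return {
    // Wire this to the CMP's consent event (accept, refuse and withdraw).
    onConsent(acceptedCategories, timestamp) {
      const granted = acceptedCategories.includes(category);
      decision = { category, granted, timestamp };
      if (granted && !sdk) {
        sdk = startSdk();        // first load of the SDK happens here
      } else if (!granted) {
        sdk = null;              // refusal or withdrawal: stop evaluating
        clearStorage();          // e.g. remove gbuuid / the localStorage entry
      }
      return granted;
    },

    // Call wherever the page would evaluate an experiment.
    variant(experimentKey, fallback) {
      if (!sdk) return fallback; // no consent: control experience, no event
      const value = sdk.assign(experimentKey);
      // Record the consent decision alongside the exposure.
      sendExposure({ experimentKey, value, consent: { ...decision } });
      return value;
    },
  };
}

// Constructed demo: a stub SDK that always assigns "B".
function demo() {
  const log = { started: 0, cleared: 0, exposures: [] };
  const gate = createConsentGate({
    category: "statistics",
    startSdk: () => { log.started += 1; return { assign: () => "B" }; },
    sendExposure: (e) => log.exposures.push(e),
    clearStorage: () => { log.cleared += 1; },
  });
  const before = gate.variant("checkout-cta", "A");   // no decision yet
  gate.onConsent(["statistics"], "2024-01-01T00:00:00Z");
  const after = gate.variant("checkout-cta", "A");
  gate.onConsent([], "2024-01-02T00:00:00Z");         // withdrawal
  const withdrawn = gate.variant("checkout-cta", "A");
  return { before, after, withdrawn, log };
}
```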
GrowthBook Cloud runs on AWS. The default region is in the United States, which means SDK telemetry, dashboard usage data, and any personal data sent to GrowthBook traverse the US. Pro and Enterprise plans offer EU data residency on AWS Frankfurt, which keeps the metadata inside the EEA. GrowthBook is certified under the EU-US Data Privacy Framework and signs Standard Contractual Clauses (modules 2 and 3) for transfers that fall outside the framework. Self-Hosted deployments avoid the question entirely: the operator picks the cloud provider and region. A Transfer Impact Assessment is recommended when relying on the DPF.
Add GrowthBook to the record of processing activities and to the cookie policy under the Statistics or Marketing category. Sign a Data Processing Agreement with GrowthBook Inc. for the Cloud version. Configure SDK initialisation to wait for the consent event, prefer the EU region for production, and avoid sending raw email addresses or other direct identifiers as targeting attributes (use hashed values instead). Set a reasonable retention period for assignment events in the warehouse, document the legal basis per experiment, and review the configuration whenever a new SDK version is deployed.
Websites using GrowthBook must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when GrowthBook is used to run behavioural experiments on identified users, when experiments target special categories of data (health, religion, political opinions), or when results are combined with profiling data from other tools. For self-hosted deployments running pure feature flags without user-level tracking, a DPIA is generally not required. Document the experiments register, retention periods for assignment events, and the data warehouse access controls. The cookieless architecture and optional EU data residency materially reduce the risk profile compared with classic A/B testing tools.
Sample consent text
We use GrowthBook to run product experiments and feature tests on our website. GrowthBook can assign you to a test variant using a hashed identifier so we can measure which version performs best. Experiment data is stored in our own analytics warehouse [in the EU]. Do you accept the use of GrowthBook for A/B testing and personalisation purposes?
Third-party domains contacted
- growthbook.io
- cdn.growthbook.io
- app.growthbook.io
- api.growthbook.io

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gbuuid | first-party | 1 year | Optional cookie written when the Sticky Bucketing feature is enabled. Stores a pseudonymous visitor identifier so the same visitor is consistently assigned to the same experiment variant across page views and sessions. |
By default, the GrowthBook SDKs do not write any cookies. When the optional Sticky Bucketing feature is enabled, GrowthBook persists the visitor's variant assignment in localStorage or in a first-party cookie named gbuuid (typically with a 1-year duration). Apart from that one optional cookie, GrowthBook performs no client-side storage on its own.
Yes for client-side experiments. Any A/B test that writes a cookie or localStorage entry, or that personalises content based on a profile, requires prior consent under the ePrivacy Directive. Pure server-side feature flags that do not profile users may rely on legitimate interest with a documented LIA. The CNIL and most EU DPAs treat A/B testing as a non-exempt use case.
Consent (GDPR Article 6(1)(a)) is the standard legal basis for behavioural experimentation and personalisation. Legitimate interest (Article 6(1)(f)) can support purely operational feature flags such as gradual rollouts and kill switches, with a Legitimate Interest Assessment. Strictly necessary processing applies only when flags are used to deliver a service explicitly requested by the user without tracking.
It depends on the deployment. GrowthBook Cloud is hosted on AWS in the US by default, so SDK telemetry transits through the United States. EU data residency on AWS Frankfurt is available on Pro and Enterprise plans. Self-Hosted deployments stay in the region the operator chooses. GrowthBook Inc. is certified under the EU-US Data Privacy Framework and signs Standard Contractual Clauses.
Not for typical implementations. A DPIA becomes recommended when GrowthBook runs experiments on identified users, when special categories of data (health, religion, political views) are involved, or when results are combined with profiling data from other tools. Self-hosted feature flagging without user-level tracking has a low residual risk and does not normally require a DPIA.
Load the SDK only after consent for client-side experiments, choose the EU data residency region for production, send hashed identifiers rather than raw emails, and store experiment exposure events in a warehouse you control. Sign a DPA with GrowthBook Inc. for Cloud, and document each experiment in your record of processing activities with its legal basis and retention period.
Yes. PostHog (open source product analytics with feature flags), Flagsmith (open source flags with EU hosting), Unleash (open source self-hostable platform), Statsig and LaunchDarkly are common alternatives. For pure A/B testing, Kameleoon and AB Tasty are EU-headquartered options. The right choice depends on whether you need analytics integration, EU hosting, or a fully self-hosted stack.
Add an entry under the Statistics or Marketing category listing GrowthBook as the controller, the purpose (A/B testing and feature experimentation), the data collected (hashed visitor identifier, experiment exposure events), the retention period, and a link to GrowthBook's privacy policy. Mention the gbuuid cookie when Sticky Bucketing is enabled, and disclose the EU or US data location of the deployment.