Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
KIProtect is a German privacy engineering company that publishes the open source Klaro consent management platform and the Kodex data anonymisation toolkit. Klaro stores user consent locally in a single first party cookie; Kodex applies pseudonymisation, tokenisation and differential privacy to structured data inside the customer infrastructure.
KIProtect GmbH is a Berlin based privacy engineering company. Its two flagship products are Klaro, an open source consent management platform distributed under a BSD licence, and Kodex, a pseudonymisation and anonymisation toolkit for structured data. Klaro is embedded into the customer website as a small JavaScript bundle; Kodex is integrated as a library or service inside data pipelines.
Klaro stores the consent decision in a single first party cookie or localStorage item called klaro, containing a JSON object that lists the services the user has accepted or declined. No tracking identifier, no fingerprint and no behavioural data are collected by the CMP itself. Kodex never touches the browser; it processes records server side and outputs pseudonymised or anonymised values.
Klaro is the mechanism used to comply with Art. 7 GDPR and Art. 5(3) of the ePrivacy Directive; it does not itself require consent. Kodex helps fulfil the data minimisation principle in Art. 5(1)(c) GDPR and the data protection by design obligation in Art. 25 GDPR. Properly applied, Kodex can move a dataset out of scope of the GDPR by producing fully anonymous output. Pseudonymised output, by contrast, remains personal data under Art. 4(5) GDPR, because whoever holds the key or mapping table can still attribute the records to a person.
The Klaro cookie qualifies as strictly necessary under section 25(2) TTDSG and the corresponding national transpositions of the ePrivacy Directive, so it can be set before consent. Every service that Klaro gates, such as analytics, advertising or social plugins, must remain blocked until the user has accepted that specific service in the consent banner.
By default no personal data leaves the customer infrastructure. Klaro is hosted on the customer domain or on a CDN under the customer's control; Kodex runs on premise or in the cloud region chosen by the customer. If the Klaro bundle is instead loaded from a CDN the customer does not control, the browser's request for the script discloses the visitor's IP address to that CDN operator before any consent is given, so self hosting is the safer default. KIProtect GmbH is established in Germany and any limited support flows stay inside the EEA.
Configure Klaro to block every non essential service before consent, declare each service in the privacy policy, log consent server side if your jurisdiction requires demonstrable proof, and document the Kodex anonymisation parameters in the record of processing activities. Review the configuration every time a new third party tag is added to the site.
Websites using Klaro do not need consent for the klaro cookie itself, but they must obtain user consent under the GDPR and the ePrivacy rules for every non essential service that Klaro gates.
DPIA considerations
A formal DPIA is rarely required for Klaro because it acts as a privacy control rather than a data collection tool; the only personal data processed is the consent decision itself. A DPIA is recommended when Kodex is used on special category data under Art. 9 GDPR, on large scale behavioural datasets, or as part of an automated decision pipeline under Art. 22 GDPR. Document the purposes, the anonymisation parameters, and the residual reidentification risk.
Sample consent text
We use the Klaro consent manager to record your cookie preferences. The klaro cookie is strictly necessary and is set without consent under section 25(2) TTDSG and Art. 6(1)(f) GDPR. You can review or withdraw your choices at any time from the privacy settings link in the footer.
Third-party domains contacted
kiprotect.com
klaro.kiprotect.com
heyklaro.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| klaro | first party | 120 days (configurable) | Stores the user consent decision as a JSON object listing each service that has been accepted or declined. |
| klaro-anonymous | first party | session | Optional anonymous identifier used when the customer enables server side consent logging without cookies. |
KIProtect (Klaro and Kodex) is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Klaro sets a single first party cookie or localStorage item called klaro that stores the consent decision as a JSON object listing each service the user has accepted or declined. No tracking identifier and no behavioural data are collected by the CMP itself.
No. The klaro cookie is strictly necessary because it stores the user choice required to comply with the cookie law, so it is exempt from consent under section 25(2) TTDSG and equivalent provisions of the ePrivacy Directive.
The Klaro cookie relies on Art. 6(1)(f) GDPR (legitimate interest in complying with the cookie law). Kodex anonymisation typically relies on Art. 6(1)(c) GDPR (legal obligation to apply data minimisation) or Art. 6(1)(f) GDPR when used to protect personal data in analytics.
No. Klaro is a static JavaScript bundle hosted on the customer domain and Kodex runs inside the customer infrastructure, so no personal data reaches KIProtect by default. KIProtect GmbH is established in Germany and any limited support data stays inside the EEA.
Generally no for Klaro alone, since it processes only the consent decision. A DPIA is recommended when Kodex is used on special category data, on large scale behavioural datasets, or as part of an automated decision under Art. 22 GDPR. Document purposes, anonymisation parameters and residual reidentification risk.
Declare every third party service in the Klaro configuration, set required to true only for genuinely strictly necessary tags, block all other scripts before consent, log consent server side if proof is required, and refresh the configuration whenever a new tracker is added to the site.
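The configuration guidance above, together with the consent cookie format described in the Cookies placed table, as an added worked example in JavaScript. This is not Klaro's or KIProtect's own code. It assumes the Klaro config keys that Klaro documents (`storageMethod`, `cookieName`, `cookieExpiresAfterDays`, `default`, `services`, `required`) and Klaro's `type="text/plain"` script-gating pattern; the service names (`siteSession`, `analytics`, `ads`), cookie patterns, URLs and the sample Cookie header are invented for the example.

```javascript
// Added example (not Klaro's or KIProtect's own code). Shows a Klaro
// configuration that gates non-essential services, an audit that catches the
// two misconfigurations that void consent (required:true on a tracker and
// default:true on a non-essential service), and a parser for the `klaro`
// cookie that decides which gated scripts a page may activate.
// Service names, cookie patterns and URLs below are illustrative assumptions.

// Klaro reads its settings from a global `klaroConfig`; these are documented keys.
const klaroConfig = {
  storageMethod: 'cookie',        // 'localStorage' is the alternative
  cookieName: 'klaro',            // the single first-party cookie from the table above
  cookieExpiresAfterDays: 120,
  default: false,                 // nothing is opted in until the user decides
  mustConsent: false,
  acceptAll: true,
  hideDeclineAll: false,          // keep "decline all" as easy as "accept all"
  services: [
    // Assumed site session cookie: genuinely strictly necessary, so required:true.
    { name: 'siteSession', purposes: ['functional'], cookies: ['PHPSESSID'], required: true },
    // Trackers stay blocked until the stored decision for their name is `true`.
    { name: 'analytics', purposes: ['analytics'], cookies: [/^_ga/, '_gid'], required: false, default: false },
    { name: 'ads', purposes: ['marketing'], cookies: [/^_fbp/], required: false, default: false },
  ],
};

// Markup Klaro expects for a gated tag: the browser ignores type="text/plain",
// and Klaro rewrites it from data-type once the named service is accepted.
function gatedScriptTag(serviceName, src) {
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<script type="text/plain" data-type="application/javascript" ` +
         `data-name="${esc(serviceName)}" src="${esc(src)}"></script>`;
}

// Audit a config against an allowlist of service names the site has justified
// as strictly necessary (the allowlist is a reviewer's judgement, not something
// the config can prove). Returns a list of findings; an empty list is good.
function auditKlaroConfig(config, strictlyNecessary) {
  const findings = [];
  if (config.default === true) {
    findings.push('default:true opts every service in before the user has chosen');
  }
  for (const s of config.services || []) {
    if (s.required === true && !strictlyNecessary.has(s.name)) {
      findings.push(`${s.name}: required:true but not on the strictly-necessary list`);
    }
    if (s.required !== true && s.default === true) {
      findings.push(`${s.name}: default:true pre-ticks a non-essential service`);
    }
  }
  return findings;
}

// Extract and validate the consent decision from a Cookie header. Klaro stores a
// URL-encoded JSON object mapping service name -> true/false. Anything missing,
// malformed or not a boolean is treated as "no consent" rather than "yes".
function parseKlaroConsent(cookieHeader, cookieName = 'klaro') {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== cookieName) continue;
    let parsed;
    try {
      parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (e) {
      return null;                     // tampered or truncated value
    }
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
    const consent = {};
    for (const [name, value] of Object.entries(parsed)) {
      if (typeof value === 'boolean') consent[name] = value;   // drop "true" strings, 1, etc.
    }
    return consent;
  }
  return null;                         // no klaro cookie: the banner has not been answered
}

// Services a page may activate for this request: required ones always, the rest
// only when the stored decision for that exact service name is boolean `true`.
function allowedServices(config, consent) {
  return (config.services || [])
    .filter((s) => s.required === true || (consent !== null && consent[s.name] === true))
    .map((s) => s.name);
}

// Constructed request: the visitor accepted analytics and declined ads.
const sampleCookieHeader =
  'PHPSESSID=abc123; klaro=' + encodeURIComponent('{"analytics":true,"ads":false}');

console.log('audit findings:', auditKlaroConfig(klaroConfig, new Set(['siteSession'])));
console.log('allowed:', allowedServices(klaroConfig, parseKlaroConsent(sampleCookieHeader)));
console.log(gatedScriptTag('analytics', 'https://example.com/analytics.js'));
```

Run the audit in CI against the deployed `klaroConfig` whenever a tag is added, and keep the strictly-necessary allowlist in the same repository as the privacy policy so that a `required: true` on a new tracker fails the build rather than quietly bypassing the banner. The parser is deliberately strict: a non-boolean or unparseable value yields no consent, so a malformed cookie can never unblock a service.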
Other open source or commercial CMPs include Orejime, Cookiebot, Didomi, OneTrust, Usercentrics, Axeptio and Tarte au Citron. Klaro stands out because it is self hosted, has no telemetry, ships under a permissive licence and is published by a German privacy engineering company.
Yes. List the klaro cookie under strictly necessary cookies, explain that it stores the consent decision, document its duration (default 120 days) and refer to it as the mechanism used to comply with Art. 7 GDPR and the ePrivacy Directive.