Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Jitsi is an open source video conferencing platform that runs in the browser via WebRTC and can be self hosted for full data sovereignty.
Jitsi is an open source video conferencing stack maintained by 8x8 and the community. The most visible component is Jitsi Meet, a fully browser based experience built on WebRTC, complemented by Jitsi Videobridge (media relay), Jicofo (conference focus) and Prosody (XMPP signalling). Anyone can self host the entire stack or use the public meet.jit.si service.
A Jitsi call processes the participants'' audio and video, IP addresses, browser identifiers, display names, chat messages, screen shares and any uploaded files. Local storage is used to remember device preferences, language, last meeting name and to cache the participant ID. When recordings or live streaming are enabled, the resulting media files become long lived personal data.
Embedding a Jitsi iframe or loading the external API script on your site causes the browser to download JavaScript from your Jitsi server (or meet.jit.si) and to write to localStorage. Under Art. 5(3) of the ePrivacy Directive, accessing or storing data on the user device requires prior consent unless it is strictly necessary. Real time communications between users is not strictly necessary for browsing your page, so consent is the correct basis.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For a Jitsi widget embedded on a marketing or blog page, collect explicit consent before the iframe loads. For a paid video conferencing product where Jitsi powers the calls, contract performance (Art. 6(1)(b) GDPR) is usually the right basis. Recording a meeting introduces an additional purpose and a stronger duty to inform every participant, including those who join later.
A self hosted Jitsi cluster placed in EU datacenters (Hetzner, OVHcloud, Scaleway, Infomaniak, NetCup, internal infrastructure) keeps signalling and media inside the EU. The public meet.jit.si service is operated by 8x8 from a US headquartered company; even with EU media servers, transfers may occur and need to be covered by the EU US Data Privacy Framework or Standard Contractual Clauses.
Self host on EU infrastructure when possible. Turn off external services in config.js (callstats, third party analytics, gravatar). Disable third party logging like Sentry and Matomo unless you control them. Use short room names that are not user identifiers. Enforce TLS for every component, store recordings in EU object storage with encryption and short retention, and offer a microphone or camera off by default for joiners.
Websites using Jitsi must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Jitsi handles patient consultations, legal hearings, employee performance reviews or any sensitive conversation; when sessions are recorded; or when transcripts are stored. Self hosting in the EU with disabled telemetry and short retention reduces the risk profile.
Sample consent text
We use Jitsi to power live video meetings. When you join a call your browser exchanges audio, video, IP address and a participant identifier with the Jitsi server. We need your consent before the meeting starts. Decline if you prefer to read the page without launching a call.
Third-party domains contacted
meet.jit.si8x8.vcweb-cdn.jitsi.netJitsi uses cookies for user preferences — inform visitors with a consent banner.
Jitsi Meet uses localStorage and sessionStorage rather than classical cookies for participant identifiers, language and device preferences. A reverse proxy or load balancer in front of Jitsi may add session cookies.
Yes, when you embed Jitsi as a third party widget you need prior consent because the script and the iframe write to localStorage and process audio, video and IP addresses. Inside a paid product where Jitsi is core, contract performance applies.
Consent (Art. 6(1)(a) GDPR) for embedded widgets on a content site. Contract performance (Art. 6(1)(b) GDPR) for video conferencing products. Recordings always require explicit information and often explicit consent.
A self hosted Jitsi cluster in the EU has no US transfer. meet.jit.si is operated by 8x8, a US company; even when media flows through EU bridges, control plane data may reach the US and must be covered by the EU US Data Privacy Framework or Standard Contractual Clauses.
Recommended when Jitsi is used for sensitive contexts (medical, legal, HR, education of minors), when sessions are recorded or live streamed, when transcripts are stored, or when the audience is large.
Self host on EU infrastructure, disable third party services in config.js, turn off telemetry, enforce TLS, store recordings encrypted with a short retention, default to disabled camera and microphone, and provide a clear privacy notice to participants before they join.
EU based alternatives include BigBlueButton (EU community), Galène, Element Call (Matrix), Whereby (Norway, hosted), Tixeo (France, end to end encrypted), Visio CNED and Rendez Vous from the French government's Tchap stack.
List the localStorage and sessionStorage entries written by Jitsi (jitsi.user.id, callStatsUserName, language, recentRooms and similar) under a "functional" or "interactive content" category, along with the data sent to the Jitsi server and the legal basis.