Privacy policy clauses for Gatsby
Gatsby is a React-based static site generator that builds fast, secure websites by pre-rendering pages at build time rather than serving dynamic content. Websites use Gatsby to improve performance, security, and user experience while reducing server infrastructure requirements.
When does Gatsby trigger privacy obligations?
Gatsby itself—a React-based static site generator—does not inherently collect, process, or transmit personal data. Installing Gatsby on your infrastructure does not, on its own, create mandatory privacy obligations.
However, obligations arise immediately when you:
- Add third-party plugins or integrations (e.g., analytics, CMS connectors, forms). At that moment, you become a data controller or processor depending on the plugin's data flows. GDPR Article 4(7) and CCPA Section 1798.100 apply if the plugin collects personal data from EU or California residents respectively.
- Enable server-side rendering (SSR) or serverless functions in Gatsby Cloud or self-hosted backends. This may process IP addresses, cookies, or request headers—triggering GDPR Article 13 (fair processing notice) and CCPA Section 1798.100 (consumer disclosure) obligations.
- Integrate Gatsby with a CMS (Contentful, WordPress, Strapi) that handles user login data or stores personal information. You must ensure a Data Processing Agreement (DPA) is in place under GDPR Article 28.
First concrete step: Audit every plugin and backend integration in your `gatsby-config.js` and identify which process personal data. Document your data flows in a Data Processing Impact Assessment (DPIA) if GDPR applies (Article 35 threshold: automated decision-making or large-scale processing).
