Does Kysely need to be disclosed in our privacy policy?

Yes. Kysely processes application data from your SQL database, so it qualifies as a technology affecting data handling that should be documented. Under GDPR Article 13 and CCPA §1798.100, you must disclose technologies that interact with personal data. Since Kysely's data collection depends on your database schema, specify what personal data your application stores and how Kysely queries it.

What data does Kysely collect?

Kysely itself collects no data independent of your application. It only processes whatever data exists in your connected SQL database—determined entirely by your schema and application logic. If your database contains customer names, emails, or other personal information, Kysely will access that data when executing queries you define.

Does Kysely require a cookie consent banner?

No. Kysely does not use cookies, tracking pixels, or browser-based storage mechanisms. It operates server-side as a query builder and requires no end-user consent for its operation. However, your overall website may require consent management for other technologies.

Who processes data when using Kysely, and where is it stored?

Kysely is self-hosted—your organization retains complete control as both data controller and processor. No third-party vendors access data through Kysely itself. Data remains in your own SQL database infrastructure, whether on-premises or in your cloud provider's account.

Database & ORM

Privacy policy clauses for Kysely

Kysely is a type-safe TypeSQL query builder for TypeScript applications that enables developers to construct database queries with compile-time type checking. Websites use Kysely to safely query and manage data stored in connected SQL databases while maintaining code reliability.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Kysely collects

Your privacy policy must disclose each of the following data types when you use Kysely.

Application data stored in connected SQL database

When does Kysely trigger privacy obligations?

Installation Triggers

Kysely itself—a TypeScript query builder—does not collect, transmit, or process personal data. However, it *immediately* triggers compliance obligations the moment you use it to query a database containing personal data.

The Critical Distinction

Kysely is self-hosted. It runs in your application code and never sends data to Kysely's servers. The compliance trigger is not Kysely's presence, but the data you store in and retrieve from your connected SQL database. If your schema includes names, emails, IP addresses, user IDs, location data, or other identifiers, GDPR Article 4(1), CCPA Section 1798.100, and equivalent regulations in your jurisdiction classify that stored data as personal data you control.

First Concrete Step

Once Kysely queries personal data, you must:

1. Map your database schema to identify what personal data you hold (names, emails, etc.)

2. Document your lawful basis for processing it under GDPR Article 6 or CCPA's consumer rights (Section 1798.100 et seq.)

3. Update your privacy notice to disclose which data categories you collect, why, and how long you retain them—

Common compliance pitfalls

Pitfall 1: Confusing Kysely with a Data Processor

Many founders mistakenly believe Kysely requires a Data Processing Agreement (DPA) or vendor risk review. Kysely is not a processor—it's your application code. No DPA with "Kysely" is necessary. However, if your SQL database is hosted on AWS, Google Cloud, Supabase, or another cloud provider, *that vendor* is your processor under GDPR Article 28. Founders often skip DPA negotiation with the *actual* host because they focus on Kysely instead. This leaves a critical compliance gap: GDPR Article 28(3) and CCPA Section 1798.140(w) both require written contracts with processors before they touch your personal data. Consequence: regulatory findings of unauthorized processing; fines up to €10 million or 2% of global revenue under GDPR.

Pitfall 2: Not Disclosing Query Scope in Privacy Notices

Because Kysely is internal, founders often omit it from privacy disclosures entirely—correctly, since it's not a third party. But they then fail to disclose *what* personal data they actually query and store. For example, a SaaS app may say "we store user emails" but not explain that Kysely queries emails, IP addresses, and user behavior logs every time a user logs in. GDPR Article 13 and CCPA Section 1798.100 both require disclosure of the *specific* data categories collected. Vague notices ('we collect information to improve service') do not satisfy this. Consequence: DPA enforcement actions alleging lack of transparency; consent challenges if you rely on consent as lawful basis.

Pitfall 3: Missing Retention Schedules for Queried Data

Kysely makes it easy to build queries that select and filter old data. Founders often query historical data (past login records, deleted user profiles still in the database) without a documented retention or deletion policy. GDPR Article 5(1)(e) and CCPA Section 1798.105 both require you to delete personal data when no longer necessary. If Kysely queries and retains data indefinitely because no deletion logic was implemented, you violate retention requirements. Consequence: data subject deletion requests go unfulfilled; regulatory findings of indefinite retention; fines for failure to honor erasure rights.