Do I need to disclose LaunchDarkly in my privacy policy?

Yes. LaunchDarkly processes user context data to evaluate feature flags and assign users to experiment groups, making it a data processor under GDPR and CCPA. Disclosure is legally required when you collect user identifiers (keys, emails, names) and send them to LaunchDarkly for flag evaluation or experimentation purposes.

What specific data does LaunchDarkly collect about users?

LaunchDarkly collects user context attributes including unique user keys, email addresses, names, and custom attributes you configure. It also records feature flag evaluation results and experiment group assignments. You control what attributes are sent; LaunchDarkly recommends minimizing personally identifiable information where possible.

Does LaunchDarkly use cookies that require a cookie banner?

LaunchDarkly does not set its own cookies. However, if you embed LaunchDarkly client-side SDKs and collect user identifiers or other personal data for flag evaluation, you may need consent under GDPR or CCPA depending on your legal basis. Review your consent framework based on whether you're relying on consent or legitimate interest.

Who processes the data and where is it stored?

LaunchDarkly Inc., a United States-based company, acts as your data processor. User context data is transmitted to LaunchDarkly servers in the US for flag evaluation and experiment analytics. LaunchDarkly is SOC 2 Type II certified. Review their privacy policy at https://launchdarkly.com/policies/privacy/ and ensure a Data Processing Agreement (DPA) is in place for GDPR compliance.

Feature Flags & Experimentation

Privacy policy clauses for LaunchDarkly

LaunchDarkly is a feature management and experimentation platform that allows websites to control which features are visible to users, run A/B tests, and collect experiment results. It evaluates feature flags server-side or client-side to enable dynamic feature rollouts and user segmentation.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data LaunchDarkly collects

Your privacy policy must disclose each of the following data types when you use LaunchDarkly.

User context attributes (key, email, name)

Feature flag evaluation results

Experiment group assignments

Custom event data for experiments

When does LaunchDarkly trigger privacy obligations?

Data Flow Activation

The moment you integrate LaunchDarkly's SDK into your application, user context attributes (key, email, name, and any custom attributes you define) are transmitted to LaunchDarkly's servers in the United States for flag evaluation. This happens on every page load or app session where a user is identified. This data flow—not a privacy policy alone—triggers obligations.

Regulatory Thresholds

GDPR (EEA users): If any of your users are in the EEA, GDPR Article 4(1) classifies user context data as personal data. You must have a lawful basis (Article 6) for sending it to LaunchDarkly. Consent under Article 7 is one option; legitimate interest (Article 6(1)(f)) requires a documented balancing test. You also need a Data Processing Agreement (DPA) with LaunchDarkly under Article 28(3).

Privacy policy clauses for LaunchDarkly

What data LaunchDarkly collects

When does LaunchDarkly trigger privacy obligations?

Data Flow Activation

Regulatory Thresholds

First Concrete Step

Where data goes

Common compliance pitfalls

### Forgetting to Disclose the Data Transfer to a US Processor

### Sending Unnecessary PII in User Context

### Missing or Unsigned Data Processing Agreement

Legal note

Sample privacy policy clause

What regulators look for

DPA and ICO Audit Focus

Data Residency and Transfer Mechanisms

Consent and Legitimate Interest

Frequently asked questions

Do I need to disclose LaunchDarkly in my privacy policy?

What specific data does LaunchDarkly collect about users?

Does LaunchDarkly use cookies that require a cookie banner?

Who processes the data and where is it stored?

Don't ship without Bandit.