Does MikroORM need to be disclosed in our privacy policy?

Yes. MikroORM processes application data stored in your connected database, including any personal information your users provide. Under GDPR and CCPA, you must disclose all tools that handle personal data. List MikroORM in your technology stack and explain that it manages data persistence between your application and database.

What data does MikroORM collect or process?

MikroORM itself collects no data directly. It processes whatever application data your website stores in the connected database—including user accounts, profiles, transactions, or other personal information. The scope depends entirely on your database schema and what information you've defined as entities in MikroORM.

Does MikroORM require a cookie consent banner?

No. MikroORM does not set or use cookies. It is a server-side ORM that operates between your application code and database. However, your website may use other technologies that do require consent, so audit your full tech stack independently.

Who is the data processor for MikroORM?

MikroORM is self-hosted open-source software. No third-party processor is involved. Data remains under your control on your own infrastructure or cloud provider. You are the sole controller and processor—MikroORM simply provides the technical mechanism to persist data.

Database & ORM

Privacy policy clauses for MikroORM

MikroORM is a TypeScript data-mapper ORM that manages how applications interact with databases using the unit of work pattern. Websites use it to map application objects to database records, simplifying data persistence and retrieval while maintaining clean code architecture.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data MikroORM collects

Your privacy policy must disclose each of the following data types when you use MikroORM.

Application data stored in connected database

When does MikroORM trigger privacy obligations?

MikroORM itself does not collect, transmit, or process personal data—it is a self-hosted database abstraction layer. Compliance obligations are triggered when you define and persist entity classes that contain PII (names, emails, IP addresses, user IDs, etc.) in your connected database.

The moment you add MikroORM to handle customer or user records, you become a data controller under GDPR Article 4(7) (if you have EU residents) or a business under CCPA Section 1798.140(ag) (if you have California residents). No threshold exists; one EU user's email triggers GDPR. For payment or health data, heightened obligations apply immediately.

First concrete step: Audit your entity definitions. List every property in your MikroORM entities (User, Order, Profile, etc.) and flag which ones are personal data. Then:

1. Document your lawful basis (GDPR Article 6) or justify collection under CCPA—consent is the safest default.

2. Draft or update your privacy policy to disclose what entity types you store and why (e.g., "We use MikroORM to manage user accounts in our PostgreSQL database").

3. Implement access controls in your application layer—MikroORM has no built-in encryption or role-based query filtering; you must enforce data minimization in code.

Privacy policy clauses for MikroORM

What data MikroORM collects

When does MikroORM trigger privacy obligations?

Common compliance pitfalls

Treating MikroORM as a "privacy-neutral" tool

Forgetting DPA requirements for third-party dependencies

Retaining soft-deleted or archived records indefinitely

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Does MikroORM need to be disclosed in our privacy policy?

What data does MikroORM collect or process?

Does MikroORM require a cookie consent banner?

Who is the data processor for MikroORM?

Don't ship without Bandit.