Do I need to disclose Netlify Functions in my privacy policy?

Yes. Netlify Functions processes data on your behalf as a third-party service provider, making it a data processor under GDPR and CCPA. You must disclose that user data (including request payloads and metadata) may be processed through Netlify Functions and explain the purpose of that processing. This transparency is required by privacy regulations regardless of whether you collect sensitive data.

What data does Netlify Functions collect and process?

Netlify Functions collects function invocation payloads (data sent to the function), request metadata (IP addresses, user agents, headers), and deploy/build logs. Any personal information included in form submissions, API requests, or function parameters will be processed by Netlify. You should audit your functions to identify if personally identifiable information (PII) is being transmitted or logged.

Do Netlify Functions require a cookie consent banner?

No. Netlify Functions do not set cookies themselves. However, if your website uses cookies for other purposes (analytics, marketing, etc.), those require separate consent. The function invocation itself does not trigger additional cookie consent requirements beyond what your site already implements.

Who processes data from Netlify Functions and where is it stored?

Netlify Inc., a United States-based company, processes data from Netlify Functions as your data processor. Data is processed and stored in the US. Netlify maintains SOC 2 Type II compliance. For EU users, ensure you have appropriate data transfer mechanisms (such as Standard Contractual Clauses) in place, as the US lacks an adequacy decision under GDPR.

Cloud & Backend

Privacy policy clauses for Netlify Functions

Netlify Functions is a serverless computing service that allows websites to run backend code without managing servers. It executes custom functions in response to user requests, enabling dynamic features like form processing, API integrations, and authentication workflows.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Netlify Functions collects

Your privacy policy must disclose each of the following data types when you use Netlify Functions.

Function invocation payloads

Deploy and build logs

Request metadata

When does Netlify Functions trigger privacy obligations?

Netlify Functions trigger privacy obligations the moment you deploy a function that processes user data. Here's what activates compliance requirements:

Data flow trigger: When a Netlify Function receives a request payload containing user information (emails, IPs, form submissions, authentication tokens), you are collecting and processing personal data. This happens automatically—Netlify also captures request metadata and function invocation logs, which may contain PII even if your function code doesn't explicitly extract it.

GDPR (if you have EU users): Processing any personal data of EU residents triggers GDPR obligations regardless of where your server is located. Article 13 requires you to provide privacy information *at point of collection*—meaning before the function processes the data. You must document a lawful basis (Article 6) for processing and establish a Data Processing Agreement (DPA) with Netlify Inc. as your processor under Article 28.

CCPA (if you have California users):

Privacy policy clauses for Netlify Functions

What data Netlify Functions collects

When does Netlify Functions trigger privacy obligations?

Where data goes

Common compliance pitfalls

Logging PII without retention policies

Missing or vague Data Processing Addendum

Failing to disclose function-specific processing in privacy policies

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose Netlify Functions in my privacy policy?

What data does Netlify Functions collect and process?

Do Netlify Functions require a cookie consent banner?

Who processes data from Netlify Functions and where is it stored?

Don't ship without Bandit.