Privacy policy clauses for Nginx
Nginx is an open-source web server and reverse proxy that handles incoming requests to websites and applications. It processes traffic, manages connections, and forwards requests to backend servers. Most websites use Nginx to efficiently serve content and balance server loads.
What data Nginx collects
Your privacy policy must disclose each of the following data types when you use Nginx.
When does Nginx trigger privacy obligations?
Nginx begins collecting data the moment it starts accepting HTTP requests: every connection records the client's IP address in the access logs and captures request headers (User-Agent, Referer, Host, etc.). For most indie founders running self-hosted Nginx, this is *your* data processing, not a third party's: you own the server, you own the logs.
GDPR applies if: you process any EU resident data (including their IP addresses). GDPR Article 4(1) defines personal data broadly; an IP address is personal data under CJEU case law (Breyer v. Germany, 2016). There is no "small business exemption." If your site is accessible to the EU and you log IPs, you are a controller under GDPR Articles 5–7. Your first concrete step: add a privacy notice disclosing IP logging (GDPR Article 13/14) and document your legal basis for processing (typically "legitimate interest" under Article 6(1)(f), which must be justified in a Legitimate Interest Assessment).
CCPA applies if: you operate a for-profit site/app accessible to California residents and you meet the revenue, data volume, or sale threshold (CCPA Section 1798.100). IP address and request headers are "personal information" under CCPA Section 1798.140(o). Your obligation: disclose collection of this data in your privacy policy and honor user rights to know, delete, and opt-out (if applicable).
