Do we need to disclose Prisma ORM in our privacy policy?

Yes. Prisma ORM must be disclosed because it processes personal data stored in your database according to your schema. Under GDPR and CCPA, any tool that accesses or manages personal information requires transparent documentation in your privacy policy, including how data flows through the system and who controls it.

What data does Prisma ORM collect?

Prisma ORM itself does not collect data independently. Instead, it processes whatever personal data your application stores in your connected database based on your Prisma schema. This may include email addresses, names, phone numbers, addresses, or other PII you've defined. You must audit your schema to identify all personal data fields.

Does Prisma ORM require a cookie consent banner?

No. Prisma ORM does not use cookies or client-side tracking. It operates server-side only and requires no consent banner. However, if your application uses cookies for other purposes, those must still be disclosed separately in your cookie policy.

Who processes data in Prisma ORM and where is it stored?

Prisma ORM is self-hosted, meaning your organization controls the data processor role. Data is stored in your own database infrastructure (PostgreSQL, MySQL, SQLite, etc.) under your management. No third-party processors are involved unless you use a managed database service, which would require separate disclosure.

Database & ORM

Privacy policy clauses for Prisma ORM

Prisma ORM is a type-safe database toolkit that developers use to manage application data through a schema-first approach. It acts as an intermediary between your application and database, handling data queries and storage without collecting data independently.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Prisma ORM collects

Your privacy policy must disclose each of the following data types when you use Prisma ORM.

Application data stored in connected database

When does Prisma ORM trigger privacy obligations?

Installation and Schema Definition

Prisma ORM is triggered the moment you define your first schema and connect it to a database—even in development. Unlike client-side SDKs, Prisma ORM does not transmit data to Prisma Inc. servers by default; it is self-hosted. However, your privacy obligations begin immediately because Prisma ORM is the access layer to any personal data your schema defines.

Regulatory Triggers

GDPR (EU, UK, EEA): Triggered if any data subject in scope (EU residents) is stored in your Prisma schema. If your schema includes email, name, IP address, user ID, or other identifiers, you are a data controller. You must document a lawful basis (Article 6), carry out a Data Protection Impact Assessment (DPIA) if processing is high-risk (Article 35), and ensure any database processor has a Data Processing Agreement (DPA, Article 28).

CCPA (California): Triggered if you collect personal information (as defined in CCPA Section 1798.100) from California residents and your business meets thresholds (revenue >$25M, data of 100K+ consumers, or 50%+ revenue from selling data). Your Prisma schema must map to CCPA categories (identifiers, commercial activity, biometric, etc.).

Industry-specific: If your schema contains health data (HIPAA, USA) or payment card data (PCI-DSS), heightened obligations apply immediately.

First Concrete Step

Common compliance pitfalls

Pitfall 1: Treating Prisma as "Data-Safe" Because It's Self-Hosted

The mistake: Founders assume that because Prisma ORM does not send data to third-party servers, they have no privacy obligations. This is false. Prisma ORM is a direct access layer to your database; every field you define in your schema is data you control and must protect.

Why it happens with Prisma ORM: The marketing narrative around "self-hosted" and "you own your data" creates a false equivalence with privacy compliance. Self-hosting means Prisma Inc. is not a processor, but you remain the controller, responsible for GDPR Article 5 (lawfulness, fairness, transparency), retention policies, and data subject rights.

Consequence: Missing data subject access requests (SARs), failing to delete data on request, and inadequate privacy notices. Regulators will fine the controller (you), not Prisma.

Pitfall 2: Not Updating Privacy Policy After Adding Fields to Schema

The mistake: A Prisma schema starts minimal (email, password). Six months later, you add phone, address, and location. The privacy policy still lists only "email and password." GDPR Article 13/14 and CCPA Section 1798.100 require disclosing what categories of personal data you collect.

Why it happens with Prisma ORM: Schema changes feel like engineering work, not policy work. No automated warning triggers when you add a new field.

Consequence: Non-compliance with transparency obligations. A data subject can claim you never disclosed collection of their phone number. DPAs treat this as unfair processing (GDPR Article 5(1)(a)).

Pitfall 3: Missing or Vague Data Processing Agreements with Database Hosts

The mistake: Your Prisma schema runs on AWS RDS or a managed database provider. You have no signed DPA with that host. GDPR Article 28 requires one.

Why it happens with Prisma ORM: Prisma ORM abstracts the database layer. Developers think "Prisma handles it," not realizing Prisma is a query builder, not a data processor agreement.

Consequence: GDPR non-compliance. Even if your host offers a DPA (most do), unsigned it is worthless in audit. Fines can exceed 4% of revenue.

Privacy policy clauses for Prisma ORM

What data Prisma ORM collects

When does Prisma ORM trigger privacy obligations?

Installation and Schema Definition

Regulatory Triggers

First Concrete Step

Common compliance pitfalls

Pitfall 1: Treating Prisma as "Data-Safe" Because It's Self-Hosted

Pitfall 2: Not Updating Privacy Policy After Adding Fields to Schema

Pitfall 3: Missing or Vague Data Processing Agreements with Database Hosts

Legal note

Sample privacy policy clause

What regulators look for

GDPR Authorities (DPAs)

FTC (USA) and State AGs (CCPA, CCPA-like)

Key Enforcement Signals

Frequently asked questions

Do we need to disclose Prisma ORM in our privacy policy?

What data does Prisma ORM collect?

Does Prisma ORM require a cookie consent banner?

Who processes data in Prisma ORM and where is it stored?

Don't ship without Bandit.