Do I need to disclose Sequelize in my privacy policy?

Yes. Sequelize processes and stores application data in your connected SQL database, and your privacy policy must disclose how personal information is collected, stored, and managed. You should specify which data fields in your Sequelize models contain personally identifiable information (PII) and describe retention practices, as Sequelize itself does not anonymize or encrypt data by default.

What data does Sequelize collect and process?

Sequelize does not collect data independently. Instead, it processes application data that your system stores in a connected SQL database (MySQL, PostgreSQL, SQLite, or MSSQL). The specific data collected depends entirely on your Sequelize model definitions—any field you define in your models, including names, emails, phone numbers, or other PII, will be processed and stored by Sequelize.

Does Sequelize require cookie consent banners?

No. Sequelize itself does not set, store, or use cookies. However, your application may use cookies alongside Sequelize for session management, authentication, or analytics. If your site uses cookies, you must disclose this separately and obtain appropriate consent under GDPR or CCPA regulations.

Who processes data collected by Sequelize, and where is it stored?

Sequelize is self-hosted; your organization acts as the data processor and controller. Data is stored only in the SQL database you configure (on your servers or infrastructure provider). No third-party data processors are involved in Sequelize's operation unless you use a managed database service like AWS RDS or Azure SQL, in which case that provider's privacy terms apply.

Database & ORM

Privacy policy clauses for Sequelize

Sequelize is a promise-based Object-Relational Mapping (ORM) library for Node.js that enables developers to interact with SQL databases using JavaScript. Websites use Sequelize to simplify database operations, manage data models, and ensure structured data handling without writing raw SQL queries.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Sequelize collects

Your privacy policy must disclose each of the following data types when you use Sequelize.

Application data stored in connected database

When does Sequelize trigger privacy obligations?

Installation Triggers PII Audit Obligations

Sequelize itself is self-hosted and collects no telemetry or cookies. However, installing Sequelize immediately creates a data processing obligation because you are now architecting how user data flows into and out of your connected database. The trigger is not Sequelize's code—it is your model definitions.

### First Concrete Step: Inventory PII in Models

Audit every Sequelize model definition for personally identifiable information (name, email, phone, IP address, user IDs linked to individuals, location data, payment details). Under GDPR Article 4(1), personal data is any information relating to an identified or identifiable natural person. Sequelize has no built-in PII detection; you must manually classify which fields qualify.

### Which Regulations Apply

GDPR (EU/EEA users): Applies immediately if you store any data about EU residents. You must document a lawful basis (Article 6) and update your privacy notice (Article 13/14) with specifics: data categories, retention periods, and third parties (if any).

CCPA (California users): Applies if you collect personal information and meet the threshold (annual gross revenues >$25M, OR buy/receive personal information of 100,000+ consumers/households, OR derive 50%+ revenue from selling consumers' personal information).

Common compliance pitfalls

Pitfall 1: Failing to Disclose Specific Data Fields in Privacy Policies

The Mistake: Teams add Sequelize models for customer email, phone, billing address, and IP address but write a generic privacy policy stating "we collect user data." GDPR Article 13 and CCPA Section 1798.100 require specific enumeration of data categories collected.

Why It Happens with Sequelize: Sequelize makes it frictionless to add new fields (timestamps, metadata, third-party IDs) to models without updating documentation. A developer adds a `lastLoginIP` or `inferred_country` field to a User model and forgets it is PII.

Consequence: Regulators treat vague disclosures as unfair/deceptive. GDPR fines (up to 4% of annual turnover) and CCPA statutory damages ($100–$750 per consumer per incident) apply. Enforcement actions by ICO, CNIL, California AG target this specific gap.

Pitfall 2: No Data Processing Agreement (DPA) When Using Database Hosting as a Separate Service

The Mistake: You self-host Sequelize but connect it to a managed database service (AWS RDS, Azure Database, Heroku Postgres) and assume no DPA is needed because "Sequelize is self-hosted."

Why It Happens with Sequelize: Sequelize is the ORM layer; the database provider is the infrastructure. Teams conflate the two. Sequelize handles queries, but the database provider processes (stores, backs up, replicates) the actual personal data.

Consequence: GDPR Article 28 requires a signed Data Processing Agreement with any processor handling personal data on your behalf. Missing DPA = breach of contract + regulatory penalty. Auditors flag this immediately.

Pitfall 3: Hardcoding Retention Logic Without Clear Documentation

The Mistake: Add a Sequelize hook (e.g., `beforeDestroy`) to auto-delete old records, but do not document the retention schedule in your privacy notice or data retention policy.

Why It Happens with Sequelize: Sequelize hooks are powerful and easy to implement; compliance documentation feels separate. A developer deletes records after 90 days but never tells the privacy officer.

Consequence: GDPR Article 5(1)(e) requires storage limitation; CCPA requires deletion upon consumer request. Undisclosed deletion schedules expose you to complaints and fines for failing to honor access/deletion rights.

Privacy policy clauses for Sequelize

What data Sequelize collects

When does Sequelize trigger privacy obligations?

Installation Triggers PII Audit Obligations

Common compliance pitfalls

Pitfall 1: Failing to Disclose Specific Data Fields in Privacy Policies

Pitfall 2: No Data Processing Agreement (DPA) When Using Database Hosting as a Separate Service

Pitfall 3: Hardcoding Retention Logic Without Clear Documentation

Legal note

Sample privacy policy clause

What regulators look for

DPA Audit Priorities for Sequelize Users

Frequently asked questions

Do I need to disclose Sequelize in my privacy policy?

What data does Sequelize collect and process?

Does Sequelize require cookie consent banners?

Who processes data collected by Sequelize, and where is it stored?

Don't ship without Bandit.