Do I need to disclose Unleash in my privacy policy?

Yes. Unleash processes user context data to evaluate feature flags, which constitutes data processing under GDPR and CCPA. You must disclose that you use feature flags for experimentation and feature management, explain what user context data is collected, and describe the purpose. Transparency is required even for self-hosted instances.

What specific data does Unleash collect?

Unleash collects user context for flag evaluation (such as user ID, custom attributes, and segment information), feature toggle states, and usage metrics about which flags were evaluated and their outcomes. The exact data depends on your implementation—you control what context you send to Unleash for flag evaluation decisions.

Does Unleash require a cookie consent banner?

Unleash itself does not use cookies. However, if you're self-hosting, you control all data handling. If using a hosted version, check your provider's terms. Since Unleash relies on server-side flag evaluation rather than client-side tracking, cookie consent is typically not required specifically for Unleash, though you may need it for other analytics tools.

Who processes data collected by Unleash and where is it stored?

When self-hosted, you are the data controller and processor—data never leaves your infrastructure. Unleash is open-source and does not transfer data to third parties by default. If using a managed Unleash service, the service provider becomes your data processor, and you should review their data processing agreement and server locations for GDPR/CCPA compliance.

Feature Flags & Experimentation

Privacy policy clauses for Unleash

Unleash is an open-source feature management platform that controls which features are visible to users through feature flags and toggles. Websites use it to gradually roll out new features, run experiments, and manage feature availability without redeploying code.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Unleash collects

Your privacy policy must disclose each of the following data types when you use Unleash.

User context for flag evaluation

Feature toggle state

Usage metrics

When does Unleash trigger privacy obligations?

Installation triggers immediate obligations

The moment Unleash SDK is integrated into your product, you begin collecting user context data for flag evaluation—this includes identifiers, IP addresses, custom attributes, and behavioral signals needed to determine which feature flags each user sees. This data flow is active on every user interaction.

### GDPR applicability

If your users include anyone in the EU/EEA, GDPR Article 13 (transparency) and Article 6 (lawful basis) apply immediately. User context data is personal data under GDPR Article 4(1). You must establish a lawful basis—typically user consent under Article 6(1)(a) or legitimate interest under Article 6(1)(f)—*before* the SDK transmits context data to Unleash (even if self-hosted, internal processing requires a lawful basis).

### CCPA applicability

If you operate a for-profit business collecting personal information from California residents, CCPA Section 1798.100 grants users the right to know what data you collect. Unleash's user context collection is

Privacy policy clauses for Unleash

What data Unleash collects

When does Unleash trigger privacy obligations?

Installation triggers immediate obligations

Common compliance pitfalls

Pitfall 1: Omitting Unleash from privacy disclosures

Pitfall 2: Confusing "self-hosted" with "no GDPR/CCPA obligations"

Pitfall 3: Collecting excessive user context attributes without consent

Legal note

Sample privacy policy clause

What regulators look for

Primary audit focus

Frequently asked questions

Do I need to disclose Unleash in my privacy policy?

What specific data does Unleash collect?

Does Unleash require a cookie consent banner?

Who processes data collected by Unleash and where is it stored?

Don't ship without Bandit.