Do I need to disclose Webflow in my privacy policy?

Yes. Because Webflow collects user data on your behalf as a processor, you must disclose this in your privacy policy. You should identify Webflow Inc. as a third-party service provider and explain what data it collects (form submissions, IP addresses, and page views). This transparency is required under GDPR, CCPA, and similar privacy laws.

What data does Webflow collect from website visitors?

Webflow collects form submissions (when users complete contact forms or input fields), IP addresses (for identifying visitor location and preventing abuse), and page views (for basic analytics). The specific data collected depends on which Webflow features you enable on your site, such as contact forms or analytics tracking.

Do I need a cookie consent banner for Webflow?

Webflow itself does not use cookies for tracking, so a banner is not required specifically for Webflow's core functionality. However, if you enable third-party integrations (like Google Analytics) through Webflow, those services may use cookies and require consent notices depending on your jurisdiction.

Who processes data collected through Webflow, and where is it stored?

Webflow Inc., a United States-based company, acts as your data processor. Data collected through Webflow is transferred to and processed in the United States. If your users are in the EU, you should have a Data Processing Agreement (DPA) with Webflow in place to ensure GDPR compliance, including mechanisms like Standard Contractual Clauses for lawful data transfers.

CMS

Privacy policy clauses for Webflow

Webflow is a visual website builder and content management system (CMS) that allows businesses to design, build, and manage websites without writing code. Websites hosted on Webflow collect user data through forms, analytics, and site interactions to enable core functionality and service improvement.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Webflow collects

Your privacy policy must disclose each of the following data types when you use Webflow.

Form submissions

IP address

Page views

When does Webflow trigger privacy obligations?

Obligation triggers

Webflow's core data collection—form submissions, IP addresses, and page views—creates controller obligations the moment your site goes live. Here's what activates compliance requirements:

Form submissions trigger GDPR Article 13/14 (information to be provided) and CCPA Section 1798.100 (right to know) obligations immediately. Any web form collecting personal data (names, emails, phone numbers) requires you to disclose what you collect, why, and for how long—*before* the user submits. CCPA applies if you operate a for-profit business collecting California residents' data; GDPR applies if you collect from EU residents, regardless of where you're based.

IP address collection by Webflow happens automatically during page views. Under GDPR Article 5(1)(a) (lawfulness), you must have a legal basis (consent, contract, legitimate interest) documented *before* collection starts. Under the ePrivacy Directive Article 5(3), you need explicit consent for non-essential tracking cookies—though Webflow shows no documented cookies, IP logging itself may constitute tracking depending on your use case.

Privacy policy clauses for Webflow

What data Webflow collects

When does Webflow trigger privacy obligations?

Obligation triggers

Where data goes

Common compliance pitfalls

Pitfall 1: No privacy policy disclosure of Webflow IP logging

Pitfall 2: Missing DPA with Webflow before using forms

Pitfall 3: Miscategorizing consent for form submission vs. analytics

Sample privacy policy clause

What regulators look for

Audit priorities

Frequently asked questions

Do I need to disclose Webflow in my privacy policy?

What data does Webflow collect from website visitors?

Do I need a cookie consent banner for Webflow?

Who processes data collected through Webflow, and where is it stored?

Don't ship without Bandit.