Streaming live at 10am (PST)

Webflow & GDPR | Hosting in EU + Privacy Statement needed

Details requested, waiting anxiously on this.


YES! I’ve got mail in my inbox with all the details! Including a DPA to be signed.


E-mail Content:

Tired of these GDPR update emails yet? Hang in there, the flood is almost over!

We’re writing to let you know we’ve updated our Terms of Service and Privacy Policies, in part to comply with new Global Data Protection Regulation (aka, the GDPR). These changes will take affect on May 25, 2018.

And yes, you read that right: we now have 2 Privacy Policies. But never fear: we’re sticking with our plain-English versions for those who don’t hold doctorates in jurisprudence.

Here’s a quick look at the key changes:
We now have 2 privacy policies: one global policy, and another for the EU, EEA, and Switzerland
If the two policies conflict in any way, the EU, EEA, and Swiss Privacy Policy takes precedence for people in those areas.

We’ve added a Cookie Policy
So you can read all about how we use those little user-experience-improving bits of data. Rest assured, no cookies were harmed in the making of this policy. Except for that whole plate our team ate at 3 a.m. this morning.

More info on your data and your rights to it
We’re providing even more info about what data we collect through Webflow, and what rights you have over your personal information.

Details on your responsibilities for sites you create with Webflow
Section 7 of our Terms of Service lists your responsibilities around data gathered from website visitors (aka, “end users”) on your sites. So definitely read up on that.

We created a Data Protection Agreement
If you might be collecting personal data from EU, EEA, and/or Swiss website visitors (for example, via form submissions), we now have a Data Protection Agreement available for signature.

Your public profile is now opt-in
To date, using Webflow meant you also had a public profile to help you showcase your work and attract more clients. You’ve always had control over the content of that profile, but now you can choose whether or not you want it to display at all. If you want to keep your profile, you don’t have to do a thing. If you want to opt out, update your profile settings.
And just by way of reminder: you can always opt out of our marketing emails from your account settings, or the unsubscribe links in all our marketing emails.

As with every terms and policy update, your continued use of Webflow means you agree to these updates, so be sure to give them a read! If you have any questions, just reply to this email. We’ll be happy to help.

Happy reading! :upside_down_face:
The Webflow Team

First step in the right direction. @cyberdave or andybody… please let us now how form data and end-user IP storage on your servers will be handled in future? This can’t be our own problem as data controller because we can’t prevent that you will get this informations from the end-user. Please please please clearify.
There is nothing about this topics in the TOS, privacy policy or dpa.

1 Like

@callmevlad has issued a further post - hopefully clears up some more detail for those in this thread:


Hi, what I meant are the various law firms or companies (Trusted Shops for example) that provide you with up to date llegal text and advice for you data protection disclaimer, often bundled with an insurance policy against the bad cops, meaning their lawyers will handle any claims against your website…

1 Like

@StuM thanks for the link to Vlads respond about how visitor traffic is handled in the webflow hosting. The link doesn’t work anymore though (

I’m urgently researching information on that subject, since my company might get into legal problems because of the webflow hosting and I need to know how webflow treats data from visitors.

Is there a new source of information or why was the post deactivated for the general user?

I’d suggest contacting webflow support for this one. I remember they have a full process for this and to be fully gdpr compliant I think there are agreements required between them and you. Including the privacy statements. I don’t remember all the details and for what I’ve done I’ve not needed it. So I never revisted it. When it first came out though it was confusing and convoluded. I’m guessing they have streamlined the process.


1 Like

I’ve gone to
This is for a data processing agreement (DPA) which is one of the more important things you need to have for the GDPR.

Furthermore i’ve linked to which also has some insights into the privacy and data handling.

Still there is a possible issue about the location of the servers that hold the ‘user-data’.
As far as i know, it’s not 100% clear where the servers are, or more specific on which server your data is. Generally i’ve settled and communicated to my clients it’s still US regulations even if the servers ‘might’ be in the EU for example. With an extra link to the DPA i signed with Webflow did suffice for now.

Hope you can find some more info on the supplied links.

Also mention-able and in line with the GDPR:

  • disable view of form submissions and user data for the site designer
  • option to move site to separate account for a client only
  • option for enabling IP anonymization for Google Analytics
  • option for 2FA
  • option for removal of database entries and personal data

Thanks a lot for both of your fast replies and help @jbleroux & @icexuick.

I’ll have to take care of signing the DPA with webflow for my own company still.
Doing research at the moment too though for a webshop we are about to build with Webflow and I have to make sure, that our client doesn’t get into legal trouble by running a Webflow Ecommerce website. Especially since customers are going to leave very critical information about themselves when purchasing a product.

So looks like I have to go and put some extra energy into modifying our privacy statement, that the shop won’t get targeted. Thanks for the tips @icexuick that will help quite a bit.

1 Like

All my customers are US Only. Do I need a GDPR statement in case an EU person or entity lands on my site?

@rjbiccum yup, every website that can be accessed by an EU resident has to comply. The people who made the law clearly don’t quite get how the internet works :joy:


Add a popup with a button to continue to the site with: “I hereby confess that i’m an US citizen and not from any other country” :stuck_out_tongue_closed_eyes:

Anybody any new insights on the GDPR or relevant/big cases/sued companies?
Here in The Netherlands it’s almost off the (news)radar and in my local vicinity there have not been any ‘problems’ for business.

Usually SSL/GDPR and privacy statement are things that make a company look more professional and also that https:// sites get ‘improved’ rating/value in search-engines is often enough to do the works.

But still a lot of companies underestimate the (full) idea of it: They think that adding SSL and making visitor tracking anonymous and removing some form fields with personal data is it.

Just visited the dentist and the whole waiting room could hear the girl at the desk (on the phone) talking loudly with a patient and she was repeating all kinds of personal data. That’s essentially also GDPR.

Well… the aim of the GDPR is well intended. The actual (real) impact and practicality are still something else.

1 Like

Hello All,

I still do get some questions about the data location and ownership.

For the EU businesses that want to be GDPR compliant, they need 100% guarantee that the data is stored in the EU and that they are 100% owner of this data.

So since a couple of years we (kinda) know there are Webflow dataservers in the EU, but they possibly also exist in the US as well. That should/might not be a problem, but as far as i know, there isn’t this 100% guarantee that the US could confiscate data (under rules in f.e. the US Privacy Shield).

Can someone tell me more about this? Is there a way to get this done, perhaps written in a new DPA between Webflow and the Webflow User/Designer? Or perhaps this could even be done on a per project/website basis? (select which websites need this).

Even though GDPR’s main aim is to take careful actions with data and processing and you need to be able to prove that you’re working carefully with (user)data, not per se that every inch/corner of (f.e.) your website is 100% ‘watertight’ - still some clients in the EU want this.

Hopefully someone can help me out with these final steps in getting/making Webflow the, possibly best, solution to have both awesome and GDPR compliant websites in the EU.


Important read on this is:

I interpret this as: Having data (also) in the US will not fully comply to the GDPR. The privacy laws in the US are still not as they should be, and so data privacy in the US still is not good enough.

How can EU users of Webflow make use of this awesome platform and also comply to the GDPR data privacy rules?


There was an update on this in the form of a ruling of the European Court of Justice and it does not look good for current setup, as far as i can tell.

To comply to the GDPR, things with the Privacy Shield are (by far) not good enough.
There needs to be a specific/custom contract (SCC) between Webflow and the EU (or EER) user/owner of the data. This contract needs to be based on standard contractual clauses of the European Commission. More info on what needs to changed/be done is still in the works.

But in general, the US law is (according to the European Court of Justice) irreconcilable with the minimal requirements of data protection of the EU » Meaning that the transfer of (personal)data to the US is in fact illegal.

PS. This will also apply for the Brexit - If there isn’t a deal before the end of 2020, the UK will also be considered as a ‘not compliant’ country for data protection.

I’ll try to post the full details and document describing this ruling. It states pretty heavy problems/consequences for (global) data transfer to countries outside of the EER.

“The Court ruled that Decision 2016/1250 concerning the adequacy of the Protection provided by the EU-VS-Privacy Shield is invalid

Link to the Ruling of the European Court of Justice (in Dutch):


@icexuick i wish your voice could be heard. I’m afraid we, as non-american people, are being left aside in regards to the GDPR law.


Well ideally the whole law/privacy/data protection should be better all around the world. It’s for a good cause to be (much) more careful with this data.

But practically speaking, i think there should at least be good/specific and watertight contracts to be signed between f.e. a EU Webflow user and Webflow.

If i understand enough of the rulings, this is most likely something that needs to be done, and this contract should apply to the (EU) GDPR, not the US Privacy Shield. I even believe the whole Privacy Shield should not be in the same sentence as the GDPR.

It’s unfortunate for the EU/EER people that, they are ones that are fined for using their preferred software or online application of choice which happens to be located in the US
(The US is just an example, lots more countries aren’t on the ‘safe-list’ regarding the GDPR/Ruling of the Court of Justice.)

1 Like

This is a major issue - we really need an option to host on AWS Europe.


We really need something done about this. Many Webflow users in EU are still operating in full knowledge of this and taking the risk upon themselves.

I am keeping my Webflow subscription for now but I am steadily losing faith in them. To not even have a blog post about these changes or offer any advice for the EU users? It makes me feel like the unwanted third child.


Well there is stuff being done here - you can read here: Webflow, your EU customers need a statement (Privacy Shield)

So we’re (hopefully) not the unwanted child(s).

My guess is that it’s just very very complicated matter, which involves tons of legal stuff, but also how to get this technically right.

Also it’s all still fairly new, especially for US-based businesses, so i think investigating each/every system that (in this case) Webflow uses, and in order to get the “GDPR-PROOF” Label on each and everyone which could involve all kinds of technical and/or legal changes, is a major(!) undertaking. This could very well take many months, if not, years to do well.