Making your site GDPR-ready: How Kirby processes personal data


#1

Some of you have asked us which personal data Kirby stores and processes and what you need to know about in terms of GDPR compliance.

We are not responsible how you handle data privacy on your own Kirby-powered website(s). You are your own data controller and if you are located in the EU or if you have customers in the EU, you must make sure that your site is GDPR-compliant. However we want to give you the necessary technical information to make it easier for you to comply with GDPR.

Kirby and the Panel are designed with privacy in mind, which is why the Kirby core and Panel never communicate with third-party services or our own servers in any form. There are no trackers, no analytics and no cookies except those related to sessions and user management. We have no access to your Panel, to your data, to your server or to your users. We also don’t use external services to provide webfonts, JavaScript libraries or any other assets for the Panel. Everything runs on your server and stays under your control.

Simple Kirby sites don’t store or process any personal data of your site visitors.
However here is a list of Kirby features that do process data if you use them:

  • User handling: The user data gets stored in account files within the site/accounts directory. Also, Kirby will create a session cookie as well as other necessary cookies to keep track of the currently logged in user if you use a login form in your site’s frontend or if you use the Panel. Please note that Kirby 2 also creates the session cookie if you check whether a user is currently logged in, no matter if that’s the case or not. Kirby 3 won’t do that and will only create a session cookie once a user is actually logged in.
    The user credentials are transmitted via HTTP. Therefore we strongly recommend to use TLS encryption for your sites to protect the passwords and other personal data of your visitors and users.
  • Panel: The Panel also sets a session cookie as well as other necessary cookies for every visitor who uses the Panel. Besides storing the currently logged in user, the Panel also uses them to keep track of unsaved changes, the current state of the user interface, notification messages and to improve security.
  • Language detection: If you use the language.detect option on a multilang site, Kirby also creates a session cookie to keep track of the visitor’s language. This option is disabled by default.
  • csrf() helper: If you use the csrf() helper, Kirby will create a session cookie so that the helper can validate the CSRF token in a later request.

Your sites may store or process additional personal data depending on the Kirby plugins and custom code you are using. For example some plugins like contact form plugins also use sessions for technical reasons.

Of course your sites also process personal data once a contact form gets submitted, a blog comment gets stored or files get uploaded by visitors. The same also applies to similar custom site features. The data you store in your content files may also be personal data.

Data might also get stored and processed by your hosting provider. Which data they store and process depends on your contract with the hosting provider.


Please note that this information might be incomplete. We can’t guarantee that your sites don’t collect or process personal data in other ways.
Please also note that we can’t give any legal advice what this means for you and your sites. If you are unsure what you need to do to comply with GDPR or any other national laws in your country, please consult a lawyer.

In case you have any further technical questions about this topic, you can of course get in touch at any time by replying to this thread.


Kirby Session Cookie
#2

#3

It’s maybe interesting to hear what we did for https://getkirby.com:

  • We added a privacy policy: https://getkirby.com/privacy
  • We removed Google Analytics and didn’t replace it with any other tracker or analytics.
  • We made sure that we don’t set any additional cookies.
  • We removed the last signs of Disqus.
  • We moved from Imgix to Cloudinary. They handle privacy and GDPR compliance a lot better and more transparent.
  • We signed DPAs with every third-party service. You can find all of the services in the privacy policy.
  • We improved our newsletter sign-up form to be more clear

If you have any questions about our policy or those changes, please let us know!