Privacy Policy for Carrd: Do You Need One?

Yes, if your Carrd site collects any personal data. That includes contact forms, email signups, payment buttons, analytics, and embedded third-party content. Here is exactly what you need and how to add it to a single-page site.

For Carrd site owners, freelancers, creators, and anyone using Carrd for a landing page, portfolio, or link-in-bio.

Last updated: March 2026 · Reviewed for GDPR, CCPA & CalOPPA compliance

Written by Anupam Kumar · 9 min read

Yes, your Carrd site needs a privacy policy if it collects any personal data. Contact forms, email signups, Stripe payments, Google Analytics, embedded videos, and third-party widgets all collect visitor data. GDPR, CCPA, and CalOPPA require you to disclose this collection regardless of how simple your site is or whether you consider yourself a business.

Carrd has become the go-to platform for creators, freelancers, and small businesses who need a clean, single-page website without the complexity of traditional site builders. With millions of Carrd sites live today, it is one of the most popular tools for link-in-bio pages, portfolio sites, landing pages, and product launches.

But the simplicity of Carrd creates a false sense of security around data privacy. Because the platform is so lightweight, many site owners assume their Carrd page does not collect enough data to need a privacy policy. That assumption is almost always wrong.

This guide covers exactly when a Carrd site needs a privacy policy, what data Carrd and its common integrations collect, where to place a privacy policy on a single-page site, and the fastest way to generate one that covers your specific setup.

Does Your Carrd Site Need a Privacy Policy?

The short answer is yes, for nearly every Carrd site that does more than display static text and outbound links. If your site includes any of the following, you are collecting personal data and a privacy policy is legally required.

  • Contact forms: Collects names, email addresses, and message content
  • Email signup forms: Sends email addresses to Mailchimp, ConvertKit, or similar
  • Stripe payments: Processes names, email, billing addresses, and card details
  • Google Analytics: Tracks IP addresses, device info, and browsing behavior
  • Facebook Pixel: Tracks visitor behavior for ad targeting and retargeting
  • Embedded content: YouTube, Vimeo, and social embeds set tracking cookies

If your Carrd site includes even one of these elements, you are processing personal data. Privacy laws like GDPR and CCPA do not have a minimum threshold for site size or traffic volume. A Carrd site with 10 visitors per day has the same legal obligations as one with 10,000.

The only Carrd site that might not need a privacy policy is one that is purely static: text, images, and outbound links only, with no forms, no analytics, no embedded third-party content, and no cookies of any kind. In practice, very few Carrd sites meet this standard.

Q: What if my Carrd site is just a personal project?

Privacy laws apply based on whether you collect personal data from visitors, not on whether the site is commercial. GDPR applies to any entity processing personal data of EU residents, regardless of profit motive. If your personal Carrd site has a contact form, it needs a policy.

Q: Does a Carrd Pro account change anything?

Carrd Pro gives you access to more integrations (forms, payments, custom code), which typically means more data collection. A Pro account is more likely to need a privacy policy because Pro features are the ones that collect data. But even a free Carrd site with an embedded form widget needs one.

What Carrd Collects Automatically

Before you even consider your own integrations, it is important to understand what Carrd itself collects from visitors to your site. As a hosting platform, Carrd processes certain data automatically as part of serving your web pages.

Carrd Platform Data Collection

  • Server access logs: IP addresses, timestamps, URLs visited, HTTP status codes, and referrer URLs are logged by Carrd's servers when a visitor loads your page
  • Browser information: User agent strings that identify browser type, version, operating system, and device type
  • Carrd analytics: If you enable Carrd's built-in site stats (Pro feature), page views, unique visitors, and traffic sources are tracked
  • Cookies: Carrd may set functional cookies for site operation, and additional cookies if you use Carrd's analytics or A/B testing features

Did you know?

Under GDPR, you are considered a "joint controller" with Carrd for the data that Carrd's hosting infrastructure processes on your behalf. This means your privacy policy should acknowledge that your hosting provider collects certain technical data, even if you have no direct access to those server logs yourself.

Your Integrations vs. Carrd Platform Data

There is an important distinction between what Carrd collects at the platform level and what your integrations collect. Carrd's platform data collection is relatively minimal and standard for any web host. The bigger privacy concern for most Carrd site owners is the data collected by the third-party services they integrate.

When you add a Mailchimp form, a Stripe payment button, or a Google Analytics tracking code to your Carrd site, those services collect data directly from your visitors. You are responsible for disclosing this collection in your privacy policy because you chose to add these integrations. Carrd's own privacy policy does not cover your third-party services.

This is the point that catches most Carrd site owners off guard. They assume that because they are using a hosted platform, the platform handles all the privacy obligations. It does not. Your website privacy policy must cover both the platform-level data and your own integrations.

Common Carrd Integrations That Collect Data

Every third-party service you add to your Carrd site is a data processor that your privacy policy needs to disclose. Here is what the most common Carrd integrations collect.

| Integration | Data Collected | Data Type | Sets Cookies? |
|---|---|---|---|
| Stripe | Name, email, billing address, card details, transaction history | Financial | Yes |
| Mailchimp | Email address, name (if collected), signup source, engagement data | Contact | Yes |
| ConvertKit | Email address, name, subscriber tags, engagement metrics | Contact | Yes |
| Google Analytics | IP address, device info, pages viewed, session duration, traffic source | Behavioral | Yes |
| Meta Pixel | Page views, button clicks, conversions, device data, Facebook user ID | Advertising | Yes |
| Formspree / Typeform | All form field data (name, email, message), IP address, submission time | Contact | Varies |
| YouTube Embeds | IP address, viewing history, device info, Google account data if signed in | Behavioral | Yes |
| PayPal | Name, email, shipping address, payment details, PayPal account info | Financial | Yes |

Every integration in this table must be disclosed in your privacy policy. If you are using any of these on your Carrd site, you can generate a privacy policy that covers them in under 60 seconds.

Did you know?

YouTube embeds set cookies even if the visitor does not click play. Google's DoubleClick advertising cookies are loaded the moment the embed appears on the page. You can mitigate this by using YouTube's privacy-enhanced mode (youtube-nocookie.com), but you still need to disclose the embed in your privacy policy.

The Single-Page Challenge: Where to Put Your Privacy Policy

Carrd sites are designed to be single-page experiences. This creates a unique challenge: where do you put a privacy policy that could be several pages long without disrupting the clean, focused layout that makes Carrd effective?

There are four practical approaches, each with different trade-offs.

1. Create a separate Carrd page for your privacy policy

With Carrd Pro, you can create multiple sites. Build a second Carrd site dedicated to your privacy policy (for example, yoursite.carrd.co/privacy or a custom domain like privacy.yoursite.com). Link to it from the footer of your main page. This is the cleanest approach and gives your policy its own dedicated URL, which is helpful if third-party services require a privacy policy URL during setup.

2. Use a Carrd modal or lightbox

Carrd supports modal elements that open as overlays on your page. You can place your entire privacy policy inside a modal that opens when visitors click a "Privacy Policy" link in your footer. This keeps visitors on your page while still providing access to the full policy. The downside is that modals can be awkward for long documents on mobile devices.

3. Add a footer section with a link to an external page

Host your privacy policy elsewhere (your own website, a Google Doc, or a dedicated privacy policy page) and add a simple text link in the footer of your Carrd site that opens it in a new tab. This is the simplest option and works with both free and Pro Carrd accounts. The key requirement is that the link must be clearly visible and accessible from every section of your page.

4. Embed the policy directly on your page

For Carrd Pro users, you can use a custom code embed with an iframe that loads your privacy policy within a scrollable container. This keeps everything on one page but can look cluttered. This approach works best if your Carrd site already has multiple sections and the policy section blends naturally into the layout.

Q: Which option is best for most Carrd users?

For most users, option 1 (separate Carrd page) or option 3 (external link) is the best choice. Both give your privacy policy its own URL, which is required by many third-party services and makes it easy to reference in email footers, form notices, and terms of service.

Q: Does my privacy policy link need to be visible without scrolling?

It does not need to be above the fold, but it must be easily accessible. A footer link is standard practice and is accepted by regulators. If your Carrd site has forms that collect data, consider adding a brief notice near each form that links to the privacy policy.

Which Laws Apply to Your Carrd Site

A common misconception is that privacy laws only apply based on where you, the site owner, are located. In reality, most privacy laws apply based on where your visitors are located. Since Carrd sites are accessible globally, multiple laws likely apply to your site.

| Law | Applies When | Key Requirements | Penalties |
|---|---|---|---|
| GDPR | Any visitor from the EU or UK | Legal basis, data categories, processor disclosure, user rights, retention periods | Up to 20M euros or 4% of revenue |
| CCPA/CPRA | California visitors (if thresholds met) | Data categories, opt-out rights, annual updates, "Do Not Sell" link | $2,500 to $7,500 per violation |
| CalOPPA | Any commercial site with California visitors | Conspicuous privacy policy, data types, third-party sharing, effective date | $2,500 per violation |

CalOPPA deserves special attention for Carrd site owners. Unlike CCPA, CalOPPA has no revenue or data volume thresholds. It applies to any commercial website or online service that collects personally identifiable information from California residents. Since nearly every website has California visitors, CalOPPA effectively requires a privacy policy for almost every commercial Carrd site.

The definition of "commercial" is broad. If you sell anything, accept donations, promote a business, or monetize your site in any way, CalOPPA applies. Even a freelancer's portfolio site on Carrd that includes a contact form qualifies.

Did you know?

CalOPPA was the first state law in the United States to require commercial websites to post a privacy policy. Because California is such a large market, it effectively sets a national standard. If your Carrd site is accessible from the internet, it almost certainly has California visitors, and CalOPPA applies.

Beyond these three major laws, additional regulations may apply depending on your industry and audience. If your Carrd site targets children, COPPA applies. If you operate in Canada, PIPEDA applies. If you collect health data, HIPAA may apply. Your privacy policy needs to account for all applicable laws, not just the one you are most familiar with.

For a deeper look at the legal requirements, see our guide on what happens without a privacy policy.

Common Myths About Carrd and Privacy Policies

Carrd's simplicity leads to several persistent misconceptions about privacy requirements. Here are the five most common myths and why they are wrong.

Myth: "My Carrd is just a link-in-bio, so I do not need a privacy policy"

Link-in-bio pages are one of the most common uses for Carrd, and most of them collect data. If your link-in-bio includes an email signup form (extremely common), an embedded social media feed, analytics tracking, or a tip jar with Stripe, it is processing personal data. The purpose of the site does not determine whether privacy laws apply. Data collection does.

Myth: "I do not collect any data on my Carrd site"

This is almost never true. If you have any form, any analytics, any payment integration, or any embedded third-party content, data is being collected. Even without these, Carrd's hosting servers log IP addresses and browser information for every visitor. Under GDPR, IP addresses are personal data. You are collecting data whether you realize it or not.

Myth: "Carrd's own privacy policy covers my site"

Carrd's privacy policy describes how Carrd, the company, handles data for its platform and its own customers (site builders). It does not describe how you handle data that visitors submit through your site's forms, or what happens with the analytics data you collect, or how long you store email addresses from signups. You need your own policy that describes your specific practices.

Myth: "My site is too small to worry about privacy laws"

Privacy laws do not have a minimum traffic threshold. GDPR applies to any organization processing personal data of EU residents, regardless of size. CalOPPA applies to any commercial site accessible by California residents with no traffic minimum. The fact that your Carrd site gets 50 visitors per month does not exempt you from these laws. Each visitor whose data you collect without proper disclosure is a potential violation.

Myth: "I am not a business, so this does not apply to me"

GDPR applies to any "controller" or "processor" of personal data, regardless of whether the activity is commercial. If you run a personal portfolio, a hobby project, or a nonprofit page on Carrd and collect personal data through forms or analytics, GDPR still applies. CalOPPA is narrower (commercial sites only), but the definition of commercial is broad enough to include freelancers, creators selling digital products, and anyone promoting services.

For more on what happens when you operate without a privacy policy, see our guide on consequences of not having a privacy policy. And if you are considering copying another site's policy, read why that creates legal risk.

How to Create a Privacy Policy for Your Carrd Site (6 Steps)

Follow these steps to create a privacy policy that covers your specific Carrd site setup and complies with applicable privacy laws.

1. List every integration on your Carrd site

Open your Carrd site editor and go through every element. Document every form (contact, email signup, survey), every payment button (Stripe, PayPal, Gumroad), every analytics code (Google Analytics, Plausible, Fathom), every tracking pixel (Facebook, TikTok, Google Ads), and every embedded element (YouTube, Vimeo, Spotify, Instagram, Twitter). Each of these is a data collection point that your policy needs to cover.

2. Identify what data each integration collects

For each integration, determine exactly what personal data it receives. Check the integration's own documentation or privacy policy. Email forms collect email addresses. Payment processors collect names, emails, and financial data. Analytics tools collect IP addresses, device information, and behavioral data. Write down each data type for each integration.

3. Generate your privacy policy

Use a privacy policy generator to create a policy that covers all the data collection you identified. Answer the questions about your specific integrations, how you use the data, whether you share it with third parties, and your contact information. The generator will produce a complete, legally compliant policy with all required sections.

4. Choose where to host your privacy policy

Decide on the best approach for your Carrd site. For most users, creating a separate Carrd page or linking to an externally hosted policy works best. If you have Carrd Pro, the separate page approach gives you a clean URL. If you are on a free plan, an external link (Google Doc, Notion page, or your own domain) works fine.

5. Add the privacy policy link to your Carrd site

Add a clearly visible link to your privacy policy in the footer section of your Carrd site. Use descriptive anchor text like "Privacy Policy" rather than generic "click here" text. If you have forms that collect personal data, add a brief disclosure near each form: "By submitting this form, you agree to our Privacy Policy" with a link to the full document.

6. Review and update whenever you change integrations

Every time you add, remove, or change an integration on your Carrd site, review your privacy policy. If you switch from Mailchimp to ConvertKit, add a new analytics tool, or start accepting payments, your policy needs to reflect those changes. At minimum, review your policy once per year.
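
Steps 1, 2 and 6 amount to keeping an inventory of every third-party host your page contacts. The Python script below is an added example, not part of the original article or any Carrd tooling: it scans a saved copy of the page's HTML and lists the third-party hosts it references. The host-to-integration map, the site host, and the sample HTML are constructed assumptions.

```python
"""Inventory third-party hosts referenced by a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host suffix -> (integration, data type as in the article's table).
# Illustrative and incomplete: extend it for the services you actually use.
KNOWN = {
    "stripe.com": ("Stripe", "Financial"),
    "paypal.com": ("PayPal", "Financial"),
    "list-manage.com": ("Mailchimp", "Contact"),
    "convertkit.com": ("ConvertKit", "Contact"),
    "formspree.io": ("Formspree", "Contact"),
    "typeform.com": ("Typeform", "Contact"),
    "google-analytics.com": ("Google Analytics", "Behavioral"),
    "googletagmanager.com": ("Google tag (Analytics / Tag Manager)", "Behavioral"),
    "facebook.net": ("Meta Pixel", "Advertising"),
    "youtube.com": ("YouTube embed", "Behavioral"),
    "youtube-nocookie.com": ("YouTube embed (privacy-enhanced)", "Behavioral"),
}
# Tags whose URL attribute sends a visitor's request or form data to a host.
# Plain <a href> links are skipped: nothing is sent until a visitor clicks.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}

# Constructed sample page; IDs and hosts are placeholders, not real accounts.
SAMPLE_HTML = """
<html><body>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="assets/main.js"></script>
<form action="https://formspree.io/f/example" method="post">
  <input type="email" name="email">
</form>
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<iframe src="//www.youtube-nocookie.com/embed/EXAMPLE"></iframe>
<img src="https://cdn.example-widgets.test/badge.png">
<a href="https://twitter.com/example">Twitter</a>
</body></html>
"""


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if url:
            self.refs.append((tag, url))


def classify(host):
    """Map a host to (integration, data type), or flag it for manual review."""
    for suffix, label in KNOWN.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return ("Unrecognised third party", "Review manually")


def inventory(html, site_host):
    """Return sorted (host, integration, data_type, tags) rows for third-party hosts."""
    collector = _Collector()
    collector.feed(html)
    tags_by_host = {}
    for tag, url in collector.refs:
        host = urlparse(url.strip()).hostname
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative or first-party URL
        tags_by_host.setdefault(host, set()).add(tag)
    return [(h, *classify(h), sorted(t)) for h, t in sorted(tags_by_host.items())]


if __name__ == "__main__":
    for row in inventory(SAMPLE_HTML, "example.carrd.co"):
        print(row)
```

A static scan misses scripts that are injected at runtime, so confirm the result against the browser's network tab before finalizing the policy.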

The Easiest Way to Get a Carrd Privacy Policy

Writing a privacy policy from scratch requires legal knowledge of GDPR, CCPA, CalOPPA, and potentially other regulations. Copying another Carrd site's policy is both a copyright risk and a compliance risk. Hiring a lawyer costs hundreds of dollars for a document that still needs regular updates.

A privacy policy generator gives you a complete, legally compliant policy customized to your exact Carrd setup in under 60 seconds. You answer a few questions about your integrations and data practices, and the generator produces a policy that covers every required section for GDPR, CCPA, and CalOPPA.

The generated policy includes all the specific disclosures your Carrd site needs: which third-party services receive data, what cookies are set, what user rights exist, how long data is retained, and how visitors can contact you about their data. It covers everything a GDPR-compliant template requires.

Frequently Asked Questions

Do I need a privacy policy for my Carrd site?

Yes, if your Carrd site collects any personal data. This includes contact forms, email signup forms, Stripe payments, analytics tracking, Facebook Pixel, YouTube embeds, or any other third-party widget that processes visitor information. Privacy laws apply based on data collection, not site complexity.

Does Carrd itself collect data from my visitors?

Yes. Carrd's hosting servers automatically log IP addresses, browser type, and access timestamps for every visitor. If you enable Carrd's built-in analytics, additional behavioral data is collected. Your privacy policy should acknowledge this platform-level data collection in addition to your own integrations.

Where do I put a privacy policy on a single-page Carrd site?

You have several options: create a separate Carrd page for your policy and link to it, use a modal or lightbox overlay, link to an externally hosted policy, or embed it directly on your page with custom code. A footer link to a separate page is the most common and recommended approach.

Does Carrd's privacy policy cover my site?

No. Carrd's privacy policy covers Carrd as a platform and its relationship with site builders (you). It does not cover how you handle the personal data collected through your site's forms, analytics, and integrations. You need your own separate privacy policy that describes your specific data practices.

What laws require a privacy policy for Carrd sites?

GDPR applies if you have EU or UK visitors. CCPA applies to California visitors if you meet business thresholds. CalOPPA applies to any commercial site accessible by California residents with no thresholds at all. These laws are based on visitor location, not yours. Since Carrd sites are publicly accessible, multiple laws likely apply.

Do I need a privacy policy for a Carrd link-in-bio page?

If your link-in-bio page includes an email signup form, analytics, embedded social content, or payment buttons, yes. A purely static page with only outbound links and no data collection might not need one. But most link-in-bio pages include at least one data-collecting element, so it is safer to have a policy in place.

How do I create a privacy policy for my Carrd site?

The fastest method is using a privacy policy generator. List your Carrd integrations, answer a few questions about your data practices, and receive a complete, compliant policy in under 60 seconds. Then add it to your Carrd site as a linked page or modal.
