Website Builder Guide

Privacy Policy for Webflow

Your Webflow site collects personal data through hosting logs, analytics, forms, and every third-party integration you have added. GDPR, CCPA, and CalOPPA all require you to disclose this in a privacy policy.

For Webflow designers, agencies, and business owners running sites on the Webflow platform.

Last updated: March 2026 · Reviewed for GDPR, CCPA & CalOPPA compliance

Written by Anupam Kumar

Yes, your Webflow site needs a privacy policy. Webflow hosting automatically collects visitor IP addresses, browser data, and device information through server logs. Webflow Analytics tracks page views and sessions. Forms collect user submissions. Every third-party integration adds additional data processing. GDPR, CCPA, and CalOPPA all require you to disclose this collection in a privacy policy.

Webflow has become one of the most popular website builders for designers, agencies, and small businesses. Its visual editor and powerful CMS make it easy to build professional sites without writing code. But every Webflow site, whether it is a simple portfolio or a full Ecommerce store, collects personal data from visitors.

Many Webflow users assume that because they are not writing server-side code, they are not collecting data. That is incorrect. Webflow hosting processes visitor requests and logs connection data. If you have enabled Webflow Analytics, added a contact form, embedded a YouTube video, or installed Google Analytics through custom code, your site is collecting personal data that privacy laws require you to disclose.

This guide covers exactly what your Webflow site collects, which integrations create additional obligations, the specific requirements for Webflow Ecommerce, and how to create a compliant privacy policy that covers everything.

Does Your Webflow Site Need a Privacy Policy?

Yes. There is no scenario where a Webflow site does not need a privacy policy. Even the simplest Webflow site, a single landing page with no forms and no integrations, still collects data through Webflow hosting infrastructure.

Webflow sites are hosted on Amazon Web Services (AWS) and Fastly CDN. When a visitor loads your site, the hosting infrastructure logs their IP address, browser type, device information, and the pages they visit. This is standard web server behavior, but under GDPR, IP addresses are classified as personal data. That alone triggers the requirement for a privacy policy.

Beyond hosting logs, most Webflow sites collect additional data through at least one of these features: Webflow Analytics (page views, sessions, referrers), Webflow Forms (name, email, message, or whatever fields you have added), custom code embeds (Google Analytics, Facebook Pixel, chat widgets), or Webflow Ecommerce (order details, payment information, shipping addresses).

The legal requirements are clear. GDPR requires a privacy policy if you process any personal data of EU residents. CCPA requires one if you collect data from California residents and meet certain business thresholds. CalOPPA requires a privacy policy for any commercial website or online service that collects personally identifiable information from California consumers, regardless of business size.

  • Hosting: Logs IP addresses automatically
  • Forms: Collects user submissions
  • Scripts: Third-party tracking tools

Q: My Webflow site is just a portfolio. Do I still need one?

Yes. Even a portfolio site collects IP addresses and browser data through Webflow hosting. If you have a contact form, that is additional personal data. If you use any analytics, that is more. A privacy policy is required regardless of the site type.

Q: Does Webflow provide a privacy policy for my site?

No. Webflow has its own privacy policy covering its platform, but that does not cover your site. You are the data controller for your website. Webflow is a data processor. You are responsible for providing your own privacy policy to your visitors.

What Webflow Collects Automatically

Before you even add a single integration or custom code snippet, your Webflow site is already collecting data. It is important to understand what Webflow processes natively so your privacy policy accurately reflects these baseline data flows.

Webflow hosting runs on AWS infrastructure with Fastly CDN. Every page load generates server logs. These logs are standard for any web hosting, but they contain personal data under GDPR definitions. Beyond hosting, Webflow offers native analytics and form handling, each of which processes additional categories of personal data.

| Webflow Feature | Data Collected | Active By Default | Uses Cookies |
|---|---|---|---|
| Webflow Hosting | IP address, browser type, device info, OS, pages visited, referring URL, timestamps | Yes | No |
| Webflow Analytics | Page views, unique visitors, sessions, session duration, referral sources, geographic location, device categories | On paid plans | No |
| Webflow Forms | Whatever fields you add: name, email, phone, message, file uploads, plus submission metadata | When forms are added | No |
| Webflow Ecommerce | Customer name, email, shipping address, billing address, phone, order history, cart contents | When Ecommerce is enabled | Yes (session) |
| Webflow Memberships | Email, password hash, membership tier, access history, account creation date | When Memberships is enabled | Yes (auth) |
| Webflow Logic | Form submission data passed to external services via automated workflows | When Logic flows are set up | No |

Each of these features processes personal data in a slightly different way. Webflow hosting logs are processed by Webflow as your data processor. Form submissions are stored in your Webflow project dashboard. Ecommerce data is stored within Webflow and shared with Stripe for payment processing.

Your privacy policy needs to account for every active feature. A Webflow site using hosting, analytics, forms, and Ecommerce is collecting significantly more data than one using just hosting. The policy must match your actual setup.

Did you know?

Webflow Analytics is designed to be cookie-free and privacy-friendly. Unlike Google Analytics, it does not set tracking cookies or use persistent identifiers. However, it still processes visitor IP addresses for geographic data, which qualifies as personal data under GDPR. Being cookie-free does not mean consent-free or disclosure-free. Your privacy policy still needs to mention it.

Third-Party Integrations on Webflow

The native Webflow features are just the starting point. Most Webflow sites add third-party tools through custom code embeds, Webflow integrations, or the Project Settings code injection area. Each integration that receives visitor data is a separate data processor that must be disclosed in your privacy policy.

Here are the most common third-party integrations found on Webflow sites, along with what data they collect and why your policy must mention them.

| Integration | Category | Data It Accesses | Sets Cookies |
|---|---|---|---|
| Google Analytics | Analytics | Page views, sessions, demographics, device data, location, behavior flow | Yes (_ga, _gid, _gat) |
| Hotjar | Analytics | Heatmaps, session recordings, mouse movements, clicks, scroll depth, form interactions | Yes (_hjid, _hjSession) |
| Facebook Pixel | Advertising | Page views, conversions, button clicks, purchase events, user agent data | Yes (_fbp, _fbc) |
| Mailchimp | Email Marketing | Email address, name, signup source, subscription preferences | Possible (embedded forms) |
| Zapier | Automation | Form submission data, webhook payloads, whatever data your Zap processes | No |
| Stripe | Payments | Card details, billing address, email, transaction history, fraud detection data | Yes (__stripe_mid) |
| Memberstack | Memberships | Email, password, membership tier, payment data, access history | Yes (auth tokens) |
| Finsweet | Webflow Enhancement | Depends on attributes used: CMS filtering, form handling, cookie consent data | Possible (Cookie Consent) |
| Jetboost | Search / Filter | Search queries, filter selections, favorites data, user preferences | Possible (user prefs) |

Every tool in this list acts as a data processor under GDPR. Your privacy policy must identify each one, describe what data it receives, and explain why you use it. Simply stating "we use third-party services" is not specific enough to satisfy GDPR Article 13 requirements.

A common oversight is forgetting about tools added through Webflow custom code injection. Check your Project Settings under the Custom Code tab. Many Webflow users paste tracking scripts there and forget about them. Each one may be sending visitor data to an external service that your privacy policy does not mention.

Did you know?

Webflow Logic, the platform's native automation tool, can send form data to external services like Google Sheets, Airtable, Slack, and email platforms. Each destination in a Logic flow is a data processor. If you use Logic to route form submissions to three different services, that is three processors your privacy policy needs to disclose.

If you are unsure which integrations are active on your Webflow site, open your browser developer tools on your live site and check the Network tab as a page loads. You will see every external domain your site connects to. Each one that receives visitor data needs to be in your privacy policy.

Q: Do embedded YouTube videos count as a third-party integration?

Yes. Embedding a YouTube video loads Google scripts that set cookies and track viewer behavior. This applies to Vimeo embeds, Spotify embeds, Google Maps, and any other embedded third-party content. Each one sends visitor data to the embedded service and should be disclosed.

Q: What about Webflow Apps from the marketplace?

Webflow Apps installed from the Webflow marketplace may access your project data and visitor data depending on their permissions. Review each app's data access requirements and include relevant disclosures in your privacy policy.

Webflow Ecommerce Privacy Requirements

If you use Webflow Ecommerce, your privacy obligations are significantly more extensive than for a standard Webflow site. Ecommerce involves collecting sensitive personal data including payment information, physical addresses, and detailed purchase histories.

Webflow Ecommerce uses Stripe as its payment processor. This is not optional. All payment card data goes through Stripe. Your privacy policy must disclose Stripe as a data processor, explain that card details are processed by Stripe rather than stored on your servers, and link to Stripe's privacy policy.

Data Collected Through Webflow Ecommerce

  • Order data: Customer name, email address, billing address, shipping address, phone number, order items, quantities, and order totals
  • Payment data: Payment card details (processed by Stripe, not stored in Webflow), transaction IDs, payment status, and refund information
  • Customer account data: Email, password hash, order history, saved addresses, and wishlist items if customer accounts are enabled
  • Cart data: Items added to cart, cart abandonment data, session information for maintaining cart state across page loads
  • Tax data: Location information used for tax calculation, tax identification numbers in some jurisdictions
  • Shipping data: Shipping method selected, tracking numbers, delivery status, and carrier information

Your privacy policy for a Webflow Ecommerce site needs dedicated sections covering how you handle order data, how payments are processed, what data Stripe receives, how long you retain order records, and what rights customers have regarding their purchase data.

Under GDPR, you must also identify your legal basis for processing each category of Ecommerce data. Order fulfillment data is typically processed under "contract performance" (Article 6(1)(b)). Marketing emails to customers require either legitimate interest or consent. Financial record retention may fall under "legal obligation" (Article 6(1)(c)).

Did you know?

Even after a customer completes a purchase on your Webflow Ecommerce site, you may have legal obligations to retain their order data. Tax laws in many jurisdictions require you to keep transaction records for 5 to 7 years. Your privacy policy should disclose these retention periods and explain that some data is kept beyond account deletion to comply with financial regulations.

Standard Webflow Site vs Ecommerce: Privacy Comparison

| Requirement | Standard Webflow Site | Webflow Ecommerce Site |
|---|---|---|
| Privacy policy required | Yes | Yes |
| Payment processor disclosure | Only if accepting payments | Required (Stripe) |
| Financial data section | Usually not needed | Required |
| Data retention disclosures | Recommended | Required (tax law) |
| Order data handling | N/A | Full disclosure needed |
| Customer account section | Only if using Memberships | Required if accounts enabled |

Running a Webflow Ecommerce store without a comprehensive privacy policy is a significant compliance risk. Generate a policy that covers all your Ecommerce data flows with a privacy policy generator.

Where to Display Your Privacy Policy on Webflow

Creating a privacy policy is only half the requirement. You also need to make it accessible. Privacy laws require that your policy be easy to find, not buried in a page that visitors will never see. CalOPPA specifically requires a "conspicuous" link from your homepage.

Here is where your privacy policy link should appear on your Webflow site.

1. Site footer (every page)

Create a Webflow Symbol for your footer and include a "Privacy Policy" link. Symbols are reusable components that appear on every page, so updating the symbol updates the link site-wide. This is the most important placement and satisfies CalOPPA's conspicuous link requirement.

2. Dedicated /privacy-policy page

Create a static page in your Webflow project with the URL slug "privacy-policy". This is where your full policy text lives. Keep the page clean and readable. Avoid heavy animations or design elements that make the text hard to read.

3. Near form submission buttons

Add a small text link below or near every form submit button that says something like "By submitting, you agree to our Privacy Policy." This is especially important for GDPR consent. The link should go to your /privacy-policy page.

4. Cookie consent banner

If your site sets non-essential cookies (most Webflow sites with third-party integrations do), you need a cookie consent banner. This banner should link to your privacy policy or a dedicated cookie section within it. Tools like Finsweet Cookie Consent or CookieYes integrate well with Webflow.

5. Ecommerce checkout page

If you use Webflow Ecommerce, add a privacy policy link on the checkout page. Customers are providing sensitive personal and financial data during checkout, and they should be able to review your policy before completing their purchase.

A good test: can a first-time visitor find your privacy policy within one click from any page on your site? If the answer is no, your placement needs improvement. The footer link is the minimum. Adding links near forms and on checkout pages demonstrates stronger compliance practices.

Common Webflow Privacy Mistakes

These are the most frequent privacy policy mistakes made by Webflow site owners. Each one creates a real compliance gap that could result in fines, app store rejections, or loss of advertising accounts.

Mistake: "Webflow handles compliance for me"

Webflow is a data processor, not a data controller. Under GDPR, you are the data controller for your website. Webflow processes data on your behalf based on the instructions you give through your site design. The legal responsibility for having a privacy policy, for obtaining consent, and for responding to data subject requests falls entirely on you. Webflow's own privacy policy covers their platform, not your site.

Mistake: "My template came with a privacy policy"

Many Webflow templates include a placeholder privacy policy page with generic legal text. This text does not reflect your specific data practices, integrations, or business details. A compliant privacy policy must be customized to describe your actual data collection. A template policy that mentions tools you do not use and fails to mention ones you do is worse than having no policy at all because it actively misleads visitors.

Mistake: "I only use Webflow Analytics so I am fine"

Even if Webflow Analytics is your only analytics tool, you still need a privacy policy. Webflow Analytics processes visitor IP addresses for geographic data, which is personal data under GDPR. Additionally, Webflow hosting logs visitor data regardless of whether you use Analytics. And most sites have additional data flows through forms, embeds, or third-party scripts that site owners overlook.

Mistake: "I do not need consent for Webflow forms"

Webflow forms collect whatever personal data you include in the form fields. Under GDPR, you need a legal basis for processing this data. If you use form submissions for marketing purposes, you typically need explicit consent. Even for inquiry forms, you need to disclose how the data will be used, stored, and for how long. A link to your privacy policy near the form submit button is a minimum requirement.

Mistake: "My Webflow site is just a portfolio"

Portfolio sites still collect data. Webflow hosting logs visitor IP addresses and browser information on every page load. If you have a contact form, you are collecting names and emails. If you have embedded your Dribbble, Behance, or Instagram feed, those embeds load third-party scripts that track visitors. Portfolio sites are commercial websites and CalOPPA applies to any commercial site collecting data from California visitors.

How to Create a Privacy Policy for Webflow (6 Steps)

Follow this process to create a privacy policy that accurately covers your Webflow site and satisfies GDPR, CCPA, and CalOPPA requirements.

1. Audit all data collection on your Webflow site

Start by mapping every data collection point on your site. Check which Webflow native features you use: Analytics, Forms, Ecommerce, Memberships, Logic. Then review your Project Settings Custom Code section for any tracking scripts. Open your live site in a browser and check the Network tab in developer tools to see which external services your site contacts.

2. Identify all third-party services and processors

Create a list of every external service that receives visitor data from your Webflow site. Include analytics platforms (Google Analytics, Hotjar), email tools (Mailchimp, ConvertKit), payment processors (Stripe), automation tools (Zapier, Make), CRM systems (HubSpot), live chat (Intercom, Crisp), and any embedded content (YouTube, Vimeo, Google Maps).

3. Determine which privacy laws apply

Webflow sites are accessible globally, so consider where your visitors are located. EU visitors trigger GDPR. California visitors trigger CCPA and CalOPPA. Canadian visitors mean PIPEDA applies. Check your Webflow Analytics geographic data to understand your audience. Most Webflow sites need to comply with multiple frameworks.

4. Generate your privacy policy with accurate details

Use a privacy policy generator to create a policy based on your specific Webflow setup. Answer questions about your data practices, the integrations you identified in step 2, your business type, and your contact information. This produces a customized policy in minutes rather than a generic template.

5. Create a dedicated privacy policy page in Webflow

In the Webflow Designer, create a new static page with the URL slug "privacy-policy". Add your generated privacy policy content to the page. Use clean, readable typography. Ensure the page is responsive and accessible on all screen sizes. Add a "Last Updated" date at the top of the page.

6. Link to your policy from the footer and forms

Add a "Privacy Policy" link in your site footer Symbol so it appears on every page. Add a consent notice with a policy link near every form submit button. If you use Webflow Ecommerce, add the link to your checkout page. If you use a cookie consent banner, link to your policy from the banner. Publish your site and verify all links work correctly.
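The audit in step 1, and the Network-tab check described under third-party integrations, can be scripted from the browser console instead of read off by eye. The following is an added example, not part of the original guide or any Webflow tooling: the function names and sample data are constructed, the cookie-to-vendor map uses only the vendors and cookie names listed in the integrations table above, and first-party matching is a simple hostname suffix check.

```javascript
// In the console of the live site, call:
//   auditPage(location.hostname,
//             performance.getEntriesByType("resource").map(e => e.name),
//             document.cookie)

// Cookie name patterns per vendor, from the integrations table on this page.
const COOKIE_VENDORS = [
  [/^(_ga|_gid|_gat)(_|$)/, "Google Analytics"],
  [/^_hj/, "Hotjar"],
  [/^_fb[pc]$/, "Facebook Pixel"],
  [/^__stripe_mid$/, "Stripe"],
];

// Assumption: a host is first-party if it is the site host or a subdomain of it.
function isFirstParty(host, siteHost) {
  const site = siteHost.replace(/^www\./, "");
  return host === site || host.endsWith("." + site);
}

// Count requests per external host; each host is a candidate processor to disclose.
function thirdPartyHosts(siteHost, resourceUrls) {
  const counts = new Map();
  for (const raw of resourceUrls) {
    let url;
    try {
      url = new URL(raw, `https://${siteHost}/`); // resolves relative URLs too
    } catch {
      continue; // unparseable entry, nothing to attribute
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") continue; // data:, blob:
    if (isFirstParty(url.hostname, siteHost)) continue;
    counts.set(url.hostname, (counts.get(url.hostname) || 0) + 1);
  }
  return [...counts]
    .sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1))
    .map(([host, requests]) => ({ host, requests }));
}

// Group cookie names by vendor; anything unmatched is flagged for manual review.
// document.cookie does not expose HttpOnly cookies, so those need the Application tab.
function cookieVendors(cookieHeader) {
  const found = {};
  for (const pair of cookieHeader.split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const hit = COOKIE_VENDORS.find(([re]) => re.test(name));
    const vendor = hit ? hit[1] : "unidentified";
    (found[vendor] = found[vendor] || []).push(name);
  }
  return found;
}

function auditPage(siteHost, resourceUrls, cookieHeader) {
  return {
    hosts: thirdPartyHosts(siteHost, resourceUrls),
    cookies: cookieVendors(cookieHeader),
  };
}

// Constructed sample input (not captured from a real site).
const SAMPLE_URLS = [
  "https://www.example-studio.test/css/site.css",
  "/js/site.js",
  "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER",
  "https://www.google-analytics.com/g/collect?v=2",
  "https://static.hotjar.com/c/hotjar-0000000.js",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://js.stripe.com/v3/",
  "https://js.stripe.com/v3/?constructed=1",
  "data:image/png;base64,AAAA",
];
const SAMPLE_COOKIES =
  "_ga=GA1.1.1.1; _gid=GA1.1.2.2; _hjSessionUser_1=x; _fbp=fb.1.1.1; __stripe_mid=abc; wf_pref=dark";

console.log(JSON.stringify(auditPage("www.example-studio.test", SAMPLE_URLS, SAMPLE_COOKIES), null, 2));
```

Run it once before and once after accepting the cookie banner: any tracker host or cookie that already appears in the first run is loading without consent, and every host in either run belongs in the processor list from step 2.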


Frequently Asked Questions

Does my Webflow site need a privacy policy?

Yes. Every Webflow site needs a privacy policy because Webflow hosting automatically collects visitor data including IP addresses and browser information. If you use Webflow Analytics, forms, Ecommerce, or any third-party integrations, you are collecting even more data that must be disclosed under GDPR, CCPA, and CalOPPA.

What data does Webflow collect automatically?

Webflow hosting logs IP addresses, browser type and version, device information, operating system, referring URLs, and pages visited. If Webflow Analytics is enabled, it also tracks page views, unique visitors, session duration, referral sources, and geographic location. Webflow forms collect whatever fields you include in your form designs.

Does Webflow Analytics require cookie consent?

Webflow Analytics itself does not use cookies. However, if you have added any third-party scripts like Google Analytics, Facebook Pixel, or Hotjar, those tools set cookies and require consent under GDPR. Your privacy policy must still disclose Webflow Analytics even though it is cookie-free, because it processes visitor IP addresses.

Do I need a separate cookie policy for Webflow?

If your Webflow site sets non-essential cookies through third-party integrations, you need to disclose them. This can be a separate cookie policy or a dedicated section within your privacy policy. Since most Webflow sites include at least one third-party integration that sets cookies, a cookie disclosure is almost always necessary.

How do I add a privacy policy page to Webflow?

In the Webflow Designer, create a new static page with the slug "privacy-policy." Add your policy content to the page. Then add a link to this page in your site footer using a Webflow Symbol so it appears globally. Also add links near form submit buttons and on your checkout page if using Ecommerce.

Does Webflow Ecommerce need special privacy disclosures?

Yes. Webflow Ecommerce collects order data, customer account information, shipping addresses, and processes payments through Stripe. Your privacy policy must disclose all of this, identify Stripe as a payment processor, and explain data retention for financial records. You also need sections on customer rights regarding their purchase data.

Is the privacy policy from my Webflow template enough?

No. Template privacy policies contain generic placeholder text that does not describe your actual data practices. A compliant policy must reflect your specific integrations, business details, and data flows. Using a template policy without customization is a compliance risk because it misrepresents your actual data handling to visitors.
