🚀 A new era: Kirby 4 Get to know
Skip to content

Kirby & Privacy

With this guide, we want to give you the necessary technical information to make it easier for you to comply with privacy regulations in your country (e.g. the GDPR in the European Union).

The following information might be incomplete. Your site may collect or process personal data in other ways.

We are not responsible how you handle data privacy on your own Kirby-powered website(s). You are your own data controller and if you are located in the EU or if you have customers in the EU, you must make sure that your site complies with GDPR. The same applies to any other national privacy laws in your country or the countries of your customers.

We cannot give any legal advice in regard to the implications the following information has for you and your sites. If you are unsure what you need to do to comply with GDPR in particular or any other national privacy laws in your country, please consult a lawyer.

Privacy by design

Kirby and the Panel are designed with privacy in mind, which is why the Kirby core and the Panel do not communicate with third-party services or our own servers in any form (only exceptions: licensing and update checks, see below). There are no trackers, no analytics and no cookies except those related to sessions and user management. We have no access to your Panel, to your data, to your server or to your users. We also do not use external services to provide web fonts, JavaScript libraries or any other assets for the Panel. Everything runs on your server and stays under your control.

Features with privacy implications

Kirby sites usually do not store or process any personal data of your site visitors. However, here is a list of Kirby features that process data if you use them and some general information about where personal data might get stored.

User handling and the Panel

User data gets stored in account files within the site/accounts directory. Kirby will create a session cookie to keep track of the currently logged in user if you use a login form in your site’s frontend or if you use the Panel.

The user credentials are transmitted via HTTP. Therefore, we strongly recommend to use TLS encryption for your sites to protect the passwords and other personal data of your visitors and users.

The Panel also stores unsaved changes in localStorage in the user’s browser. localStorage only gets cleared when a user saves the changes or deliberately signs out of the Panel.

Brute-force protection

To protect the Panel login against brute-force attacks, Kirby temporarily stores a shortened SHA256 hash of the IP address on login failures. This hash cannot be converted back to the raw IP address. You can control the number of possible trials before brute-force protections kicks in and the time span for which this data is stored in your config settings.

csrf() helper

If you use the csrf() helper, Kirby will create a session cookie so that the helper can validate the CSRF token in a later request. This session cookie is required to enable the protection against CSRF attacks.


To activate your license, the Kirby backend connects to our licensing server once to verify your license. When you activate your license or license upgrade, the following information is transmitted to the server:

  • the entered license code,
  • the email address connected to the license code and
  • the index URL (domain and path) of the Kirby installation.

No other personal or site data is transmitted to our server.

If you don't want Kirby to connect to our server, you can activate your license manually and download license files directly on hub.getkirby.com.

Update checks

The Kirby backend connects to our content delivery network (KeyCDN) every three days to check for updates and security warnings for Kirby and installed plugins. Our CDN only sees the following information:

  • the IP address of your server,
  • the date and time of the request and
  • the names of the installed Kirby plugins.

No personal information or other site data is transmitted to our CDN. Kirby explicitly does not transmit the currently installed version as all checks are performed directly on your server. We also do not store or analyze any of the data that does get transmitted. The data is only used to perform the update and security check.

If you don't want Kirby to connect to our CDN, you can disable the update check or set a custom checking endpoint.

Other data handlers

Plugins, themes and custom code

Your sites may store or process additional personal data depending on the Kirby plugins and custom code you are using. For example, some plugins like contact form plugins also use sessions for technical reasons. Themes may include web fonts, external scripts or tracking code.

Usage of external images, embeds or other remote data

When integrating resources from other servers into your site, there is always the risk of revealing information about your visitors to third parties – starting with their IP address. Embeds might even allow third parties to load their own cookies or other scripts into your site, e.g. to track visitors across the web. Reflect on this risk when using external resources such as images, the video KirbyTag or other embeds and act accordingly.

Data submitted by visitors

Your sites also process personal data once a contact form is submitted, a blog comment gets stored or files get uploaded by visitors. The same also applies to similar custom site features. The data you store in your content files or databases may also contain personal data.

Hosting providers

Data might also get stored and processed by your hosting provider. What sort of data they store and process depends on your contract with the hosting provider.


If you have any further technical questions about Kirby and privacy, do not hesitate to contact us via the Kirby forum.