With this guide, we want to give you the necessary technical information to make it easier for you to comply with privacy regulations in your country (like the GDPR in the EU).
Kirby sites usually do not store or process any personal data of your site visitors. However, here is a list of Kirby features that process data if you use them and some general information about where personal data might get stored.
User data gets stored in account files within the site/accounts directory. Kirby will create a session cookie to keep track of the currently logged in user if you use a login form in your site’s frontend or if you use the Panel.
The user credentials are transmitted via HTTP. Therefore, we strongly recommend using TLS encryption for your sites to protect the passwords and other personal data of your visitors and users.
The Panel also stores unsaved changes in localStorage in the user’s browser.
To protect the Panel login against brute-force attacks, Kirby temporarily stores a shortened SHA256 hash of the IP address on login failures. This hash cannot be converted back to the raw IP address. In your config settings, you can control the number of possible trials before the brute-force protection kicks in and the time span for which this data is stored.
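How a limiter of this kind can work, as an added example that is not Kirby's own code: failed logins are counted under a shortened SHA-256 hash of the IP address and expire after a timeout. The class name, the 50-character truncation, the limits and the in-memory storage are assumptions made for the illustration.

```php
<?php
// Added illustration, not Kirby's own code. Limits, hash length and storage
// layout are assumptions for the demo.
final class LoginLimiter
{
    private array $log = []; // truncated hash => ['time' => int, 'trials' => int]

    public function __construct(
        private int $maxTrials = 10,  // assumed limit
        private int $timeout = 3600,  // assumed retention window, seconds
        private int $hashLength = 50  // assumed hex characters kept
    ) {}

    // Only this shortened digest is stored, never the raw address.
    public function key(string $ip): string
    {
        return substr(hash('sha256', $ip), 0, $this->hashLength);
    }

    // Drop entries older than the timeout so failure data expires.
    private function purge(int $now): void
    {
        $this->log = array_filter(
            $this->log,
            fn (array $e): bool => $e['time'] > $now - $this->timeout
        );
    }

    public function recordFailure(string $ip, int $now): void
    {
        $this->purge($now);
        $key = $this->key($ip);
        $trials = ($this->log[$key]['trials'] ?? 0) + 1;
        $this->log[$key] = ['time' => $now, 'trials' => $trials];
    }

    public function isBlocked(string $ip, int $now): bool
    {
        $this->purge($now);
        return ($this->log[$this->key($ip)]['trials'] ?? 0) >= $this->maxTrials;
    }
}
// Constructed sample using documentation-range addresses (RFC 5737).
$limiter = new LoginLimiter(maxTrials: 3, timeout: 600);
$t = 1_700_000_000;
foreach ([0, 5, 10] as $s) { $limiter->recordFailure('203.0.113.7', $t + $s); }
echo $limiter->key('203.0.113.7'), PHP_EOL;             // the only value kept
var_dump($limiter->isBlocked('203.0.113.7', $t + 11));  // inside the window
var_dump($limiter->isBlocked('198.51.100.2', $t + 11)); // different address
var_dump($limiter->isBlocked('203.0.113.7', $t + 700)); // window has passed
```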
If you use the languages.detect option on a multilang site, Kirby also creates a session cookie to keep track of the visitor’s language. This option is disabled by default.
If you use the csrf helper, Kirby will create a session cookie so that the helper can validate the CSRF token in a later request.
To register your license, the Panel connects to our licensing server once to verify your license. When you register your license, the following information is transmitted to the server:
- the entered license key
- the email address connected to the license key
- the domain of the Kirby installation
No other personal or site data is transmitted to our server.
Your sites may store or process additional personal data depending on the Kirby plugins and custom code you are using. For example, some plugins like contact form plugins also use sessions for technical reasons. Themes may include web fonts, external scripts or tracking code.
Your sites also process personal data once a contact form is submitted, a blog comment gets stored or files get uploaded by visitors. The same also applies to similar custom site features. The data you store in your content files or databases may also contain personal data.
Data might also get stored and processed by your hosting provider. What sort of data they store and process depends on your contract with the hosting provider.
If you have any further technical questions about Kirby and privacy, do not hesitate to contact us via the Kirby forum.