Webflow is committed to providing you with the information you need to meet your data privacy obligations. Below you'll find resources related to our privacy practices and answers to frequently asked questions.
Disclaimer
These Privacy FAQs and resources are provided for informational purposes only. Their contents may be subject to change over time. The information contained herein does not modify existing contractual arrangements and should not be construed as legal advice.
Some background before we dive in
GDPR
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. The GDPR is a law designed to protect the privacy and security of personal data for individuals located in Europe.
The GDPR places certain obligations on companies (as well as other types of organizations) to protect the personal data of individuals located in Europe. These obligations notably include: security requirements, record keeping, and ensuring the protection of personal data that is transferred out of Europe. The GDPR also grants individuals in Europe certain rights concerning their personal data. Please see the “GDPR Rights” section below for more information on these rights.
Definitions
GDPR
Part of what makes the GDPR complicated is its use of legalese. To that end, we wanted to provide you with a list of the definitions and what they mean so you can better understand the GDPR as it relates to your use of Webflow’s services.
Controller means the entity that determines how and for what purposes personal data is processed.
- Basically... A controller is the company (or organization) that gets to determine how and why your personal data is processed. Usually, but not always, a controller is the company or organization that you directly interact with and submit your data to.
- Example: You log in to Facebook and post a status. Facebook is your controller and can choose what they do with your personal data. Facebook explains what they do with your personal data in their privacy policy and terms of service.
Europe, for the purposes of these FAQs, means countries where the GDPR is in effect. These countries include all countries that are part of the European Union (EU), Iceland, Liechtenstein, Norway, and the United Kingdom.
- Basically... The GDPR applies if personal data relates to an individual located in Europe. The GDPR applies based on where a person is located — not their nationality.
- Example: The GDPR applies to a Canadian citizen located in Germany. The GDPR does not apply to a German citizen located in Canada.
Personal data means any information relating to an identified or identifiable person.
- Basically... If the piece of data can be traced back to a person, it counts as personal data.
- Example: You submit your name along with your eye color to a website. Your name is personal data as well as your eye color when the two pieces are associated. If your name becomes permanently dissociated with your eye color, all a controller knows is that an anonymous user has, for instance, brown eyes. The eye color data is no longer personal data at that point.
Processor means the entity that processes personal data on behalf of the controller.
- Basically... Think of a processor as a company that the controller uses behind the scenes. A processor does not independently make decisions on how they use your personal data. A processor only follows the instructions of a controller.
- Example: You post a status on Facebook, and Facebook then uses Microsoft Excel to analyze the personal data contained in your status. Microsoft would be a processor here.
Webflow specific definitions
- “Customer” means an individual that uses Webflow for any reason including to build and post websites built using Webflow.
- “Customer End User” means an individual that provides their personal data to a Webflow Customer through a website built using Webflow.
Webflow’s relationship to you
Relationships can be confusing. To clarify things, we wanted to offer a few examples of the types of relationships that our services enable. These examples are not exhaustive and are only intended to help you understand how we interact with each other.
- I have submitted my email to join Webflow’s mailing list. Is Webflow a controller or processor of my personal data?
If you provide your personal data to Webflow to sign up for our newsletter, Webflow is the controller of this personal data. In this situation, the personal data you submitted is governed by our privacy policy.
- I have built and posted a website using Webflow. Is Webflow a controller or processor of the personal data I collect through my site?
If you have published a site using our services, Webflow is your processor when it comes to the personal data you collect on your users through your site. You, as the Customer, are the controller and direct Webflow, as the processor, on how to handle the personal data you collect through the website you built.
- I use a website built using Webflow, what are we?
We are sorry for leading you on, but we are not in a direct relationship with each other. Webflow does not have a direct relationship with our Customers’ End Users. You, as a Customer End User, are an individual that provides your personal data to our Customers. Webflow does not control how your personal data is collected in this scenario; we only process your personal data according to the instructions of our Customers.
Your obligations as a Customer
- Does Webflow take care of my GDPR compliance as a Customer?
No. The GDPR imposes different obligations on controllers and processors. As a processor for you, Webflow fulfills its legal obligations under the GDPR and is GDPR compliant. However, you, as a controller, have your own separate obligations under the GDPR.
- Do I have to make my website GDPR compliant?
Maybe. The GDPR may apply to you as a Customer if you collect the personal data of individuals located in Europe. The GDPR applies to controllers and processors regardless of where they are located if they process personal data of individuals located in Europe.
- What do I have to do to be GDPR compliant?
There are several components to GDPR compliance. You should consult with a local lawyer familiar with privacy laws to help you answer this question.
Data storage and international transfers
The GDPR requires controllers and processors to ensure certain safeguards are present whenever personal data is exported from Europe.
- Where does Webflow store personal data?
Webflow stores its Customers’ and Customers’ End Users’ data in the United States, where Webflow is based. Webflow also utilizes a number of processors based in the United States to provide our services (“Subprocessors”). To find a full list of Subprocessors and the countries in which they are located, please visit Webflow’s Subprocessors page.
- How does Webflow legally process and transfer data out of Europe for its European Customers?
Webflow uses the European Union’s standard contractual clauses as its transfer mechanism to export data from Europe. Webflow’s Data Processing Agreement (DPA) includes the standard contractual clauses and all other contractual requirements placed on processors under the GDPR. Our Data Processing Agreement is available to all customers regardless of their plan selection.
Additionally, Webflow remains self-certified under the E.U. – U.S. Privacy Shield and the Swiss – U.S. Privacy Shield. Webflow continues to honor our obligation to comply with the Privacy Shield Principles despite Privacy Shield’s invalidation in July 2020 by the Court of Justice of the European Union. Webflow continues to monitor all developments regarding international data transfers and is committed to privacy by design for its Customers and their End Users.
- When will Webflow offer the new standard contractual clauses to its customers?
Webflow now offers an updated DPA that incorporates the new standard contractual clauses approved by the European Commission in June 2021.
- How does Webflow protect the personal data it sends to subprocessors?
Webflow vets our new Subprocessors that access personal data before engagement to check that the necessary security and privacy controls are in place. Webflow also monitors our existing Subprocessors on an ongoing basis.
Security
- How does Webflow secure the data it stores?
Webflow is committed to ensuring our infrastructure is secure, redundant, and reliable. We encrypt data in transit and at rest. Webflow has a SOC 2 certification and is dedicated to the continued validation of its security program. To learn more about our security program, please check out our security center.
GDPR Rights
What GDPR rights do Users and Customers have?
If you are a User or Customer located in Europe, you may have certain rights regarding your personal data, including the:
- right to withdraw consent;
- right of access to and rectification of your personal data;
- right to erasure of your personal data (“the right to be forgotten”);
- right to data portability;
- right to restriction of processing;
- right to object to processing; and
- right to object to automated individual decision-making, including profiling.
To learn more about these rights, please review section 12 of our EU & Swiss Privacy Policy.
Can an End User exercise their GDPR rights directly with Webflow?
No. If Webflow receives a GDPR request from a Customer End User, Webflow will be unable to honor that request. When this happens, Webflow informs both the Customer and the End User.
A quick word on the CCPA
On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect in California in the United States. The CCPA will be replaced by the California Privacy Rights Act (CPRA) on January 1, 2023.
At a high level, the CCPA currently provides California residents with certain rights concerning their personal data. These rights are similar to those provided for under the GDPR.
What CCPA rights do Users and Customers have?
If you are a User or Customer who is a resident of the US state of California, you may have certain rights regarding your personal data, including the:
- right not to be discriminated against for exercising any of your CCPA rights;
- right to request additional information about your personal data that Webflow collected;
- right to opt out of sharing of your personal data; and
- right to delete any personal data Webflow has collected from you or maintains about you, subject to certain exceptions.
To learn more about these rights, please review section 12 of our Global Privacy Policy.
Can an End User exercise their CCPA rights directly with Webflow?
No. If Webflow receives a CCPA request from a Customer End User, Webflow will be unable to honor that request. When this happens, Webflow informs both the Customer and the End User.
Additional Questions
Who can I contact for more information on Webflow’s practices?
Please contact privacy@webflow.com for more information regarding Webflow's privacy practices.