Bubble GDPR Intro Guide - Bubble Blog

Hello @allenyang,

Is there any existing documentation where we could find a description of the cookies set and used by Bubble (by default) and the ones related to Bubble’s plug-ins (if Bubble plugins set any other cookies)?

That would really help for the legal docs 🙂

Thanks for the update @allenyang we will run some more legal checks before proceeding with this…

However, it’s a bit weird that the Bubble website, which “is made using the Bubble editor”, is using a different “cookie consent”, actually exactly as I explained in the different posts I did here, and the “one made” by Bubble for EU users to be compliant looks exactly as it shouldn’t (TBH very disappointed here, it’s like some kind of bad joke).

If the Bubble website is made with the Bubble editor, how does it actually have the feature to create categories of the cookies that the app is using? If all that you said about the actual Bubble plugin is actually true, why is Bubble using a different cookie consent?

We haven’t added it to our formal documentation yet, but I answer the question about Bubble’s default cookies here: California Consumer Privacy Act (CCPA)

We haven’t documented what cookies different plug-ins set yet. Generally it should be the cookie of the corresponding service if it’s needed for the plugin to run. Easiest way to tell without waiting for our documentation is to set up the plugin and see for yourself!

@yusaney1 I checked with our team on this one. Yes, we use this service for our main webpage: https://cookie-script.com/. It’s a paid service that allows for more customization. Please see my above responses for why you shouldn’t rely on the Bubble-made plugin (which came out a while ago) for current GDPR compliance, and for our other guidance here.


Cookie script sounds powerful!

Would it be possible to embed this cookie script thing into a Bubble site? I was thinking the integration would work if embedded into the script/meta tags in the header on the SEO/metatags page.

Like they do here for SquareSpace:

Does anyone know if this works?


Actually it does.


Hi, thanks for this - it was very helpful. @allenyang, is Bubble planning any further developments around this, such as more granular acceptance of individual cookies that @yusaney1 was suggesting?

No, not at this time. Bubble only sets a limited number of cookies on an end-user which are all important for core behavior of the app, namely staying logged in (see this post). You may also see a Cloudflare cookie from the Bubble platform but this is to make Cloudflare work technically, not to track end-user personal data.

Other cookies are likely due to certain plugins that the app creator chooses to use.


Thanks allen

Thanks Allen, and others for this valuable conversation. GDPR does create issues for me (and it’s not that I’m trying to track users secretly, I just am trying not to make a mistake that costs me a fine).

That cookie script system looks like a really decent solution, and the pricing isn’t ridiculous either so thanks for sharing that one.

I appreciate what is being attempted with GDPR implementation, but the reality is for me as a sole developer, fully understanding the requirements and keeping on top of it is just such a huge task when I’m trying to build something that users want to use.

Best wishes, Phil

Hello @philip.berryuk,

You can also have a look at iubenda, their GDPR solution is great and they also provide a cookies banner blocking non necessary cookies, according to users’ consent.

There was a lifetime deal on AppSumo, maybe still available.


@vivienne @allenyang
Quick question regarding the DPA on the Bubble website. I’m a little unclear as to how this is to be used. Am I right that this is an agreement between me as a Data Controller and Bubble as my Data Processor? So I’d put my details in as the Licensee, having copied the text, and keep it on file as my DPA with you? And then I can say I have a DPA with Bubble (as Bubble does with their data-processors)? Or would the DPA with my details included normally be available to my users on my site?

Hi Shane,

You are correct that the DPA is an agreement between you and Bubble when you are the Data Controller and Bubble is your Data Processor.

We’ve been informed by our legal counsel that since we have published our DPA publicly, it is in effect for all our customers. But, in the event that you really would like a dually signed copy, please send us an email at legal@bubble.io, and we can kick that off.

I believe the DPA between you and Bubble does not need to be available to your users, but for that question you should consult your legal counsel.



Thanks Allen, That clarifies it for me. I don’t need anything more.

Well that was a lot of reading.

If I understand correctly, the Bubble-built plugin is “good enough” for most use cases?

Hi @yusaney1,

Can I ask how you proceeded with this?

Hi Allen, All,
Can you please advise on this? It is clearly a GDPR-related behavior of Bubble that I need to fix:

Many thanks!

You can upload fonts to your directory and get them from there.

Bubble is not offering a Transfer Impact Assessment, which makes it not GDPR compliant.


Hi @Christophe_HK, I hope you are well. Have you found out how to set up Axeptio so that the Bubble opt-in function is updated when the user clicks Accept?