🚀 Kirby 3.6 is here! See what’s new →
Skip to content

Kirby & Privacy

With this guide, we want to give you the necessary technical information to make it easier for you to comply with privacy regulations in your country (e.g. the GDPR in the European Union).

The following information might be incomplete. Your site may collect or process personal data in other ways.

We are not responsible how you handle data privacy on your own Kirby-powered website(s). You are your own data controller and if you are located in the EU or if you have customers in the EU, you must make sure that your site complies with GDPR. The same applies to any other national privacy laws in your country or the countries of your customers.

We cannot give any legal advice in regard to the implications the following information has for you and your sites. If you are unsure what you need to do to comply with GDPR in particular or any other national privacy laws in your country, please consult a lawyer.

Privacy by design

Kirby and the Panel are designed with privacy in mind, which is why the Kirby core and the Panel do not communicate with third-party services or our own servers in any form (only exception: licensing, see below). There are no trackers, no analytics and no cookies except those related to sessions and user management. We have no access to your Panel, to your data, to your server or to your users. We also do not use external services to provide web fonts, JavaScript libraries or any other assets for the Panel. Everything runs on your server and stays under your control.

Features with privacy implications

Kirby sites usually do not store or process any personal data of your site visitors. However, here is a list of Kirby features that process data if you use them and some general information about where personal data might get stored.

User handling and the Panel

User data gets stored in account files within the site/accounts directory. Kirby will create a session cookie to keep track of the currently logged in user if you use a login form in your site’s frontend or if you use the Panel.

The user credentials are transmitted via HTTP. Therefore, we strongly recommend to use TLS encryption for your sites to protect the passwords and other personal data of your visitors and users.

The Panel also stores unsaved changes in localStorage in the user’s browser. localStorage only gets cleared when a user saves the changes or deliberately signs out of the Panel.

Brute-force protection

To protect the Panel login against brute-force attacks, Kirby temporarily stores a shortened SHA256 hash of the IP address on login failures. This hash cannot be converted back to the raw IP address. You can control the number of possible trials before brute-force protections kicks in and the time span for which this data is stored in your config settings.

csrf() helper

If you use the csrf helper, Kirby will create a session cookie so that the helper can validate the CSRF token in a later request.


To register your license, the Panel connects to our licensing server once to verify your license. When you register your license, the following information is transmitted to the server:

  • the entered license key
  • the email address connected to the license key
  • the index URL (domain and path) of the Kirby installation

No other personal or site data is transmitted to our server.

If you don't want the Panel to connect to our server, you can register your site manually and download license files directly from licenses.getkirby.com.

Other data handlers

Plugins, themes and custom code

Your sites may store or process additional personal data depending on the Kirby plugins and custom code you are using. For example, some plugins like contact form plugins also use sessions for technical reasons. Themes may include web fonts, external scripts or tracking code.

Usage of external images, embeds or other remote data

When integrating resources from other servers into your site, there is always the risk of revealing information about your visitors to third parties – starting with their IP address. Embeds might even allow third parties to load their own cookies or other scripts into your site, e.g. to track visitors across the web. Reflect on this risk when using external resources such as images, the video KirbyTag or other embeds and act accordingly.

Data submitted by visitors

Your sites also process personal data once a contact form is submitted, a blog comment gets stored or files get uploaded by visitors. The same also applies to similar custom site features. The data you store in your content files or databases may also contain personal data.

Hosting providers

Data might also get stored and processed by your hosting provider. What sort of data they store and process depends on your contract with the hosting provider.

If you have any further technical questions about Kirby and privacy, do not hesitate to contact us via the Kirby forum.