Q: EU client site: is data EU-hosted? Do you offer a GDPR DPA? Does the embed load Google Fonts/Stripe before consent?
Orkun_kiwilaunch
Jul 4, 2026A: Hello!
- Hosting: Your data is hosted on AWS eu-west-2 (London). Despite Brexit, the UK still holds an EU adequacy decision, so this doesn't conflict with EU GDPR — that's the latest guidance from our consultant.
- Stripe: Stripe only loads at the payment step, after the user has shown clear intent to purchase, so it's strictly necessary at that point. We use Stripe Connect (Standard), and card data flows directly from the browser to Stripe — it never touches our servers. Stripe is the payment data processor and is GDPR-compliant (SCCs / EU-US Data Privacy Framework) (considering your STripe account is EU merchant, not non-EU)
- DPA: We provide a DPA covering our role as your data processor, so we're covered on our side for how we handle your and your clients' data. Note that for your clients you are the data controller — so you still need your own privacy policy, which you can set in the Kiwi admin panel. Our providing a DPA doesn't remove your own obligations toward your clients.
- Google Fonts: This is the one open item. For widgets we previously used "inherit from CSS" (which loaded no external fonts), but it was glitching so we reverted to loading fonts. Thanks to your message I've added "Self-host Google Fonts" to our roadmap — I appreciate you flagging it.