Overview
Flagsmith offers both cloud-hosted and self-hosted feature flag management, making it suitable for teams requiring data sovereignty. The platform supports user segmentation, multivariate flags, and remote configuration changes that take effect without application redeployments. Its open-source nature allows full inspection of client-side SDK behavior and data transmission patterns.
What This Script Does
Flagsmith's JavaScript SDK loads from cdn.flagsmith.com or a self-hosted endpoint. On initialization, the SDK makes an API request to the Flagsmith server with an environment key and optional user identity to retrieve feature flag states and remote configuration values applicable to the current session.
The SDK stores flag state in localStorage under keys prefixed with BULLET_TRAIN_DB or flagsmith_db for caching between page loads. This reduces API calls and provides fallback values when the network is unavailable. No persistent cookies are set by default.
When user identity is provided (typically a hashed user ID or anonymous identifier), the SDK transmits this to Flagsmith's API alongside flag evaluation requests. This enables percentage-based rollouts and user-segment targeting. Analytics events—such as flag evaluation counts—may be sent to Flagsmith's servers if the analytics feature is enabled.
Network requests go to api.flagsmith.com (cloud) or the configured self-hosted endpoint. Requests include the environment key, user identity (if set), and trait data used for segmentation rules.
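The caching and identity behaviour described above can be checked on a deployed site by inspecting what is actually sitting in localStorage. The following is an added example, not code from Flagsmith or from this page: the key prefixes come from the text above, while the payload field names (`identity`, `traits`), the helper names, and the sample data are assumptions constructed for illustration.

```javascript
// Added example. Key prefixes are from the text above; payload field names are assumed.
const FLAGSMITH_PREFIXES = ["BULLET_TRAIN_DB", "flagsmith_db"];
const IDENTITY_FIELDS = ["identity", "traits"]; // assumption, adjust to your SDK version

// True for null, "", [] and {} so empty placeholders are not reported as data.
function isEmpty(v) {
  if (v == null || v === "") return true;
  return typeof v === "object" && Object.keys(v).length === 0;
}

// Walk a Storage-like object and describe every Flagsmith cache entry.
function auditFlagsmithCache(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (!FLAGSMITH_PREFIXES.some((p) => key.startsWith(p))) continue;
    const raw = storage.getItem(key) || "";
    const finding = { key, chars: raw.length, parsed: false, fields: [], identityFields: [] };
    try {
      const value = JSON.parse(raw);
      if (value && typeof value === "object" && !Array.isArray(value)) {
        finding.parsed = true;
        finding.fields = Object.keys(value).sort();
        finding.identityFields = finding.fields.filter(
          (f) => IDENTITY_FIELDS.includes(f) && !isEmpty(value[f])
        );
      }
    } catch (_) {
      // Not JSON (corrupt or foreign entry): report key and size only.
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample standing in for window.localStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    length: keys.length,
    key: (i) => (i < keys.length ? keys[i] : null),
    getItem: (k) => (keys.includes(k) ? entries[k] : null),
  };
}
const sampleStorage = makeStorage({
  BULLET_TRAIN_DB: JSON.stringify({ flags: { new_checkout: { enabled: true } }, identity: "a1b2c3", traits: {} }),
  flagsmith_db_corrupt: "not-json",
  theme: "dark",
});
console.log(auditFlagsmithCache(sampleStorage));
```

In a browser console, call `auditFlagsmithCache(window.localStorage)`; a non-empty `identityFields` means user identity or trait data is being persisted client-side and belongs in the privacy assessment.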
Consent & Compliance
Flagsmith operates as a functional tool under GDPR and ePrivacy classifications. Feature flags control application behavior and are integral to the user experience being delivered. The localStorage caching serves a technical purpose (performance optimization) rather than tracking.
Under the ePrivacy Directive, storage used for delivering a service explicitly requested by the user is exempt from consent requirements. Feature flag state caching meets this exemption criterion. However, if Flagsmith's analytics feature is enabled to track flag evaluation metrics, this analytics layer introduces a secondary purpose that may require separate assessment.
GDPR considerations center on the user identity data transmitted to Flagsmith's servers. If pseudonymous identifiers are used, the processing falls under legitimate interest for service delivery. Self-hosted deployments eliminate third-party data transfer concerns entirely.
Should You Block This Without Consent?
No.
Flagsmith's core feature flag functionality is integral to delivering the intended user experience. Blocking it would break feature gating, A/B test assignments, and dynamic configuration. The SDK uses localStorage for caching rather than tracking cookies, and standard deployments qualify for the ePrivacy strictly-necessary exemption.
Tracked Domains (1)
flagsmith.com (Functional)
Frequently Asked Questions
Does Flagsmith require cookie consent?
Conditional. Flagsmith is classified as functional — it controls application behavior through feature flags rather than tracking users. The ePrivacy Directive exempts storage used to deliver a service explicitly requested by the user, so consent is generally not required for core feature flag delivery.
What does Flagsmith store in the browser?
Flagsmith caches feature flag states in localStorage to reduce latency on subsequent page loads. It may store a device or session identifier to ensure consistent flag assignment. No advertising or behavioral tracking cookies are set. Data stays within the application's own domain context.
How does ConsentStack categorize Flagsmith?
ConsentStack classifies Flagsmith as functional. Its scripts are not blocked by default since feature flag delivery is integral to application functionality. If the visitor denies functional consent, ConsentStack can block the Flagsmith script, which may degrade the application experience.