Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
jsDelivr is a free open source public CDN operated by Prospect One (Poland). Serves npm packages, GitHub releases and WordPress plugins from a global network. No cookies, no tracking, no identifier; the publisher loads only public scripts.
jsDelivr is a free open source content delivery network operated by Prospect One Sp. z o.o., a Polish company based in Krakow. It mirrors npm packages, GitHub releases, WordPress plugins, esm modules and a wide range of public assets, served from a multi provider edge network (Cloudflare, Fastly, Bunny.net and an internal load balancer) with more than 750 points of presence. Developers reference scripts with URLs like https://cdn.jsdelivr.net/npm/<package>@<version> instead of installing and bundling them locally.
jsDelivr sets no cookies and does not embed any tracking pixel. The CDN only logs aggregate file request counts per country and per package for the public statistics dashboard; the visitor IP is processed by the underlying CDN providers solely for routing and is not retained as a tracking identifier. There is no visitor profile, no audience matching, no analytics SDK, no marketing tag.
Loading a public open source script from jsDelivr is comparable to loading a static file from a CDN: it requires a network connection but no cookie or storage is written by jsDelivr itself. Under ePrivacy art. 5(3), no consent is required because nothing is stored on the visitor device. Under GDPR art. 6(1)(f), the processing of the IP for routing is grounded in the legitimate interest of the publisher in delivering the page. The Munich Google Fonts ruling does not apply because jsDelivr is hosted in the EU by Prospect One.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
jsDelivr load balances traffic across Cloudflare, Fastly and Bunny.net. All three honour HTTP signals and do not introduce additional tracking when serving a static file. Cloudflare and Fastly are US headquartered but offer EU regional services; Bunny.net is Slovenian and EU only by default. For maximum predictability the publisher can pin loading to the Bunny.net Subresource Integrity hash through the jsDelivr URL parameters or self host the file.
Add the integrity attribute to your script tags (SRI) to prevent supply chain attacks, pin the exact version of the package instead of a moving major tag, list jsDelivr in the privacy notice as a sub processor with the EU only Bunny.net edge if you can confirm it, and self host critical assets if the project has a strict CSP that forbids third party CDN domains.
Websites using jsDelivr must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for jsDelivr because the CDN sets no cookies, retains no personal data and is operated from the European Union by a Polish company. Document jsDelivr as a sub processor in your record of processing only if the assets loaded contain personal data (for example a JSON file embedding visitor profiles). The DPIA exemption applies as long as the underlying CDN providers (Cloudflare, Fastly, Bunny.net) handle only IP for routing without further processing.
Sample consent text
Our website loads open source JavaScript and CSS files from jsDelivr, a free public CDN operated by Prospect One (Poland). jsDelivr does not set cookies and does not track visitors. Your IP address is processed by the underlying CDN providers (Cloudflare, Fastly, Bunny.net) only for routing and is not retained for tracking purposes. No consent is required.
Third-party domains contacted
cdn.jsdelivr.netjsdelivr.comfastly.jsdelivr.netgcore.jsdelivr.netdata.jsdelivr.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none | N/A | N/A | jsDelivr is a static asset CDN and does not set any cookies. No tracking, no identifier, no behavioural profile. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
None. jsDelivr is a public open source CDN that serves static files without setting any cookie. The underlying CDN providers (Cloudflare, Fastly, Bunny.net) do not introduce tracking cookies for the static file fetch.
No. Loading a public script from jsDelivr requires only a network connection without any storage on the visitor device. Under ePrivacy art. 5(3), no consent is required because nothing is written to the device.
Legitimate interest of the publisher (GDPR art. 6(1)(f)) in delivering the page through a public CDN. Article 28 GDPR does not strictly apply because jsDelivr does not process visitor personal data beyond the routing IP, but a sub processor mention is good practice.
jsDelivr itself is operated from Poland. The underlying CDN edges (Cloudflare, Fastly, Bunny.net) are global. EU visitors are normally routed to European edge nodes; no personal data is retained for tracking purposes. The Munich Google Fonts ruling does not apply.
No. jsDelivr does not process visitor personal data beyond routing. A DPIA is required only if the assets you load through jsDelivr contain personal data, in which case the DPIA covers your own content, not jsDelivr.
Add the integrity attribute (SRI) to your script tags, pin the exact version of the package, list jsDelivr in your privacy notice as a sub processor with the EU first edge configuration, and self host critical assets if your CSP forbids third party CDN domains.
unpkg (US), CDNJS by Cloudflare (US), Skypack (US, esm), esm.sh (US, esm), Bunny CDN (Slovenia, EU first paid CDN). For full control: self host the assets on your own CDN. jsDelivr is the EU first public CDN with the strongest privacy posture.
Add jsDelivr to the sub processor list with Prospect One (Poland) as the operator, state that no cookies are set, mention the underlying CDN providers (Cloudflare, Fastly, Bunny.net) for transparency and note that no consent is required because no storage occurs on the visitor device.