Open source TypeScript headless CMS that runs in the operator's own infrastructure with only essential session and authentication cookies.
Alinea is an open source, TypeScript first headless CMS. The content is edited through an admin panel and stored in the operator's own repository or database, making the project a community driven, self hosted solution rather than a SaaS tracking tool.
The CMS itself does not run any analytics or marketing tracking. The admin panel sets only essential cookies, typically a session cookie and a CSRF token, to authenticate editors. These cookies are limited to admin paths and are not exposed to public website visitors.
The cookies set by Alinea are strictly necessary to operate the admin interface and therefore fall under the exemption of Article 5(3) of the ePrivacy Directive. Personal data processed (editor account, login timestamps, IP address in server logs) is justified by the legitimate interest of operating the editorial workflow.
Risks are low because there is no public tracking and the operator controls the hosting. Mitigations include limiting admin access to a defined IP range, applying strong authentication, choosing an EU hosting provider when EU personal data is processed, and keeping the editorial database backups secure.
Because the cookies are essential and only set on the admin panel, no consent banner is required for the public site as long as no third party scripts are added. Document the admin session cookies in your privacy notice for editors, configure secure cookie attributes (HttpOnly, Secure, SameSite) and apply standard hardening of the hosting environment.
Websites using Alinea must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the CMS itself, as it only processes editor authentication data with no large scale or systematic monitoring. A DPIA may still be useful for the overall website if combined with other tools or sensitive content.
Sample consent text
No consent is required for the admin panel of Alinea since only strictly necessary session cookies are set. If you embed third party tools on the public site, configure consent for those tools separately.
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| alinea.session | necessary | Session | Authenticates an editor logged into the Alinea admin panel and maintains the active session. |
| alinea.csrf | necessary | Session | CSRF token used to protect form submissions inside the Alinea admin panel. |
| alinea.preview | necessary | 1 hour | Short lived token enabling content preview for authenticated editors of the Alinea CMS. |
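
To check the cookie attributes recommended above (HttpOnly, Secure, SameSite, admin-only scope) against the cookies in this table, the following added example audits `Set-Cookie` header values. It is not code from Alinea or from this page; the `/admin` mount path, the policy choices and the sample headers are assumptions constructed for illustration.

```typescript
// Added example, not Alinea's code. ADMIN_PATH and SAMPLE_HEADERS are constructed.
interface Rule { httpOnly: boolean; maxAge: number | null } // null = session cookie
const ADMIN_PATH = "/admin"; // assumption: where the admin panel is mounted
// Names and durations are taken from the cookie table above.
const RULES: Record<string, Rule> = {
  "alinea.session": { httpOnly: true, maxAge: null },
  // HttpOnly not enforced here: assumes client script may need to read the token.
  "alinea.csrf": { httpOnly: false, maxAge: null },
  "alinea.preview": { httpOnly: true, maxAge: 3600 },
};

function auditSetCookie(header: string): string[] {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const rule = RULES[name];
  if (!rule) return [`${name}: not in the documented cookie list`];

  // Attribute names are case-insensitive; flags such as Secure carry no value.
  const attrs = new Map<string, string>();
  for (const part of rest) {
    const eq = part.indexOf("=");
    const key = eq === -1 ? part : part.slice(0, eq);
    attrs.set(key.toLowerCase(), eq === -1 ? "" : part.slice(eq + 1));
  }

  const out: string[] = [];
  if (!attrs.has("secure")) out.push(`${name}: missing Secure`);
  if (rule.httpOnly && !attrs.has("httponly")) out.push(`${name}: missing HttpOnly`);
  const sameSite = (attrs.get("samesite") ?? "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") out.push(`${name}: SameSite should be Strict or Lax`);
  const path = attrs.get("path");
  if (path !== ADMIN_PATH && !(path ?? "").startsWith(ADMIN_PATH + "/")) {
    out.push(`${name}: Path is not limited to ${ADMIN_PATH}`);
  }
  // Lifetime: session cookies carry no Max-Age/Expires; preview is capped at 1 hour.
  if (rule.maxAge === null) {
    if (attrs.has("max-age") || attrs.has("expires")) out.push(`${name}: not a session cookie`);
  } else {
    const maxAge = Number(attrs.get("max-age"));
    if (!(maxAge > 0 && maxAge <= rule.maxAge)) out.push(`${name}: Max-Age exceeds ${rule.maxAge}s or is unset`);
  }
  return out;
}

const SAMPLE_HEADERS = [ // constructed sample values
  "alinea.session=abc123; Path=/admin; HttpOnly; Secure; SameSite=Strict",
  "alinea.csrf=tok456; Path=/; Secure; SameSite=Lax",
  "alinea.preview=pv789; Path=/admin; HttpOnly; Max-Age=86400; SameSite=None",
];
```

Feed it the `Set-Cookie` values captured from a login against your own deployment; an empty result means the cookie matches the table and the attribute policy assumed here.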
Alinea only sets essential cookies on the admin panel, typically a session identifier and a CSRF token. These cookies authenticate editors and protect form submissions. They are not deployed on the public website and are not used for tracking.
No consent banner is required for the admin panel because the cookies set are strictly necessary for the requested service (the CMS itself), which falls under the exemption in Article 5(3) of the ePrivacy Directive. Consent may still be needed for unrelated tools embedded on the public website.
Processing editor accounts, login data and server logs typically relies on legitimate interests under Article 6(1)(f) of the GDPR, or on the performance of a contract for employees. The essential session cookies do not require Article 5(3) consent.
Because Alinea is self hosted, the location of data depends entirely on the operator. If you choose an EU based hosting provider, no transfer occurs. Transfers to third countries should only happen if you select a non EU host, in which case standard safeguards apply.
A DPIA is generally not required for the CMS alone since processing is limited to authenticating editors. A DPIA may still be valuable for the overall website if it processes sensitive content or large volumes of user data, in which case the CMS is one of many components to document.
Self host Alinea on an EU server when handling EU personal data, restrict admin access, configure secure cookie attributes, enable strong authentication for editors and document the editorial workflow in your records of processing. Keep the CMS up to date and review hosting provider commitments.
Alinea is already a privacy friendly option due to its self hosted, open source nature. Comparable alternatives include Payload CMS, Sanity (self hosted via DAM), Strapi, KeystoneJS and TinaCMS, all of which can be deployed in an EU environment without external tracking.
If the admin panel is exposed to data subjects who are not employees, list the strictly necessary session and CSRF cookies in your cookie policy as essential cookies with their durations and purposes. Otherwise, document them only in your internal records and the editor privacy notice.