Botble CMS is an open source content management system built on the Laravel PHP framework. It is self hosted on the operator's own infrastructure and ships with a modular architecture, role based access control, multilingual content and a marketplace of plugins. The core CMS only sets first party technical cookies (session and CSRF token) and does not perform third party tracking, which makes it a low risk processing under the GDPR provided that no third party plugins are added.
Botble CMS is an open source content management system written in PHP on top of the Laravel framework. It is self-hosted by the website operator on their chosen infrastructure (on-premise, virtual private server or managed Laravel host) and ships with multilingual support, role-based access control, an admin dashboard, a media library and a plugin marketplace covering e-commerce, blog, real estate and other modules.
By default, Botble CMS sets a Laravel PHP session cookie and a CSRF protection cookie (XSRF-TOKEN). These are first-party cookies, scoped to the operator domain, used to maintain the user session and prevent cross-site request forgery. The CMS also stores authentication data and audit logs in the operator's database. No third-party tracking, advertising pixel or analytics tag is included in the core distribution.
The default cookies are strictly necessary for the operation of the site requested by the user, which exempts them from consent under Article 5(3) ePrivacy Directive. The legal basis for processing the related personal data is legitimate interest under Article 6(1)(f) GDPR. Operators must still publish a privacy notice and a cookie policy that lists the technical cookies, even if no consent banner is required.
There is no built in transfer to a third country by the CMS. Operators choose the hosting location and remain responsible for any onward transfer. Plugins that integrate with Google services, payment processors or content delivery networks may introduce transfers, which must be assessed independently and documented under Standard Contractual Clauses or other transfer mechanisms.
Document the technical cookies in the cookie policy, publish a clear privacy notice, harden the Laravel configuration to disable any non essential telemetry, and audit each installed plugin for tracking behaviour. If you add analytics, marketing or social plugins, integrate a Consent Management Platform that blocks them by default and only loads after explicit consent.
Other open source CMS options with strong privacy posture include Strapi, Directus, Statamic, October CMS and WordPress hardened with privacy oriented plugins. Each can be hosted within the European Economic Area to keep data subject to the GDPR exclusively.
Websites using Botble CMS must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA is generally not required for the core Botble CMS because it only sets strictly necessary cookies and processes minimal personal data on the operator's own infrastructure. A DPIA may become necessary if plugins introduce profiling, behavioural tracking, third country transfers or large scale processing of special category data. The operator must document the chosen plugins, the data flows and the legal basis for each.
Sample consent text
This site uses essential cookies provided by Botble CMS that are strictly necessary for navigation, login and security. These cookies do not require your consent. If we add analytics or marketing plugins, we will request your consent before any non essential cookie is set.
Third-party domains contacted
botble.com
docs.botble.com
github.com/botble/cms
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| laravel_session | first_party | Session | Encrypted Laravel PHP session cookie used to maintain the user session across requests. |
| XSRF-TOKEN | first_party | Session | Cross site request forgery protection token issued by Laravel for every form submission. |
| remember_web_* | first_party | 5 years | Optional remember me cookie set by Laravel authentication when the user opts to stay logged in on a trusted device. |
Botble CMS sets two first-party cookies by default: a Laravel PHP session cookie that maintains the user session and an XSRF-TOKEN cookie that protects against cross-site request forgery. Both are scoped to the operator domain and qualify as strictly necessary cookies.
No. Default Botble cookies are strictly necessary for the functioning of the site, which exempts them from consent under Article 5(3) of the ePrivacy Directive. Consent becomes necessary if you add analytics, marketing or social plugins that fall outside the strictly necessary exemption.
The legal basis for the strictly necessary cookies is legitimate interest under Article 6(1)(f) GDPR. For user accounts and back office processing, the legal basis is the contract with the user under Article 6(1)(b). Plugins introducing additional purposes require their own legal basis, typically consent.
By itself, no. Botble CMS runs on the operator's infrastructure. Transfers to the United States or other third countries can occur only through plugins or hosting choices, which must be assessed independently using SCCs or the EU-US Data Privacy Framework where applicable.
Generally not for the core CMS, because the processing is limited to strictly necessary cookies and minimal personal data on the operator's own infrastructure. A DPIA may become necessary if plugins introduce profiling, tracking, third country transfers or large scale processing of special categories of data.
Host the CMS in the EEA, harden the Laravel configuration, audit each plugin for tracking behaviour, document the processing in your record of processing activities, publish a privacy notice and a cookie policy, and use a Consent Management Platform if you add any non essential plugin.
Other open source CMS options with strong privacy posture include Strapi, Directus, Statamic, October CMS and a hardened WordPress with privacy oriented plugins. Each can be hosted within the EEA to keep data exclusively under the GDPR.
Audit the plugin for cookies and third party calls, list each new cookie with provider, purpose and retention in the cookie policy, document the legal basis and any third country transfer, increment the policy version and prompt for fresh consent for visitors so that previously stored consent is renewed.
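The plugin audit described above can be partly automated. The following is an added example, not code from Botble or from this page's publisher: it compares the `Set-Cookie` headers and embedded resource hosts of a captured response against the three cookies documented in the table. The host names, the `plugin_visitor_id` cookie and the sample response are constructed for illustration.

```python
import fnmatch
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookie names documented in the table on this page; the remember-me
# cookie carries a variable suffix, so it is matched as a glob pattern.
DOCUMENTED_COOKIES = ["laravel_session", "XSRF-TOKEN", "remember_web_*"]

class _ResourceHosts(HTMLParser):
    """Collects hosts of resources a browser fetches automatically."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe", "link"):
            return
        for key, value in attrs:
            if key in ("src", "href") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())

def audit_response(site_host, set_cookie_headers, html):
    """Return cookies missing from the policy and hosts outside site_host."""
    undocumented = []
    for header in set_cookie_headers:
        name = header.split(";", 1)[0].split("=", 1)[0].strip()
        if not any(fnmatch.fnmatchcase(name, p) for p in DOCUMENTED_COOKIES):
            undocumented.append(name)
    collector = _ResourceHosts()
    collector.feed(html)
    third_party = sorted(
        h for h in collector.hosts
        if h != site_host and not h.endswith("." + site_host))
    return {"undocumented_cookies": undocumented,
            "third_party_hosts": third_party}

# Constructed sample: a response captured after enabling a hypothetical plugin.
SAMPLE_COOKIES = [
    "laravel_session=eyJpdiI6; path=/; httponly; samesite=lax",
    "XSRF-TOKEN=eyJpdiI6; path=/; samesite=lax",
    "remember_web_0123abcd=1%7Cabc; path=/; httponly",
    "plugin_visitor_id=42; path=/; max-age=31536000",
]
SAMPLE_HTML = """<script src="/js/app.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<img src="//cdn.shop.example/logo.png">"""

if __name__ == "__main__":
    print(audit_response("shop.example", SAMPLE_COOKIES, SAMPLE_HTML))
```

Any name or host the function reports is an entry that still needs a provider, purpose, retention and legal basis in the cookie policy before the plugin goes live.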