Contentful is a headless content management system founded in Berlin and used by enterprises around the world to deliver structured content to websites, mobile apps and connected devices. Editors author content in the Contentful web app while developers consume it through GraphQL or REST APIs. Contentful itself acts mostly as a backend service, so the consent footprint on the visitor browser is minimal, but the platform still processes editor data and content metadata on its EU or US infrastructure.
Contentful is a Berlin-headquartered headless content management system that has become a reference in the API-first CMS category. Editors define content models, write entries and reference rich assets in the Contentful web app at app.contentful.com. Developers then consume the content through the GraphQL Content API, the REST Content Delivery API or the Preview API and render it in a Next.js, Nuxt, Astro or native mobile front end. The CMS layer sits behind the public website, so visitors typically interact with Contentful only indirectly.
Contentful stores three categories of data: editor account information (name, email, organisation, role assignments, API keys), content entries and assets uploaded by editors (including any personal data deliberately embedded in articles, such as author photos or testimonial quotes), and operational telemetry generated by the content APIs. The public front end does not typically receive cookies from Contentful, but the admin app at app.contentful.com sets session cookies, anti-CSRF tokens and limited analytics cookies (Segment-based) for editor authentication and product analytics.
Contentful GmbH is a processor for the content entries and editor accounts of its customers and acts as a controller for limited account, billing and product analytics purposes. Because the public website does not load Contentful scripts in the visitor browser, the ePrivacy consent rule is generally not triggered for end users. Legitimate interest under Article 6(1)(f) GDPR is the natural legal basis for backend content delivery. Editor data in app.contentful.com is processed on the basis of the Contentful Data Processing Addendum and the customer relationship.
Contentful production spaces can be hosted on AWS in eu-central-1 (Frankfurt), us-east-1 (Northern Virginia) or ap-southeast-1 (Singapore), with the CDN spread across additional regions. Even for EU spaces, support staff and monitoring infrastructure in the United States can access metadata. Transfers rely on the Contentful Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU-US Data Privacy Framework, with TLS 1.3 in transit, encryption at rest, and ISO 27001, SOC 2 Type II and HIPAA controls for healthcare customers.
Sign the Contentful Data Processing Addendum, choose an EU production space when EU residency matters, configure access controls and Single Sign-On for editors, and define retention rules for content versions and uploaded assets. Document Contentful in your record of processing activities, mention Contentful GmbH and the AWS hosting region in the privacy notice, and audit which integrations (Algolia, Segment, Salesforce, OpenAI) may forward visitor data through Contentful webhooks or app actions.
Websites using Contentful do not normally need to ask visitors for consent for Contentful itself, because the backend content delivery stores nothing on the visitor's device. Consent becomes relevant only when the site adds browser-side personalisation, experimentation or analytics scripts that store identifiers on the device.
DPIA considerations
A DPIA is generally not required for a public website that uses Contentful to deliver marketing or product content. A DPIA is recommended when Contentful is used to manage personalised content tied to identified visitors, when it serves regulated industries (financial services, health, public sector) or when integrations with Adobe Real Time CDP, Segment or Salesforce push personal data into the content delivery layer.
Sample consent text
This website is built with Contentful, a headless CMS operated by Contentful GmbH (Germany) on AWS infrastructure. Contentful processes the content you see on these pages. No marketing or analytics cookies are set by Contentful itself. Data about the editors who administer this site is held in the Contentful admin app under a separate Data Processing Addendum and is not collected from visitors of this website.
Third-party domains contacted
contentful.com
app.contentful.com
cdn.contentful.com
preview.contentful.com
images.ctfassets.net
assets.ctfassets.net
videos.ctfassets.net
The ctfassets.net hosts are the asset CDN. A public page that hotlinks images, files or videos stored in Contentful makes the visitor browser request them directly, so the visitor's IP address reaches Contentful's CDN even though no cookie is set; the contentful.com API hosts are normally reached only by the server or build step.
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _contentful_session | Strictly necessary (admin only) | Session | Set inside app.contentful.com for authenticated editors. Maintains the admin login session and is not present on public websites built with Contentful. |
| ajs_anonymous_id | Analytics (admin only, after consent) | 12 months | Set inside app.contentful.com when the Segment-based product analytics is loaded. Used to attribute editor actions to a pseudonymous user. Not present on the public website. |
No. On a public website built with Contentful, content is rendered server side or at build time and the visitor browser does not load Contentful scripts. Contentful only sets cookies inside app.contentful.com (the editor admin) for authentication, CSRF protection and limited product analytics.
For standard headless usage (server side rendering, static site generation or backend API calls), no visitor consent is required because nothing is stored or read on the device. Consent becomes necessary if Contentful is paired with experiments, personalisation or analytics scripts that store identifiers in the browser.
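The distinction above (server-side or build-time rendering versus Contentful calls made from the visitor browser) is something you can check on a rendered page rather than take on trust. The following Python script is an added example written for this page, not code from Contentful or FlowConsent. It parses an HTML document, collects every URL the browser would fetch on its own (script, img, link, iframe, video and source tags plus URLs embedded in inline scripts, but not plain links), and sorts Contentful hosts into CDN asset requests, which carry no cookie, and client-side API calls, which mean the site is no longer purely backend-rendered and may also be shipping a Delivery or Preview token to every visitor. The host list is taken from the "Third-party domains contacted" section; the sample page, the space identifiers and the token value are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts from the page's "Third-party domains contacted" list, grouped by what a
# browser request to them means. Assumption: any other contentful.com subdomain
# reached from the browser (other than the editor app) is treated as an API call.
ASSET_HOSTS = {"images.ctfassets.net", "assets.ctfassets.net", "videos.ctfassets.net"}
API_HOSTS = {"cdn.contentful.com", "preview.contentful.com"}
ADMIN_HOST = "app.contentful.com"

# Tags and attributes the browser fetches without user interaction (<a href> is a link, not a request).
FETCH_TAGS = {"script", "img", "link", "iframe", "video", "audio", "source"}
FETCH_ATTRS = {"src", "href"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Token either as a query parameter or as a bearer header in inline JavaScript.
TOKEN_RE = re.compile(r"(?:access_token=|Bearer\s+)([A-Za-z0-9_\-]{20,})")


class _Collector(HTMLParser):
    """Collect browser-initiated request URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.requests = []       # (tag, url) in document order
        self.inline_script = []  # bodies of <script> without src
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag in FETCH_TAGS:
            for name, value in attrs:
                if name in FETCH_ATTRS and value:
                    self.requests.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def classify(url):
    """Return 'asset', 'api' or None for a URL the browser would request."""
    host = (urlparse(url).hostname or "").lower()
    if host in ASSET_HOSTS:
        return "asset"
    if host == ADMIN_HOST:
        return None  # editor app link, not a content request
    if host in API_HOSTS or host.endswith(".contentful.com"):
        return "api"
    return None


def audit_html(html):
    """Audit one rendered page for Contentful traffic originating in the visitor browser."""
    collector = _Collector()
    collector.feed(html)
    urls = list(collector.requests)
    tokens = set()
    for body in collector.inline_script:
        urls += [("inline-script", u) for u in URL_RE.findall(body)]
        tokens.update(TOKEN_RE.findall(body))

    findings = {"assets": [], "api_calls": []}
    for _tag, url in urls:
        kind = classify(url)
        if kind == "asset":
            findings["assets"].append(url)
        elif kind == "api":
            findings["api_calls"].append(url)
            # A token in the URL is visible to every visitor and in every proxy log.
            tokens.update(parse_qs(urlparse(url).query).get("access_token", []))

    findings["exposed_tokens"] = sorted(tokens)
    if findings["api_calls"]:
        findings["verdict"] = "client-side Contentful API use: review consent, CORS and token scope"
    elif findings["assets"]:
        findings["verdict"] = "server-rendered; browser only fetches media from the Contentful CDN"
    else:
        findings["verdict"] = "no Contentful traffic from the visitor browser"
    return findings


# Constructed sample page: one hotlinked CDN image (fine), one editor link (ignored)
# and one inline fetch to the Delivery API with a placeholder token (the anti-pattern).
SAMPLE_HTML = """<!doctype html>
<html><head><title>Constructed sample page</title>
<link rel="stylesheet" href="https://example.test/site.css">
</head><body>
<img src="https://images.ctfassets.net/abc123/def456/hero.jpg?w=800" alt="">
<a href="https://app.contentful.com/spaces/abc123">Edit in Contentful</a>
<script>
  fetch("https://cdn.contentful.com/spaces/abc123/environments/master/entries?access_token=EXAMPLE_TOKEN_NOT_REAL_0123456789")
    .then(r => r.json());
</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it against the HTML that a real visitor receives (the output of your SSR or static build, not the source templates), since that is where a Delivery token would leak. A page whose only findings are ctfassets.net assets matches the description above and needs no consent line item for Contentful; a page with API calls from the browser needs the consent analysis redone for whatever else that client-side code stores, and the exposed token's scope (Delivery versus Preview versus Management) checked in the Contentful space settings.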
For backend content delivery, the legal basis is legitimate interest under Article 6(1)(f) GDPR. For editor accounts and customer support, processing relies on the performance of the customer contract under Article 6(1)(b) GDPR and on the Contentful Data Processing Addendum. Personal data deliberately embedded in entries inherits the legal basis chosen by the publishing customer.
Contentful signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum, confirms participation in the EU-US Data Privacy Framework and offers EU production spaces hosted in AWS eu-central-1. Supplementary measures include TLS 1.3, encryption at rest, ISO 27001, SOC 2 Type II, HIPAA controls and tightly scoped access to customer data.
A DPIA is not required for a typical informational or marketing website. A DPIA is recommended when Contentful is used to deliver personalised content to identified visitors, when the customer is in a regulated sector (financial services, health, public sector) or when integrations propagate personal data to third party systems through webhooks or app actions.
Sign the Contentful Data Processing Addendum, choose an EU production space if EU residency is required, enable Single Sign-On for editors, configure granular roles and audit logs, define retention rules for content versions and assets, document Contentful as a processor in your record of processing activities and review every connected integration that sends data outside the EU.
European or self hosted alternatives include Storyblok (Austria), Hygraph (Berlin), Sanity (Norway, US delivery), Strapi (France, self hosted or Strapi Cloud), Payload CMS (open source, self hosted), Directus (open source, self hosted) and Magnolia (Switzerland). The right choice depends on content modelling needs, EU residency requirements and developer experience.
List Contentful GmbH as a processor of the content delivery infrastructure, state that the public website does not set Contentful cookies in the visitor browser, mention that the editor admin (app.contentful.com) sets its own cookies for authenticated administrators, and link to the Contentful privacy statement. No cookie line item is normally needed for end users.