Ghost is an open source publishing platform run by The Ghost Foundation, a non-profit registered in Singapore. Publishers either self host Ghost on their own infrastructure or pay for Ghost(Pro), the managed hosting service. The reading experience is cookieless by default and can be operated without any consent banner, but enabling Members, Stripe, native comments, third party analytics or social oEmbeds introduces cookies and consent obligations under the GDPR and ePrivacy.
Ghost is an open source headless publishing platform written in Node.js, used by independent writers, news media and creator businesses. It is governed by The Ghost Foundation Ltd, a non-profit organisation registered in Singapore. Publishers either deploy the open source version on their own infrastructure or pay for Ghost(Pro), the managed hosting operated by the Foundation. Ghost focuses on long form publishing, newsletter delivery and paid memberships, and competes with Substack, Medium, WordPress and Beehiiv.
In its default configuration, the Ghost reading experience is cookieless: no analytics scripts, no fingerprinting, no ad tags. As soon as the publisher enables Ghost Members, a session cookie (ghost-members-ssr) is written once a reader signs in or subscribes, plus a short lived auth token cookie. Stripe and the Stripe Customer Portal add their own cookies during the checkout flow. Native comments and oEmbed widgets (YouTube, Twitter, Spotify) bring their own third party cookies. Server side, Ghost stores member email addresses, newsletter preferences and subscription metadata in a Postgres or MySQL database.
For pure reading, Ghost is one of the few mainstream CMSes that can comply with Art. 5(3) ePrivacy without a cookie banner. As soon as Members, Stripe, comments, third party oEmbeds or analytics are enabled, the corresponding cookies become subject to consent. The legal basis for Ghost Members is contract performance (Art. 6(1)(b) GDPR) for the subscription itself, with consent (Art. 6(1)(a)) for marketing emails not strictly required by the contract.
On a default Ghost site without Members, no cookie banner is required. Once Members or Stripe is enabled, treat the resulting session cookie as functional (strictly necessary for the service the reader requested) and disclose it in the privacy notice. Optional integrations (Google Analytics 4, Plausible, Fathom, native comments, Mailchimp) belong behind a CMP toggle, so that their scripts and cookies load only after the reader has opted in. Self hosted Ghost users should also review the privacy posture of their own deployment (TLS, log retention, backups).
Ghost(Pro) for EU sites runs on Linode Frankfurt and AWS eu-central-1 by default. The Ghost Foundation engineering and support team is based in Singapore. Sub-processors include Mailgun (US, for transactional and newsletter email), Stripe (Ireland and US, for memberships), and various CDN and S3 storage providers. The Ghost DPA incorporates the EU Standard Contractual Clauses and the UK IDTA. A Transfer Impact Assessment should cover the Singapore management plane and the US sub-processors.
Sign the Ghost DPA from the Ghost(Pro) account, or for a self hosted setup from your own contracts. Keep the default cookieless reading experience. Gate any optional analytics or oEmbed behind a CMP. Mention Ghost, Mailgun and Stripe in your privacy notice and Article 30 record. Document the international transfers to Singapore and the US. For self hosted Ghost, hold your own Article 28 contracts with the underlying hosting and email providers.
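One way to put optional analytics and oEmbeds behind a CMP toggle in a Ghost theme, as recommended above, is to decide per resource host whether it may load and to swap blocked embeds for a click-to-load placeholder. This is an added example in plain JavaScript, not code from Ghost or FlowConsent; the host-to-category map, the consent object shape and the placeholder markup are assumptions.

```javascript
// Consent gate for a Ghost theme. Hostnames, categories and the shape of the
// consent object are constructed for this example (a CMP would supply them).
const CATEGORY_BY_HOST = {
  // social oEmbeds named on the page
  'www.youtube.com': 'oembed',
  'www.youtube-nocookie.com': 'oembed',
  'platform.twitter.com': 'oembed',
  'open.spotify.com': 'oembed',
  // optional analytics
  'www.googletagmanager.com': 'analytics',
  'plausible.io': 'analytics',
  'cdn.usefathom.com': 'analytics',
  // strictly necessary for the checkout the reader explicitly requested
  'js.stripe.com': 'functional',
};

// Returns the consent category for a URL, or null for hosts we do not know.
function categoryFor(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  return CATEGORY_BY_HOST[host] ?? null;
}

// consent: { analytics: bool, oembed: bool } as recorded by the CMP.
// Functional resources always load; unknown hosts fail closed (blocked),
// so a new third party cannot slip in without being classified first.
function decide(url, consent) {
  const category = categoryFor(url);
  if (category === 'functional') return { url, category, load: true };
  if (category === null) return { url, category: 'unknown', load: false };
  return { url, category, load: Boolean(consent[category]) };
}

// Escape a value for use inside a double-quoted HTML attribute.
function attr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// embeds: [{ src, html }] where html is the original iframe markup.
// Returns the markup to render: the original iframe when consent allows it,
// otherwise a placeholder carrying the src so a click handler can load it later.
function gateEmbeds(embeds, consent) {
  return embeds.map(({ src, html }) => {
    const d = decide(src, consent);
    if (d.load) return html;
    return `<div class="consent-placeholder" data-category="${d.category}" ` +
      `data-src="${attr(src)}">Load ${d.category} content (sets third-party cookies)</div>`;
  });
}
```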
DPIA considerations
A DPIA is not normally required for a standard Ghost publishing site. It becomes appropriate for large media operations that use Ghost Members with extensive profiling, paid subscriptions across the EU and integrations such as Mailgun, Stripe, Google Analytics 4 and OpenAI APIs.
Sample consent text
This site uses Ghost (The Ghost Foundation Ltd, Singapore) as its publishing platform. Reading the site is cookieless by default. When you sign up to our newsletter or paid membership, Ghost Members sets a session cookie, sends transactional email through Mailgun and processes payment through Stripe. International transfers are covered by Standard Contractual Clauses.
Third-party domains contacted
ghost.org
ghost.io
ghostpro.com
js.stripe.com
api.mailgun.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ghost-members-ssr | first_party | 6 months | Strictly necessary functional cookie set by Ghost Members when a reader signs up or signs in to a paid or free membership. Used to keep the authenticated session on the publisher domain. |
| ghost_auth | first_party | Session | Short lived authentication cookie used by Ghost Admin and Ghost Members during the sign in flow. |
| __stripe_mid | third_party | 1 year | Stripe machine identifier used for fraud prevention on the Ghost Stripe Customer Portal during the checkout. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier used for fraud detection on the Ghost Stripe Customer Portal during the checkout. |
A plain Ghost reading site without Members sets no cookies at all. Enabling Members adds ghost-members-ssr (functional session) and a short lived auth token. The Stripe Customer Portal adds Stripe cookies during the checkout (__stripe_mid, __stripe_sid). Native oEmbeds (YouTube, Twitter, Spotify) bring their own third party cookies if used.
Not for a pure reading experience. As soon as you turn on Members, Stripe, native comments, third party analytics or social oEmbeds, the corresponding cookies require either an exemption (strictly necessary for the service the user requested) or prior consent. Most EU sites end up with a small banner once Members and Stripe are live.
Contract performance (Art. 6(1)(b) GDPR) for the membership or paid subscription itself. Consent (Art. 6(1)(a)) for marketing emails not strictly required by the contract. Strictly necessary cookies during sign in are exempt from consent under Art. 5(3) ePrivacy.
Yes. The Ghost Foundation is registered in Singapore. Ghost(Pro) hosts EU customers on Linode Frankfurt and AWS eu-central-1, but support and engineering operate from Singapore, and sub-processors include Mailgun (US), Stripe (Ireland and US) and AWS S3. The Ghost DPA includes EU SCCs and the UK IDTA.
Not for a typical Ghost blog. A DPIA is appropriate for large publishers that combine Ghost Members with extensive profiling, paid subscriptions across the EU, third party analytics, AI tooling on reader data and broad newsletter targeting.
Sign the Ghost DPA, keep the default cookieless reading, turn on Members only when you actually need it, gate optional analytics and oEmbeds behind a CMP, list Ghost, Mailgun and Stripe in your privacy notice and Article 30 record, document transfers to Singapore and the US, and on self hosted Ghost sign your own Article 28 contracts with hosting and email providers.
For EU friendly self hosted publishing: WordPress with Newspack or MemberPress (US plugins but EU friendly hosting), Strapi (France), Directus (Germany), Hugo or Eleventy with Buttondown or Beehiiv newsletters. For managed alternatives: Beehiiv (US with DPF), Substack (US with DPF), Letterdrop and Bulletin (US). Ghost is one of the most privacy friendly because of its cookieless default.
If you only run a reading site, no cookie disclosure is needed. If you enable Members, list the ghost-members-ssr functional cookie and the Stripe cookies that load during checkout. In your privacy notice, describe Ghost as your publishing platform, Mailgun for newsletter delivery, Stripe for payments, and the international transfers to Singapore and the US under SCCs.