German file based self hosted PHP CMS by Content Folder GmbH (Berlin). DSGVO friendly by design with no telemetry, no tracking and minimal cookies. Popular among German agencies and designers.
Kirby is a self hosted file based PHP content management system created in 2009 by Bastian Allgeier and developed by Content Folder GmbH in Berlin, Germany. Unlike database driven platforms, Kirby stores all content as plain text files (Markdown, YAML and TXT) in a structured folder hierarchy directly on the customer server. It is distributed under a commercial licence with a free trial, and the controller installs and operates the application on their own infrastructure. Kirby is particularly popular with German agencies, designers and privacy conscious organisations that need a flexible CMS without external dependencies.
Kirby is one of the most DSGVO and GDPR friendly content management systems available. The core product contains no telemetry, no analytics call back, no third party tracking and no automatic font, map or video loading. Content is stored as flat files on infrastructure chosen by the controller, so there is no forced transfer to third countries. The only outbound call from the core is a one time licence validation request to Content Folder GmbH in Berlin when the licence key is activated. This minimal architecture means the controller keeps full sovereignty over the data and over the hosting region.
In its default configuration Kirby processes only administrative data: editor accounts (email, hashed password, role), session and authentication cookies for the back office, server access logs created by the host and the content files themselves. Public visitors receive no tracking cookies and no analytics identifier, are not fingerprinted, and the core loads no third party script. Any additional personal data, such as form submissions, comments or membership profiles, only exists when the controller installs a dedicated plugin and is fully under the controller's responsibility.
Because the Kirby core does not set tracking cookies and does not call third party services, the ePrivacy and TTDSG cookie consent obligations do not apply to a default installation. The legal basis for processing administrative data is the performance of the contract with the editors and the legitimate interest of the controller to secure the back office (Art. 6(1)(b) and (f) GDPR). No international transfer is triggered by the core, so standard contractual clauses are not required for Kirby itself. Compliance obligations are limited to the editorial team accounts and the optional plugins chosen by the controller.
Document the Kirby installation in the record of processing activities, choose an EU or local hosting provider, sign a data processing agreement with that hosting provider, enable TLS, configure strong password rules for editors and review every plugin or front end integration that loads external resources (web fonts, embedded videos, maps, captchas, analytics). Any such integration must be added to the cookie banner and to the privacy policy, and may require user consent. Keep Kirby and its plugins up to date and review server access logs retention.
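One way to carry out the plugin and front end review described above is to audit what a public page actually makes the browser load and which cookies it sets. The following is an added example, not Kirby's or the publisher's own code; the sample HTML, hosts and the `_stats_id` cookie are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookie names the page lists as strictly necessary for the Kirby panel.
PANEL_COOKIES = {"kirby_session", "kirby_auth"}
# Tags that make the browser fetch a resource, and the attribute holding the URL.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> only contacts the host for these rel values (not for rel="canonical").
FETCH_RELS = {"stylesheet", "preload", "icon", "preconnect", "dns-prefetch"}

# Constructed sample of a public page response (hypothetical hosts and cookies).
SAMPLE_HTML = """<head><link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="/assets/css/site.css">
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=Inter">
<script src="//maps.cdn.example/api.js"></script></head>
<body><img src="https://www.site.example/media/logo.png">
<iframe src="https://video.cdn.example/embed/1"></iframe></body>"""
SAMPLE_COOKIES = ["kirby_session=abc; Path=/; HttpOnly",
                  "_stats_id=42; Max-Age=31536000"]


class ExternalResourceFinder(HTMLParser):
    """Collects hosts of resources the browser would load from other origins."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.external = site_host, set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag not in FETCH_ATTRS or (tag == "link" and not rels & FETCH_RELS):
            return
        host = urlparse(attrs.get(FETCH_ATTRS[tag]) or "").hostname
        if host and host != self.site_host:
            self.external.add(host)


def audit_public_page(site_host, set_cookie_headers, html):
    """Returns what a privacy review of one public page needs to look at."""
    finder = ExternalResourceFinder(site_host)
    finder.feed(html)
    finder.close()
    names = {h.split("=", 1)[0].strip() for h in set_cookie_headers}
    return {
        "external_hosts": sorted(finder.external),
        "unexpected_cookies": sorted(names - PANEL_COOKIES),
        # The page says panel cookies are not set for public visitors.
        "panel_cookies_on_public_page": sorted(names & PANEL_COOKIES),
    }
```

Every host in `external_hosts` and every name in `unexpected_cookies` is a candidate for the cookie banner and the privacy policy; resources injected later by JavaScript are not visible to this static check.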
Kirby is a strong fit for the German market and for any organisation that must comply with the DSGVO and the TTDSG. Its Berlin based publisher, its self hosted architecture, the absence of telemetry and the file based content model make it one of the safest choices for agencies serving public sector clients, healthcare providers, law firms and design studios that prioritise data sovereignty. Many German agencies have standardised on Kirby precisely because it allows them to deliver fast, design driven websites without inheriting the compliance burden of US hosted SaaS content platforms.
Websites using Kirby must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is rarely required for the Kirby core because it is self hosted, file based and ships with no telemetry, no analytics and no third party tracking. The default cookies are limited to administrative session and authentication cookies that are strictly necessary to operate the back office. A DPIA may become relevant when the controller adds plugins that process personal data (forms, comments, newsletters, member areas), connects external services (analytics, embeds, captchas) or processes special categories of data through Kirby driven applications.
Sample consent text
No prior consent is required to use the Kirby CMS core because it does not set tracking cookies and does not call third party services from the public website. Only strictly necessary cookies are used for the administrative panel. Consent must be collected separately for any optional plugin or front end feature that loads third party scripts, embeds or analytics.
Third-party domains contacted
getkirby.com
licenses.getkirby.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| kirby_session | Strictly necessary (session) | Session (deleted on browser close) | Maintains the administrative session for editors logged into the Kirby back office. Not used for visitors of the public website. |
| kirby_auth | Strictly necessary (authentication) | Session, or up to 2 weeks if the editor enables the remember me option | Stores the authentication token that keeps the editor signed into the Kirby panel. Only set after a successful back office login and limited to administrative users. |
No. The Kirby core does not set any tracking, analytics or marketing cookies. The only cookies created in a default installation are administrative session and authentication cookies (kirby_session and kirby_auth) that are limited to the back office and considered strictly necessary. Public visitors who never log in do not receive any cookies from the CMS itself.
No prior consent is required for the Kirby CMS core because it does not deposit tracking cookies and does not call third party services from the public site. Consent only becomes mandatory when the controller adds optional plugins or front end integrations that load external scripts, analytics, embedded videos, maps, captchas or web fonts, in which case the usual ePrivacy and TTDSG rules apply.
The administrative data processed by Kirby (editor accounts, session cookies, back office authentication) relies on the performance of the contract with the editors (Art. 6(1)(b) GDPR) and on the legitimate interest of the controller to secure the back office (Art. 6(1)(f) GDPR). No consent based legal basis is required because the system does not perform any tracking by default.
The Kirby core does not transfer personal data to third countries. It is installed on infrastructure chosen by the controller, who can keep the data entirely within Germany or the European Economic Area. The only outbound call is a one time licence validation request to Content Folder GmbH in Berlin, which stays inside the EU.
A DPIA is rarely required for the Kirby core because it is self hosted, file based and ships with no telemetry, no analytics and no third party tracking. A DPIA may become relevant if the controller installs plugins that process large volumes of personal data, special categories or systematically monitor users, or if Kirby is used as the basis of an application that triggers Art. 35 GDPR criteria.
Host Kirby with a provider located in the EU or your jurisdiction, sign a data processing agreement, enable TLS, enforce strong password and role policies for editors, keep Kirby and plugins up to date, log only what is needed and define a retention period for access logs. Review every plugin and front end integration that loads third party resources and add them to the cookie banner and privacy policy as required.
Privacy oriented alternatives to Kirby include Statamic (another flat file PHP CMS with optional database), ProcessWire, Craft CMS, Bludit (lightweight flat file), Grav (flat file PHP CMS) and October CMS. All of them can be self hosted, but Kirby remains particularly attractive for the German market thanks to its Berlin based vendor, its file based architecture and its strict no telemetry policy.
You do not need to declare Kirby itself in the cookie banner because its core only uses strictly necessary cookies for the administrative back office. The privacy policy should still describe the editorial accounts, the hosting provider acting as processor, the retention of access logs and any plugin or front end integration that loads external resources or sets additional cookies.