Kontent.ai is a Czech headless CMS by Kontent.ai s.r.o. (Kentico group), hosted on Microsoft Azure with a Western Europe region. The Delivery API serves JSON without setting cookies on visitors, so the public delivery layer is GDPR friendly by default. Editor authentication on app.kontent.ai uses strictly necessary cookies.
Kontent.ai is a headless content platform originally launched as Kentico Cloud in 2016 and renamed Kontent.ai in 2022. The publisher is Kontent.ai s.r.o. based in Brno, Czech Republic, part of the Kentico group. Editors create content items in app.kontent.ai. Published items are served as JSON via the Delivery API (deliver.kontent.ai). Frontends fetch the JSON and render the page. The public delivery layer is stateless and does not need any cookie on the visitor browser.
The public Kontent.ai Delivery API does not set cookies on visitors. On the editor side, app.kontent.ai sets authentication, session and CSRF cookies. The optional Web Spotlight feature loads the customer site inside an authenticated iframe so editors can click and edit; this preview is never reached by anonymous visitors. The Kontent.ai marketing site kontent.ai sets analytics cookies (Google Analytics, HubSpot, LinkedIn) that are scoped to that domain only.
Because the public Kontent.ai delivery does not place identifiers on the visitor terminal, Article 5(3) of the ePrivacy Directive does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the limited request metadata at the Azure CDN. Kontent.ai s.r.o. acts as processor under Article 28 GDPR. As a Czech company, Kontent.ai is fully subject to GDPR enforcement and the Czech Personal Data Processing Act, which is reassuring for European customers.
For European projects, create the environment in the Western Europe Azure region. Content storage and the Delivery API origin stay inside the EEA. Azure Front Door cache nodes are global, which is acceptable since only published JSON is cached. Some support and product analytics tools used internally by Kontent.ai may include US-based providers; this is documented in the Kontent.ai privacy notice.
Select the Western Europe region when creating the project, sign the Kontent.ai DPA, document the processor in your RoPA, enable SSO and MFA for editor accounts, scope API keys to a single environment and use the secured delivery key when needed. Govern any third-party script injected through Kontent.ai content via a consent management platform. Restrict Web Spotlight access to authorized editors.
DPIA considerations
A DPIA is generally not required for the public Kontent.ai delivery when the EU region is used. It should be considered when the project handles user generated content with personal data, when AI assisted features are enabled or when sensitive data is stored in items. Document the EU region selection, the DPA with Kontent.ai s.r.o. and the SSO setup for editor accounts.
Sample consent text
This website uses Kontent.ai to deliver editorial content. The Kontent.ai Delivery API does not set cookies on visitors. No consent is required for the public delivery. Authentication cookies only apply to editors signed into app.kontent.ai.
Third-party domains contacted
- kontent.ai
- app.kontent.ai
- deliver.kontent.ai
- preview-deliver.kontent.ai
- manage.kontent.ai
- assets-eu-01.kc-usercontent.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| kontent-auth | first-party (app.kontent.ai) | Session (up to 24 hours) | Editor authentication session cookie on app.kontent.ai. Strictly necessary, not set on the public website. |
| kontent-csrf | first-party (app.kontent.ai) | Session | Anti CSRF token used by the Kontent.ai app to protect state changing operations. Strictly necessary. |
| _ga | third-party (marketing site only) | 2 years | Google Analytics cookie used on kontent.ai marketing site. Not set on customer websites. |
No. The public Delivery API serves JSON without cookies. Editor side cookies exist on app.kontent.ai for authentication, session and CSRF protection, and on the kontent.ai marketing site for analytics, but neither propagates to the customer website that consumes the Delivery API.
No consent is required for the public Delivery API because no identifier is stored on the visitor terminal. Editor cookies on app.kontent.ai are strictly necessary. Consent only applies to third party scripts you embed in your frontend.
Article 6(1)(f) GDPR (legitimate interest) covers the request metadata processed at the Azure CDN edge. Kontent.ai s.r.o., a Czech company, is documented as processor under Article 28 GDPR with a DPA available.
When the Western Europe Azure region is selected, content storage and the Delivery API origin stay in the EEA. Some internal support and product analytics tools used by Kontent.ai may rely on US providers, listed in the privacy notice. As a Czech entity, Kontent.ai is fully under GDPR jurisdiction.
A DPIA is generally not required for a public editorial deployment when the EU region is used. It should be considered when AI assisted features are enabled, when sensitive data is stored in items or when Kontent.ai is combined with personalization features.
Pick the Western Europe region at creation, sign the DPA, document the processor in your RoPA, enable SSO and MFA, use Secured Delivery Keys when needed, scope API keys per environment, restrict Web Spotlight access and govern third party scripts in your frontend.
Other EU headless CMS options include Storyblok (Austria), Contentful (Germany), Sanity (Norway), Strapi (France), Hygraph (Germany), Prismic (France) and self hosted Directus or Payload CMS.
List Kontent.ai as a content processor in your privacy policy with EU region, purpose and DPA reference. The public site does not need Kontent.ai in the cookie banner because no cookies are placed on visitors.