Payload is an open source, code-first headless CMS and application framework built with TypeScript, Node.js, and React. It is fully self-hosted, giving operators complete data ownership. Payload uses a single HTTP-only authentication cookie (payload-token) for admin access and does not set any analytics or tracking cookies by default. Optional anonymous telemetry can be disabled.
Payload is an open source, code-first headless CMS and application framework built with TypeScript, Node.js, and React. Unlike traditional SaaS CMS platforms, Payload is fully self-hosted, meaning the website operator deploys and controls the entire application and database. Payload provides a powerful admin panel, REST and GraphQL APIs, authentication, access control, file uploads, and rich text editing out of the box. It supports MongoDB and PostgreSQL as database backends and can be deployed on any hosting provider or cloud infrastructure.
Payload CMS sets a single cookie by default: payload-token, an HTTP-only cookie that stores a JSON Web Token (JWT) for authentication. This cookie is used exclusively for admin panel access and application-level authentication. It is classified as strictly necessary and does not track visitor behaviour, store marketing data, or enable profiling. The cookie name prefix can be customised via the Payload configuration. Payload also collects optional, completely anonymous telemetry data about general CMS usage, which can be disabled by the operator. No analytics, advertising, or third-party tracking cookies are set by the CMS framework itself.
Payload CMS has a minimal privacy footprint. The payload-token cookie qualifies as strictly necessary under the ePrivacy Directive (Article 5(3)) because it is essential for the admin panel to function, and therefore does not require user consent. Since Payload is self-hosted, no personal data is transmitted to Payload CMS, Inc. or any third party by default. The GDPR applies to the personal data stored in the CMS collections (content, user accounts, form submissions), but the responsibility lies with the website operator as data controller. Payload CMS, Inc. is a US-based company, but in a self-hosted deployment, the company has no access to the operator's data. If using Payload Cloud (managed hosting), a DPA with SCCs would be required for EU data processing.
No cookie consent banner is required for Payload CMS itself, as the payload-token is a strictly necessary authentication cookie exempt from consent requirements. However, website operators must ensure that any additional services integrated into their Payload-powered website (analytics, marketing pixels, embedded content, social media widgets) have their own consent mechanisms in place. For the personal data stored in CMS collections, the website operator must determine the appropriate GDPR legal basis (typically contractual necessity for user accounts, consent for marketing communications, or legitimate interest for content management). Payload provides robust access control at the collection and field level, supporting the principle of data minimisation.
One of Payload CMS's strongest privacy advantages is complete data sovereignty. In a self-hosted deployment, all data (content, user accounts, media files) remains on the operator's own servers, in any jurisdiction of their choosing. No data flows to Payload CMS, Inc. unless optional telemetry is enabled (which sends only anonymous, non-personal usage statistics). For Payload Cloud users, data is hosted on US infrastructure, requiring Standard Contractual Clauses (SCCs) for processing EU personal data. The self-hosted model eliminates concerns about international data transfers, sub-processors, and third-party data access.
To ensure GDPR compliance with Payload CMS:

- Deploy on EU-based infrastructure if you process EU personal data.
- Disable the optional telemetry if you want zero data sent to Payload CMS, Inc.
- Configure access control at the collection and field level so that each role can read and write only the personal data it needs (data minimisation).
- Implement data retention policies for CMS collections that contain personal data.
- Restrict Payload's CSRF protection to your trusted origins (the allow-list of domains permitted to send the authentication cookie).
- Update your privacy policy to disclose the payload-token authentication cookie (strictly necessary, no consent required).
- If you integrate third-party services (analytics, forms, payment), implement a CMP for those services separately.
- Document your CMS data processing in your Record of Processing Activities (ROPA).
- Serve the site over HTTPS and configure the payload-token cookie with secure: true and a sameSite setting appropriate for your deployment (Strict for an admin panel on its own origin; Lax if the same cookie must survive top-level navigations from other sites).

Websites using Payload CMS itself do not need to obtain cookie consent; under GDPR the operator still needs a legal basis for the personal data stored in the CMS and a consent mechanism for any third-party tracking services they add on top.
DPIA considerations
A DPIA is generally not required for standard Payload CMS deployments as the CMS does not perform visitor tracking, profiling, or marketing activities by default. The only cookie set is a strictly necessary authentication token for admin users. A DPIA may be warranted if the website built with Payload processes sensitive personal data through custom collections, integrates third-party analytics or marketing tools, or uses Payload Cloud (US-hosted) to process EU personal data.
Sample consent text
This website is built with Payload CMS. The CMS uses a strictly necessary authentication cookie (payload-token) for admin panel access, which does not require consent. No analytics or tracking cookies are set by Payload CMS itself. [If you add third-party services, include their consent text here.]
Third-party domains contacted (only when the optional telemetry is enabled or Payload Cloud is used)
payloadcms.com
cloud.payloadcms.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| payload-token | first-party | Configurable via the auth collection's tokenExpiration setting (default 7200 seconds, i.e. 2 hours); the cookie expires with the JWT | HTTP-only authentication cookie storing a JWT. Used for admin panel access and application-level user authentication. Classified as strictly necessary. The HttpOnly flag keeps the token out of reach of page JavaScript, so an XSS bug cannot read it directly (it does not prevent XSS itself). Cookie name prefix is customisable via the cookiePrefix setting. |
Payload CMS sets a single cookie by default: payload-token, an HTTP-only cookie that stores a JWT for authentication purposes. This cookie is used for admin panel access and application-level user authentication. The cookie name prefix can be customised in the Payload configuration. No analytics, marketing, or tracking cookies are set by the CMS framework. The cookie is classified as strictly necessary.
No. The payload-token cookie is classified as strictly necessary under ePrivacy rules (Article 5(3) of the ePrivacy Directive) because it is essential for the admin panel to function. Strictly necessary cookies are exempt from consent requirements. However, if you integrate third-party services (analytics, marketing tools, embedded content) into your Payload-powered website, those services will require their own consent mechanisms.
For the authentication cookie itself, the legal basis is legitimate interest or contractual necessity, as it is essential for the service to function. For personal data stored in CMS collections (user accounts, form submissions, customer data), the website operator must determine the appropriate legal basis depending on the purpose: contractual necessity for user accounts, consent for newsletter subscriptions, or legitimate interest for content management operations. Payload CMS, Inc. is not a data processor in self-hosted deployments.
Not by default. In a self-hosted deployment, all data remains on the operator's own servers and no data is transmitted to Payload CMS, Inc. Optional anonymous telemetry may send non-personal usage statistics to Payload CMS, Inc. (US), but this can be disabled. If using Payload Cloud (managed hosting), data is stored on US infrastructure, and Standard Contractual Clauses (SCCs) would be required for processing EU personal data.
A DPIA is generally not required for standard Payload CMS deployments because the CMS does not perform visitor tracking, profiling, or automated decision-making by default. The only cookie is a strictly necessary authentication token. A DPIA may be warranted if your Payload-powered site processes sensitive personal data (health, financial), handles large-scale processing of personal data through custom collections, integrates high-risk third-party services, or uses Payload Cloud for EU personal data.
Key steps: deploy on EU infrastructure for EU data processing. Disable optional telemetry. Configure field-level access control to enforce data minimisation. Set data retention policies for collections containing personal data. Enable CSRF protection by whitelisting trusted domains. Configure the payload-token cookie with secure: true and appropriate sameSite settings. Update your privacy policy to disclose the authentication cookie. If integrating third-party services, implement a separate CMP. Document CMS data processing in your ROPA.
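The compliance checklist above and the key steps in this answer reduce to a handful of Payload configuration keys and two access-control functions. The following is an added example written for this page, not Payload's own code or documentation. It assumes a user document with a roles array containing "admin", an admin origin of https://cms.example.com, a cookie prefix of "acme", and a minimal local stand-in for Payload's Config and access-function types so the file type-checks and runs offline; in a real project you would import buildConfig from the payload package and pass this object to it.

```typescript
// Added example: hardened Payload config for the checklist on this page.
// Assumption: these local types mirror the shape of Payload's own Config / Access
// types closely enough for illustration; a real project imports them from 'payload'.
type User = { id: string; roles?: string[] };
type Req = { user?: User | null };
type Where = Record<string, { equals: string }>;
// Collection-level access may return a boolean or a Where query that Payload
// applies when it reads from the database (so a "self only" rule needs no post-filtering).
type CollectionAccess = (args: { req: Req }) => boolean | Where;
// Field-level access returns a boolean only; `doc` is the document being read.
type FieldAccess = (args: { req: Req; doc?: { id: string } }) => boolean;

interface AuthCookies { secure: boolean; sameSite: 'Strict' | 'Lax' | 'None'; domain?: string }
interface Collection {
  slug: string;
  auth?: { tokenExpiration: number; maxLoginAttempts: number; lockTime: number; cookies: AuthCookies };
  access: { read: CollectionAccess; update: CollectionAccess; delete: CollectionAccess };
  fields: Array<{ name: string; type: string; access?: { read: FieldAccess } }>;
}
interface Config {
  serverURL: string; secret: string; telemetry: boolean;
  csrf: string[]; cors: string[]; cookiePrefix: string; collections: Collection[];
}

// Assumed role convention: a `roles` array on the user containing 'admin'.
function isAdmin(user?: User | null): boolean {
  return !!user?.roles?.includes('admin');
}

// Collection rule: anonymous requests get nothing, admins get everything,
// any other logged-in user is limited to their own document via a Where query.
const adminOrSelf: CollectionAccess = ({ req: { user } }) => {
  if (!user) return false;
  if (isAdmin(user)) return true;
  return { id: { equals: user.id } };
};

// Field rule for PII such as a phone number: visible to admins and to the owner only.
const selfOrAdminField: FieldAccess = ({ req: { user }, doc }) => {
  if (!user) return false;
  return isAdmin(user) || doc?.id === user.id;
};

const ADMIN_ORIGIN = 'https://cms.example.com'; // assumed origin; replace with your own

// `secret` signs the JWT; supply it from your environment, never hard-code it.
function buildHardenedConfig(secret: string): Config {
  return {
    serverURL: ADMIN_ORIGIN,
    secret,
    telemetry: false,          // nothing is sent to Payload CMS, Inc.
    csrf: [ADMIN_ORIGIN],      // only these origins may authenticate with the cookie
    cors: [ADMIN_ORIGIN],
    cookiePrefix: 'acme',      // cookie is named acme-token instead of payload-token
    collections: [
      {
        slug: 'users',
        auth: {
          tokenExpiration: 3600,       // seconds; Payload's default is 7200
          maxLoginAttempts: 5,         // lock the account after repeated failures
          lockTime: 10 * 60 * 1000,    // milliseconds
          cookies: { secure: true, sameSite: 'Strict', domain: 'cms.example.com' },
        },
        access: {
          read: adminOrSelf,
          update: adminOrSelf,
          delete: ({ req: { user } }) => isAdmin(user),
        },
        fields: [
          { name: 'email', type: 'email' },
          { name: 'phone', type: 'text', access: { read: selfOrAdminField } },
        ],
      },
    ],
  };
}
```

The Where-query return is the part that does the data-minimisation work: a non-admin calling the REST or GraphQL users endpoint receives only their own record, and the phone field is dropped from any document they are not the owner of, so no over-collection reaches the client in the first place. SameSite=Strict is appropriate for an admin panel that lives on its own origin; pick Lax if the same cookie must survive a top-level navigation from another site.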
Other self-hosted, privacy-friendly headless CMS options include: Strapi (open source, Node.js, self-hosted), Directus (open source, SQL-based, self-hosted), Ghost (open source, publishing-focused), and KeystoneJS (open source, Node.js). All of these can be self-hosted for full data sovereignty. For managed CMS solutions with EU hosting, consider Storyblok (EU-based), Contentful (with EU region), or Sanity (with configurable data residency). Payload CMS stands out for its code-first approach and built-in authentication.
Your cookie policy should list: payload-token (HTTP-only, strictly necessary, authentication, session-based or configurable expiry). State that this cookie is required for the CMS admin panel to function and does not track visitors or collect personal data for marketing purposes. Note that the cookie is set only when a user logs in to the admin panel or authenticated areas of the website. If you have disabled telemetry, you can state that no data is sent to third parties. List any additional cookies from third-party integrations separately.