Prismic is a French headless CMS founded in Paris. Editors author content with Slice Machine and the published JSON is delivered through a Content API. The public delivery is cookieless and GDPR friendly; only editor authentication and the optional Preview feature set cookies.
Prismic is a headless CMS founded in Paris in 2013 by Prismic SAS. It uses a slice based composition model: developers define Slices (reusable components) in Slice Machine and editors arrange them in the page builder. The published content is served as JSON via the Content API. The frontend, often built with Next.js, Nuxt, SvelteKit or any framework, fetches the JSON server side or client side and renders the HTML.
On the public website Prismic sets no cookies. The Content API and the asset CDN respond with JSON or media without writing identifiers to the visitor's browser. Cookies appear in two editor contexts. The prismic.io application uses a session cookie to authenticate editors. The Preview feature, when an editor activates it from prismic.io, sets a short lived io.prismic.preview cookie on the customer site so that the editor sees the draft version of the page. That cookie disappears once preview is exited and is never set on a non editor session.
Because the Prismic public delivery does not store any identifier on the visitor terminal, Article 5(3) of the ePrivacy Directive does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the limited request logs at the CDN. Prismic SAS acts as processor under Article 28 GDPR with a DPA available in the dashboard. The Preview cookie used by editors is strictly necessary and falls under the ePrivacy carveout for technical cookies.
Content is stored on AWS, by default in regions chosen during space creation, with EU options available on higher plans. The prismic.io editor application and customer login portal are operated from the US, which involves a transfer covered by Standard Contractual Clauses and the EU US Data Privacy Framework. The asset CDN is global via Cloudflare. For strict EU only requirements, contact Prismic about regional pinning options for content storage.
Sign the Prismic DPA and document the processor in your RoPA. Enable SSO and 2FA for editor accounts. Limit Preview access to authorized editors and audit occurrences of the io.prismic.preview cookie. Restrict API tokens by repository and permission scope. Make sure your frontend gates any third party tracker (Google Analytics, Meta Pixel, video) behind a consent management platform. Disclose the EU US data transfer for editor flows in your privacy policy.
DPIA considerations
A DPIA is generally not needed for public Prismic content delivery. It should be considered if Prismic is combined with personalization, profiling or user generated content, or when content storage is configured in the US region for European visitors. Document the EU region selection (if available on your plan), the DPA with Prismic SAS and the access controls on the editor interface.
Sample consent text
This website uses Prismic to deliver editorial content. The Prismic Content API does not set cookies on visitors. No consent is required. Authentication and preview cookies only apply to editors logged into prismic.io.
Third-party domains contacted
prismic.io
cdn.prismic.io
images.prismic.io
asset.prismic.io
static.cdn.prismic.io

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| io.prismic.preview | first-party (editor preview only) | Up to 30 minutes | Temporary cookie set when a logged in editor activates Preview from prismic.io to render the draft version of the page. Removed when preview is exited. Strictly necessary. |
| prismic-auth | first-party (prismic.io only) | Session | Authenticates an editor on the prismic.io application. Not set on customer websites. |
| io.prismic.previewSession | first-party (preview UUID) | Session | Stores the preview session UUID used by the Prismic preview backend. Set only during an active Preview, never on anonymous visitors. |
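
One way to run the audit of io.prismic.preview occurrences recommended above: check the responses captured during an anonymous (no editor login) crawl against the cookie table and domain list on this page. This is an added example, not Prismic or FlowConsent code; the capture format, `SITE_HOST` and the sample entries are assumptions constructed for illustration.

```javascript
// Cookie names and Prismic hosts are taken from this page.
const EDITOR_ONLY_COOKIES = new Set(["io.prismic.preview", "io.prismic.previewSession", "prismic-auth"]);
const PRISMIC_HOSTS = ["prismic.io", "cdn.prismic.io", "images.prismic.io", "asset.prismic.io", "static.cdn.prismic.io"];
const SITE_HOST = "www.example.com"; // assumption: the customer site being audited

const matchesHost = (host, base) => host === base || host.endsWith("." + base);

// Parse one Set-Cookie value into its name and whether it only clears the cookie.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const maxAge = attrs.find((a) => /^max-age=/i.test(a));
  const clears = maxAge !== undefined && Number(maxAge.split("=")[1]) <= 0;
  return { name, clears };
}

// entries: [{ url, setCookie: [raw Set-Cookie values] }] from an anonymous session.
function auditCapture(entries, siteHost = SITE_HOST) {
  const findings = [];
  for (const { url, setCookie = [] } of entries) {
    const host = new URL(url).hostname.toLowerCase();
    const known = matchesHost(host, siteHost) || PRISMIC_HOSTS.some((h) => matchesHost(host, h));
    if (!known) findings.push({ url, issue: "third-party-host", detail: host });
    for (const raw of setCookie) {
      const { name, clears } = parseSetCookie(raw);
      if (clears) continue; // deletion header (preview exit): nothing is stored
      const issue = EDITOR_ONLY_COOKIES.has(name)
        ? "editor-cookie-on-anonymous-session" // should never happen per the table
        : "cookie-needs-consent-review";       // set by the frontend, not by Prismic
      findings.push({ url, issue, detail: name });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE_CAPTURE = [
  { url: "https://www.example.com/blog", setCookie: [] },
  { url: "https://images.prismic.io/example-repo/hero.png" },
  { url: "https://www.example.com/blog", setCookie: ["io.prismic.preview=constructed-ref; Path=/"] },
  { url: "https://www.example.com/", setCookie: ["io.prismic.preview=; Max-Age=0; Path=/"] },
  { url: "https://www.google-analytics.com/g/collect" },
  { url: "https://www.example.com/", setCookie: ["_ga=GA1.1.constructed; Max-Age=63072000"] },
];
for (const f of auditCapture(SAMPLE_CAPTURE)) console.log(f.issue, f.detail, f.url);
```

Any `third-party-host` or `cookie-needs-consent-review` finding points at a script in the frontend that has to sit behind the consent management platform, not at the Prismic delivery itself.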
No. The public Prismic Content API and asset CDN deliver JSON and media without setting cookies on visitors. The only cookies are io.prismic.preview (temporary, set for logged in editors when Preview is active) and session cookies on prismic.io for editor authentication.
No consent is needed for the public Prismic delivery because no identifier is written on the visitor terminal. The editor only Preview cookie is strictly necessary. Consent only applies to third party scripts you embed in your frontend through Prismic content.
Article 6(1)(f) GDPR (legitimate interest) covers the request logs needed for content delivery and abuse prevention. Prismic SAS is a processor under Article 28 GDPR with a DPA available in the dashboard.
The prismic.io editor application and customer portal are operated from the United States. Content storage runs on AWS in the region chosen during space creation. Transfers are covered by Standard Contractual Clauses and the EU US Data Privacy Framework. Disclose this transfer in your privacy policy.
A DPIA is generally not required for a public editorial deployment because no visitor profiling happens. It is recommended when Prismic is combined with personalization, AI features, large volumes of user generated content or sensitive data.
Sign the Prismic DPA, enable SSO and 2FA for editors, restrict API tokens by repository and scope, limit Preview access to authorized editors, document the processor in your RoPA and govern third party scripts in your frontend through a consent management platform.
EU headless CMS alternatives include Storyblok (Austria), Strapi (France), Contentful (Germany), Hygraph (Germany), Sanity (Norway), Directus (open source) and Payload CMS (open source).
List Prismic as a content processor in your privacy policy with hosting region, purpose and DPA reference. Mention the editor only io.prismic.preview cookie if your privacy policy details strictly necessary cookies. The public site can omit Prismic from the cookie banner because no cookies are placed on regular visitors.