Sanity is a Norwegian headless CMS built around a real-time content lake. Editors work in Sanity Studio and content is delivered through REST and GROQ APIs over HTTPS. The public delivery API does not set cookies on visitors, so it is GDPR-friendly by default when the EU dataset region is selected.
Sanity is a headless content platform founded in Oslo, Norway in 2015 by Sanity.io AS. It is built around a real-time content lake. Editors author structured content in Sanity Studio, a React-based editing UI usually hosted by the customer or on sanity.studio. The published content is queried by the frontend via REST or the GROQ query language and delivered through the Sanity CDN. Like other modern headless platforms, the public delivery is stateless and cookie-free.
On the public website Sanity sets no cookies. The content delivery responses only contain JSON and standard cache headers. Cookies appear in three editor-only contexts. Sanity Studio uses a session cookie to authenticate editors. The sanity.io account portal sets an authentication cookie for the dashboard. Sanity Insights, when enabled in the Studio for project owners, may use Plausible Analytics for usage statistics, scoped to the Studio domain.
Because the public Sanity API does not place identifiers on the visitor terminal, Article 5(3) of the ePrivacy Directive does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the limited request metadata processed at the CDN edge. Sanity.io AS acts as a processor under Article 28 GDPR when storing the customer content. The DPA is available in the Sanity dashboard and the corporate entity in Oslo provides additional comfort regarding GDPR enforcement.
Sanity offers an EU dataset region (Frankfurt) and a US dataset region (Iowa). For European projects, create the dataset with the EU region. The dataset region cannot be changed after creation without an export and import. The corporate sanity.io login portal and some support tools may route requests through the United States. Plausible Analytics, used by Sanity Insights, is operated from the EU (Germany), which avoids US transfers for that telemetry.
Create the production dataset in the EU region. Sign the Sanity DPA. Document the processor in your RoPA with dataset name, region, retention and the asset CDN. Host Sanity Studio on your own domain behind authentication (SSO via Google, GitHub, SAML). Restrict API tokens by dataset and permission scope. Use a read-only published-view client for the public site instead of admin tokens. If you embed third-party scripts in your frontend, gate them with a consent management platform; the Sanity delivery itself is out of scope.
DPIA considerations
A DPIA is not required for the public delivery API in most cases as no personal data is processed on visitors beyond standard request logs. A DPIA should be considered when Sanity is paired with Sanity Insights, personalization features, user generated content, or when special category data is stored in the content lake. Document the EU region selection, the DPA signed with Sanity.io AS and the access controls on Sanity Studio.
Sample consent text
This website uses Sanity to deliver editorial content. The Sanity API does not set cookies and does not track visitors. No consent is required. Authentication cookies only apply to editors signed into Sanity Studio.
Third-party domains contacted
sanity.io
api.sanity.io
apicdn.sanity.io
cdn.sanity.io
sanity.studio
sanity.work
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sanitySession | first-party (Sanity Studio only) | Session | Session cookie used inside Sanity Studio to authenticate a logged in editor. Strictly necessary, never set on the public website. |
| sanity-management-token | first-party (account portal only) | Up to 30 days | Authentication token for the sanity.io account portal. Strictly necessary for the customer dashboard, not present on public websites. |
| sb_anon | first-party (Studio analytics) | 30 days | Anonymous identifier optionally set by Plausible Analytics inside Sanity Insights when the project owner enables Studio usage tracking. Scoped to the Studio domain. |
No. The public Sanity REST and GROQ APIs deliver JSON without any cookies. Cookies only appear in Sanity Studio (editor session), in the sanity.io account portal, and optionally in Plausible Analytics inside Sanity Insights, all of which are editor-side and never visible to the website visitor.
No consent is required for the public Sanity delivery because no identifier is stored on the visitor terminal. Consent only becomes relevant if your frontend embeds third party trackers whose content was fed by Sanity.
Article 6(1)(f) GDPR (legitimate interest) covers the request metadata processed for content delivery and security. The customer is the controller of the content stored in Sanity. Sanity.io AS is a processor under Article 28 GDPR with a DPA available in the dashboard.
Not when the EU dataset region is selected: the content lake stays in Frankfurt and the asset CDN serves from Google Cloud EU regions. The US dataset region (Iowa) is optional. The sanity.io login portal may route through US infrastructure for the editor flow.
A DPIA is not generally required for a public editorial deployment. It should be considered when Sanity stores sensitive content, when Sanity Insights is enabled, when personalization or A/B testing is layered on top, or when the US dataset region is used.
Create the dataset in the EU region, sign the DPA, host Sanity Studio on your own domain with SSO, restrict API tokens by permission scope, document the processor in your RoPA, use a read-only client for the public site and govern any third-party scripts in the frontend through a consent management platform.
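The two checks that the hardening checklist (here and in the deployment section above) and the "no cookies" answer imply can be scripted. The following JavaScript is an added example, not Sanity's code or documentation: it audits a client configuration meant for the visitor-facing site (no token, published perspective, CDN reads, no credentials) and inspects delivery response headers for a Set-Cookie header. The configuration key names (projectId, dataset, apiVersion, useCdn, token, perspective, withCredentials) follow the documented @sanity/client options; the sample configurations, sample headers and finding texts are constructed for the example.

```javascript
// Added example (not Sanity's own code). Audits a @sanity/client config intended for
// a public site and verifies that a delivery response carries no cookies.

// Rules a public, visitor-facing client should satisfy. Each violation is a finding.
function auditPublicClientConfig(config) {
  const findings = [];
  if (config.token) {
    // A token in the public client ends up in the browser bundle and grants more
    // than the read-only published view the public site needs.
    findings.push("token present: public site should use the read-only published view");
  }
  if (config.perspective && config.perspective !== "published") {
    // previewDrafts/raw expose unpublished content to anyone loading the site.
    findings.push(`perspective "${config.perspective}" exposes drafts; use "published"`);
  }
  if (config.useCdn !== true) {
    findings.push("useCdn is not true: public reads should go through apicdn.sanity.io");
  }
  if (config.withCredentials) {
    findings.push("withCredentials sends browser cookies to the API; not needed for delivery");
  }
  if (!config.apiVersion) {
    findings.push("apiVersion missing: pin a dated API version");
  }
  return findings;
}

// Inspect response headers from a delivery request. `headers` is a plain object
// (e.g. Object.fromEntries(response.headers) from fetch()); names are matched
// case-insensitively.
function auditDeliveryHeaders(headers) {
  const findings = [];
  const h = Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value])
  );
  if ("set-cookie" in h) {
    findings.push(`set-cookie present: ${h["set-cookie"]}`);
  }
  const contentType = h["content-type"] || "";
  if (!contentType.startsWith("application/json")) {
    findings.push(`unexpected content-type for delivery API: "${contentType}"`);
  }
  return findings;
}

// Constructed sample configurations (project id and dataset are placeholders).
const PUBLIC_CONFIG = {
  projectId: "example-project-id",
  dataset: "production",
  apiVersion: "2024-01-01",
  useCdn: true,
  perspective: "published",
};

const RISKY_CONFIG = {
  projectId: "example-project-id",
  dataset: "production",
  apiVersion: "2024-01-01",
  useCdn: false,
  perspective: "previewDrafts",
  token: "sk-constructed-placeholder-token", // constructed, not a real token
};

// Constructed sample headers: a cookie-free delivery response and, for contrast,
// the kind of response an authenticated editor endpoint would return.
const DELIVERY_HEADERS = {
  "Content-Type": "application/json; charset=utf-8",
  "Cache-Control": "public, max-age=60, stale-while-revalidate=600",
};

const EDITOR_HEADERS = {
  "Content-Type": "application/json; charset=utf-8",
  "Set-Cookie": "sanitySession=constructed; Path=/; Secure; HttpOnly; SameSite=Lax",
};

// Stand-alone run: print findings for each sample.
for (const [label, cfg] of [["public", PUBLIC_CONFIG], ["risky", RISKY_CONFIG]]) {
  console.log(`config ${label}:`, auditPublicClientConfig(cfg));
}
for (const [label, hdrs] of [["delivery", DELIVERY_HEADERS], ["editor", EDITOR_HEADERS]]) {
  console.log(`headers ${label}:`, auditDeliveryHeaders(hdrs));
}
```

Against a live deployment, pass the real client configuration to auditPublicClientConfig and feed auditDeliveryHeaders with Object.fromEntries(response.headers) from a fetch() of your public query URL; an empty findings list confirms the read-only, cookie-free posture the checklist asks for.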
Other headless CMS options used in Europe include Storyblok (Austria), Strapi (France), Contentful (Germany), Hygraph (Germany), Directus (Germany, open source), Payload CMS (open source) and Wagtail (Python, open source).
No Sanity specific cookie disclosure is needed for the public site when no cookies are set. List Sanity as the content processor in your privacy policy with the dataset region, purpose, retention and DPA reference. Editor only cookies inside Sanity Studio do not need to appear in the public cookie banner.