Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
SiteManager is a Dutch visual website builder by SiteManager BV that lets agencies and brands design, manage and publish multilingual websites without code. The platform is hosted on AWS Frankfurt and sets first party cookies for editor sessions and preview rendering, while optional analytics, A/B testing and marketing modules added by the website owner may set additional third party cookies that trigger GDPR and ePrivacy obligations.
SiteManager is a visual website builder operated by SiteManager BV, a company headquartered in the Netherlands and acting as a data processor when it hosts customer sites. The product gives agencies and brands a drag and drop editor, multilingual content management, asset library and one click publishing on a managed cloud. Production hosting runs primarily on Amazon Web Services in Frankfurt (eu-central-1), keeping the publishing layer inside the European Economic Area. Customers retain control over which optional analytics, marketing or third party widgets they add to the published website.
On the editor side, SiteManager sets first party session cookies to authenticate logged in users, remember the active workspace and preserve unsaved drafts. On the public website, the platform itself only writes a small set of strictly necessary cookies such as a session identifier and CSRF token. Anything beyond that comes from modules the website owner activates: a built in lightweight analytics layer, Google Analytics, Meta Pixel, LinkedIn Insight Tag, chat widgets or A/B testing scripts. Form submissions, page views and IP addresses may be processed when these modules are turned on.
The website owner is the controller for the personal data processed through the published site, while SiteManager BV acts as the processor under Art. 28 GDPR. Strictly necessary cookies are exempt from prior consent under Art. 5(3) of the ePrivacy Directive 2002/58/EC, but every analytics, advertising or fingerprinting module a customer enables falls inside the consent scope. The CNIL, the Dutch Autoriteit Persoonsgegevens, the German DSK and the Spanish AEPD all require granular, freely given consent before such modules are loaded.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For the SiteManager editor and the strictly necessary publishing cookies, no prior consent is required, although users must still be informed in the privacy notice. As soon as the customer turns on optional analytics, marketing pixels, embedded video or social widgets, a compliant Consent Management Platform must block those scripts until the visitor opts in. Consent must be specific, informed, unambiguous and as easy to withdraw as to give. Storing a proof of consent record with timestamp, version and choices is recommended to demonstrate accountability under Art. 7 GDPR.
Because SiteManager runs its production environment on AWS Frankfurt, no personal data leaves the European Economic Area for the core publishing service. Schrems II concerns become relevant only when optional US based modules (Google, Meta, Microsoft, HubSpot) are activated. In that case the website owner must rely on Standard Contractual Clauses, the EU US Data Privacy Framework where the partner is certified, and a Transfer Impact Assessment documenting supplementary measures such as IP truncation, consent gating and data minimisation.
Sign a Data Processing Agreement with SiteManager BV, list the platform in your Art. 30 record of processing activities and add a clear cookie notice that distinguishes editor session cookies from optional modules. Use a Consent Management Platform to gate any third party tag, set short cookie lifetimes, anonymise IP addresses where the module allows it and review the active modules at least once a year. Train editors so they do not paste raw tracking snippets into pages without routing them through the consent layer.
Websites using SiteManager must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is generally not required for the SiteManager publishing infrastructure itself because hosting is in the European Union (AWS Frankfurt) and only minimal session and editor data is processed. A documented record of processing activities under Art. 30 GDPR and a balancing test for legitimate interest are sufficient. A DPIA becomes appropriate when the website owner activates analytics, behavioural advertising, heatmap or A/B testing modules, when the site processes special categories of data, or when it targets a large number of children or vulnerable users.
Sample consent text
This website is built with SiteManager and uses strictly necessary cookies to deliver pages and remember your editor session. With your consent, we also enable analytics, A/B testing and marketing modules that may set additional cookies and share data with selected partners. You can accept all, reject non essential, or configure your preferences at any time from the cookie settings link in the footer.
Third-party domains contacted
sitemanager.ioapp.sitemanager.iocdn.sitemanager.ioassets.sitemanager.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sm_session | Session | Session | First party session cookie used to maintain authenticated state for SiteManager editor users while they work on a site. |
| sm_csrf | Session | Session | CSRF protection token tied to the editor session, used to prevent cross site request forgery on save and publish actions. |
| sm_workspace | Persistent | 30 days | Stores the identifier of the active workspace or site so an agency user lands on the right project after login. |
| sm_preview | Session | Session | Identifies a preview rendering session so unsaved draft content is displayed only to the authenticated editor. |
| sm_layout_state | Local Storage | Until cleared | Local storage entry on the public website holding minimal layout state such as menu open or close, used for user experience continuity. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
The SiteManager platform itself sets a small set of strictly necessary first party cookies: an authenticated session cookie for editor users, a CSRF token, a workspace selector and a preview identifier. On published websites, the runtime adds a session identifier and a small JSON object in local storage for layout state. Anything else (Google Analytics, Meta Pixel, HubSpot, A/B test scripts, chat widgets) is added by the website owner through SiteManager modules or custom HTML blocks, and those tags can collect IP addresses, page views, clicks and form contents.
Consent is not required for the strictly necessary cookies used to authenticate editors and to render published pages, because they fall under the Art. 5(3) ePrivacy exemption. Consent becomes mandatory as soon as the owner activates analytics, advertising, chat, video, A/B testing or social widget modules. In that case a Consent Management Platform must block the relevant scripts until the visitor opts in, and the consent must be granular, freely given, informed and revocable.
For the editor and the strictly necessary publishing infrastructure, the appropriate legal basis is contract (Art. 6(1)(b) GDPR) for the agency or merchant operating the editor, and legitimate interest (Art. 6(1)(f) GDPR) for security cookies. For optional analytics and marketing modules a customer activates on the published site, the legal basis is consent under Art. 6(1)(a) GDPR combined with Art. 5(3) ePrivacy. The website owner is the controller and SiteManager BV the processor under Art. 28 GDPR.
The SiteManager publishing layer runs on Amazon Web Services in Frankfurt (eu-central-1), so the core service does not transfer personal data outside the European Economic Area. Transfers can occur when the owner activates US based modules such as Google Analytics, Meta Pixel or HubSpot. Those transfers must be covered by Standard Contractual Clauses, ideally combined with the EU US Data Privacy Framework when the partner is certified, and a Transfer Impact Assessment that documents supplementary measures.
A formal Data Protection Impact Assessment is usually not required for the SiteManager publishing platform alone, given EU hosting and minimal data processing. A DPIA becomes appropriate when the website processes special categories of data, targets a large audience of children or vulnerable users, runs systematic behavioural advertising, or combines several tracking modules likely to result in a high risk to data subjects under Art. 35 GDPR. Document the screening decision in any case.
Sign a Data Processing Agreement with SiteManager BV, list the platform in your Art. 30 register, publish a clear privacy notice and cookie page, and connect a Consent Management Platform that gates every optional module. Anonymise IP addresses where the module allows it, set short cookie lifetimes, audit active modules quarterly and remove unused tags. Train your editors so they do not paste tracking snippets directly into pages, but always route them through the consent layer.
Alternative EU based visual website builders include Webnode (Czechia), Wix Studio (with EU hosting options), Strapi based stacks combined with a privacy first front end, or Wagtail and Drupal hosted on European clouds such as Scaleway, OVHcloud or Hetzner. None of these eliminate the consent obligation for analytics and marketing modules. The relevant comparison is the location of the publishing infrastructure, the Data Processing Agreement and the granularity of cookie controls offered by the editor.
List the strictly necessary cookies set by SiteManager (session, CSRF, workspace) with their purpose and lifetime, then add a section per optional module enabled by the editor (Google Analytics, Meta Pixel, chat, A/B testing) with the cookies they drop and the third country transfer details. Mention SiteManager BV as processor and the EU hosting location. Re audit the policy whenever an editor adds or removes a module, at least every six months, and store previous versions for accountability.