Storyblok is a headless CMS based in Linz, Austria. The public Content Delivery API serves JSON over HTTPS without setting cookies on visitors, so the runtime is GDPR friendly by default. Cookies only appear inside the Visual Editor preview, which is used by logged in editors, not by site visitors.
Storyblok is a headless content management system founded in Linz, Austria in 2017. Editors compose pages inside a Visual Editor and the published content is exposed as JSON through a Content Delivery API. The frontend, built with any framework (Next.js, Nuxt, Astro, Hugo and others), fetches that JSON server side or client side and renders the HTML. Because the public delivery layer is a stateless REST and GraphQL API, it does not write cookies on the visitor browser and behaves like a normal asset fetch.
On the public website Storyblok sets no cookies. The CDN edge only stores standard request logs containing IP address, timestamp and user agent for caching and abuse prevention. Cookies appear in two specific contexts. First, when an editor is logged into app.storyblok.com a session cookie identifies the user. Second, when the Visual Editor preview is loaded for content authoring, the bridge script app.storyblok.com/f/storyblok-v2-latest.js opens an iframe inside the live preview to allow click to edit. This preview mode is for editors only and is not seen by anonymous visitors.
Because the public Storyblok delivery API does not place identifiers on the visitor terminal, Article 5(3) of the ePrivacy Directive (the cookie rule transposed into TTDSG in Germany, the LCEN in France and the LSSI in Spain) does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the limited processing of the visitor IP at the CDN edge for delivery and security. Storyblok GmbH acts as data processor when it stores editorial content, and a standard Article 28 data processing agreement is available in the Storyblok dashboard.
Storyblok offers two delivery regions. The EU region runs on AWS Frankfurt and serves the content from inside the European Economic Area, which keeps the project free from a Schrems II analysis on the delivery path. The US region runs on AWS Virginia and requires Standard Contractual Clauses plus an assessment of US surveillance laws (FISA 702, EO 12333). For European projects we recommend always selecting the EU region at space creation, since changing it later is not possible without exporting and reimporting the content.
Document Storyblok as a processor in the record of processing activities (RoPA) with purpose, EU region and asset CDN (Cloudflare). Sign the Storyblok DPA from the dashboard. Restrict editor accounts with single sign-on or two-factor authentication. If you embed third-party scripts (Google Analytics, Meta Pixel, video) through Storyblok components, those scripts have their own consent requirements and must be gated by your consent management platform; the Storyblok delivery itself is out of scope. Make sure the Visual Editor preview URL is protected behind authentication so the bridge cookies are never set on anonymous visitors.
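The last two checks can be automated against an anonymous fetch of a public page. The audit below is an added example, not Storyblok or FlowConsent code: it flags the Visual Editor bridge script, the editor and preview cookies, and script hosts outside the Storyblok domains this page lists. The function name, finding labels, `www.example.com` and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Values taken from the page: bridge script location, editor/preview-only
# cookies, and the Storyblok domains the page lists.
BRIDGE_HOST, BRIDGE_PATH = "app.storyblok.com", "/f/storyblok-v2-latest.js"
EDITOR_ONLY_COOKIES = {"storyblok_session", "_storyblok_draft"}
STORYBLOK_HOSTS = {"api.storyblok.com", "gapi.storyblok.com", "a.storyblok.com",
                   "img2.storyblok.com", "app.storyblok.com",
                   "mapi.storyblok.com", "storyblok.com"}

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def audit_public_page(html, set_cookie_headers, first_party_host):
    """Findings for one anonymous fetch: HTML body plus raw Set-Cookie values."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = set()
    for src in collector.srcs:
        url = urlparse(src)
        host = (url.hostname or "").lower()  # empty for relative URLs
        if host == BRIDGE_HOST and url.path == BRIDGE_PATH:
            findings.add("bridge-script-on-public-page")
        elif host and host != first_party_host and host not in STORYBLOK_HOSTS:
            # Served before any consent choice: must be gated by the CMP.
            findings.add("third-party-script:" + host)
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name in EDITOR_ONLY_COOKIES:
            findings.add("editor-cookie-on-public-page:" + name)
    return sorted(findings)

# Constructed sample of a misconfigured public page (not captured traffic).
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="//app.storyblok.com/f/storyblok-v2-latest.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><img src="https://a.storyblok.com/f/000/hero.png"></body></html>"""
SAMPLE_SET_COOKIE = ["_storyblok_draft=1; Path=/; Secure", "theme=dark; Path=/"]

if __name__ == "__main__":
    for f in audit_public_page(SAMPLE_HTML, SAMPLE_SET_COOKIE, "www.example.com"):
        print(f)
```

An empty result for a page fetched without any session or consent state matches the cookieless public delivery described here.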
Websites using Storyblok must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the public Storyblok delivery layer because no personal data is processed on visitors beyond standard CDN logs. A DPIA may be useful when Storyblok is integrated with personalization, A/B testing or logged in member areas, or when the US Content Delivery region is selected. Document the EU region choice, the absence of cookies on the runtime and the Article 28 GDPR data processing agreement signed with Storyblok GmbH.
Sample consent text
Storyblok is used to deliver the editorial content of this website. The Content Delivery API does not set cookies and does not track you. No consent is required for the public delivery. If you log into the editor preview, a session cookie is created to authenticate you.
Third-party domains contacted
- api.storyblok.com
- gapi.storyblok.com
- a.storyblok.com
- img2.storyblok.com
- app.storyblok.com
- mapi.storyblok.com
- storyblok.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| storyblok_session | first-party (editor app only) | Session | Authenticates a logged in editor on app.storyblok.com. Never set on the public website. |
| _storyblok_draft | first-party (preview only) | Session | Loaded inside the Visual Editor preview iframe to flag draft mode. Not present for anonymous visitors of the public website. |
| cf_clearance | third-party (Cloudflare asset CDN) | Up to 30 days | Cloudflare bot challenge cookie that may be set when assets are served through Cloudflare and a security challenge is triggered. Strictly necessary for security. |
No. The public Content Delivery API serves JSON and does not write cookies on the visitor browser. Cookies only exist on app.storyblok.com when an editor is logged in and inside the Visual Editor preview iframe used for content authoring, which is never shown to anonymous visitors.
No consent is required for the public Storyblok delivery because no identifier is stored on the visitor terminal. Article 5(3) of the ePrivacy Directive does not apply. Consent only becomes relevant if your Storyblok components inject third party tracking scripts on the page.
Article 6(1)(f) GDPR (legitimate interest) covers the limited processing of IP and request metadata at the CDN edge for content delivery and abuse prevention. Storyblok GmbH is documented as a processor under Article 28 GDPR with a signed data processing agreement.
Not for European projects that select the EU region. The Content Delivery API runs on AWS Frankfurt and the Visual Editor backend on AWS Ireland. The US region is optional and triggers transfers covered by Standard Contractual Clauses and the EU US Data Privacy Framework. Editor product analytics may use Mixpanel in the US.
A DPIA is generally not required for the public delivery layer because no personal data is processed beyond standard CDN logs. A DPIA should be considered if Storyblok is combined with personalization, profiling, A/B testing or logged in member areas, or when the US region is selected.
Select the EU region when creating the space, sign the Storyblok DPA, document the processor in your RoPA, secure editor accounts with SSO or 2FA, and gate any third party scripts embedded through Storyblok components behind your consent management platform.
EU based alternatives include Contentful (Germany), Strapi Cloud (France), Hygraph (Germany), Sanity (Norway, with EU region) and self hosted options like Wagtail, Directus or Payload CMS. Compliance posture is similar when the delivery layer is cookieless.
You do not need a Storyblok specific cookie disclosure for the public site if no cookies are set. List Storyblok as a content processor in your privacy policy with purpose, EU hosting region, processor identity and DPA reference. List any third party scripts embedded through Storyblok components separately in your cookie disclosure.