FlowConsent
© 2026 FlowConsent by BeBranded. All rights reserved.

Umbraco


What does Umbraco do?

Umbraco is a Danish open source CMS based on ASP.NET, published by Umbraco HQ in Odense. It can be self hosted or used as the managed Umbraco Cloud / Heartcore. Public pages do not set cookies on visitors; only the /umbraco editor area uses strictly necessary authentication cookies.

What Umbraco is and how it serves content

Umbraco is a free and open source CMS based on ASP.NET, published by Umbraco HQ in Odense, Denmark since 2003 under an MIT licence. Customers can self host Umbraco CMS on IIS, Linux Kestrel, Microsoft Azure App Service or AWS, or use the managed services Umbraco Cloud (full deployment automation) and Umbraco Heartcore (headless). Public pages are rendered server side as HTML by default. The headless Heartcore mode adds a JSON Content Delivery API.

Cookies and identifiers set on visitors

On the public site Umbraco sets no cookies. The /umbraco backoffice issues an UMB_AUTH cookie for editor authentication and the standard ASP.NET .AspNetCore.Antiforgery token for CSRF protection, both strictly necessary. The Umbraco Cloud editor portal adds session cookies for the cloud.umbraco.com account. When Umbraco Members is used to gate content behind a login, additional authentication cookies are issued, again strictly necessary for members.

GDPR and ePrivacy implications

Because the public Umbraco site does not place identifiers on the visitor terminal, Article 5(3) of the ePrivacy Directive does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the server logs. The customer is controller of all data managed in Umbraco. Umbraco HQ acts as processor only for Umbraco Cloud and Heartcore, with a DPA available in the dashboard. As a Danish entity, Umbraco HQ is fully subject to GDPR enforcement and the Danish Data Protection Act.


Data transfers and Schrems II

Self hosted Umbraco does not transfer anything by itself; the customer fully controls the location of the database, the media library and the application server. For Umbraco Cloud and Heartcore, select the West Europe region so data stays inside the EEA. Umbraco HQ telemetry consists of anonymous usage statistics aggregated at the Danish HQ level, with the option to opt out via configuration. Some support tools (HubSpot, Intercom) may include US providers but are scoped to Umbraco HQ communications.

Practical compliance steps

Host inside the EU or pick the West Europe Umbraco Cloud region. Protect /umbraco behind an IP allowlist or a VPN, and enforce 2FA via Microsoft Entra ID or an OIDC provider. Document the deployment in your RoPA. If you use Umbraco Forms, configure retention and right to erasure flows for submissions. Disable or scope the Umbraco HQ telemetry as desired. Govern third party scripts (analytics, advertising, video) added to templates through a consent management platform.

GDPR consent category

Other

Websites using Umbraco must obtain user consent under GDPR regulations.

Legal basis: Article 6(1)(f) GDPR (legitimate interest) for the server logs required to deliver pages. The /umbraco editor authentication uses strictly necessary cookies (UMB_AUTH, .AspNetCore.Antiforgery) that fall outside the consent requirement.
Risk level: low
Applicable regulations: GDPR, ePrivacy Directive, DSGVO, RGPD, LSSI, Danish Data Protection Act

DPIA considerations

A DPIA is generally not required for a typical Umbraco deployment. It should be considered if Umbraco Forms is used to collect large volumes of personal data, if Umbraco Members hosts an authenticated member area with sensitive content, or if external services for profiling and advertising are heavily integrated. Document the hosting region, the access controls on /umbraco and the activated packages.

Sample consent text

This website is powered by Umbraco. Public pages do not set cookies on your device. The administrative area uses strictly necessary authentication cookies for logged in editors. No consent is required for the standard operation of Umbraco.

Technical details

Tracking method: ASP.NET based open source CMS. Pages can be rendered server side as HTML or served through the Content Delivery API in headless mode (Umbraco Heartcore). Both deployment options set ASP.NET authentication and antiforgery cookies for editors on /umbraco, but the public site has no cookies unless extensions are added.
Server location: Published by Umbraco HQ (Odense, Denmark) under an MIT licence. Umbraco CMS is self hosted by the customer (typically on Microsoft Azure West Europe, AWS Frankfurt, IIS on premise or specialized Umbraco hosts like umbHost or Umbraco Cloud). Umbraco Cloud and Umbraco Heartcore are operated on Azure with regions in West Europe (Netherlands) and East US.
Cookieless tracking available: Yes

Third-party domains contacted

umbraco.com, our.umbraco.com, cloud.umbraco.com, app.umbraco.com, api.umbraco.io, media.umbraco.io

Cookies placed

Name: UMB_AUTH
Type: first-party (/umbraco backoffice only)
Duration: Session (configurable, default 20 minutes sliding)
Purpose: ASP.NET Identity authentication cookie for logged in editors in the Umbraco backoffice. Strictly necessary, never set on the public website.

Name: .AspNetCore.Antiforgery
Type: first-party (/umbraco backoffice)
Duration: Session
Purpose: ASP.NET Core anti forgery token used to protect state changing requests in the backoffice. Strictly necessary.

Name: UMB_UCONTEXT
Type: first-party (/umbraco backoffice)
Duration: Session
Purpose: Optional cookie used to preserve the editor variant context in the backoffice. Strictly necessary for the editor experience.
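
One way to verify the cookie inventory above on a given deployment, as an added example that is not FlowConsent's or Umbraco's own code: it audits captured Set-Cookie headers against the listed backoffice cookies and flags anything set on public paths. The sample capture (including the `_ga` entry) is constructed, and prefix matching on the antiforgery cookie name is an assumption.

```python
# Cookie names from the page's cookie inventory. Prefix matching is an
# assumption: ASP.NET Core normally appends a suffix to the antiforgery name.
BACKOFFICE_COOKIES = ("UMB_AUTH", ".AspNetCore.Antiforgery", "UMB_UCONTEXT")
BACKOFFICE_PATH = "/umbraco"


def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(responses):
    """responses: iterable of (request_path, [Set-Cookie values]).
    Returns a sorted list of (path, cookie_name, finding) tuples."""
    findings = []
    for path, headers in responses:
        in_backoffice = (path == BACKOFFICE_PATH
                         or path.startswith(BACKOFFICE_PATH + "/"))
        for header in headers:
            name, attrs = parse_set_cookie(header)
            known = name.startswith(BACKOFFICE_COOKIES)
            if not in_backoffice:
                kind = "backoffice cookie" if known else "unlisted cookie"
                findings.append((path, name, kind + " on public path"))
            elif not known:
                findings.append((path, name, "unlisted cookie in backoffice"))
            # Authentication and CSRF cookies should carry both flags.
            for flag in ("secure", "httponly"):
                if known and flag not in attrs:
                    findings.append((path, name, "missing " + flag))
    return sorted(findings)


# Constructed sample capture (not taken from a real site).
SAMPLE = [
    ("/", []),
    ("/blog/post-1", ["_ga=GA1.1.111.222; Path=/; Max-Age=63072000"]),
    ("/umbraco/login", [
        "UMB_AUTH=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
        ".AspNetCore.Antiforgery.x1y2=tok; Path=/; HttpOnly",
    ]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A cookie reported on a public path typically comes from a third party script or package added to the templates, which is the case the page says must go through consent management.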


Frequently asked questions

Does Umbraco set cookies on website visitors?

No. The public Umbraco site does not set any cookie on anonymous visitors. The /umbraco backoffice issues UMB_AUTH (authentication) and .AspNetCore.Antiforgery (CSRF token) cookies for logged in editors only. Members areas (Umbraco Members) issue strictly necessary cookies after a member logs in.

Do I need consent for Umbraco under GDPR and ePrivacy?

No consent is required for the public Umbraco site. The strictly necessary editor and member cookies are exempt under Article 5(3) ePrivacy. Consent only applies if you add third party trackers (Google Analytics, Meta Pixel, video embeds) to your templates.

What is the legal basis for processing visitor data with Umbraco?

Article 6(1)(f) GDPR (legitimate interest) covers the server logs needed to deliver pages. The customer is the controller of all data managed in Umbraco. Umbraco HQ is processor only for Umbraco Cloud and Heartcore with a DPA available.

Does Umbraco transfer data to the United States?

Self hosted Umbraco does not transfer anything. For Umbraco Cloud and Heartcore, choose the West Europe region (Azure Netherlands) to keep data in the EEA. Umbraco HQ is based in Denmark, fully under GDPR. Internal support tools may include some US providers but they are scoped to communications with Umbraco HQ.

Is a DPIA required for Umbraco?

A DPIA is generally not required for a standard editorial deployment. It should be considered when Umbraco Forms collects sensitive data at scale, when Umbraco Members manages a large user base or when third party services that profile visitors are heavily integrated.

How do I implement Umbraco compliantly?

Host in the EU or use the Umbraco Cloud West Europe region, restrict /umbraco behind an IP allowlist or VPN, enable 2FA via Microsoft Entra ID or OIDC, document the deployment in your RoPA, configure retention and erasure flows for Umbraco Forms submissions, and govern third party scripts in templates through a consent management platform.

What are the alternatives to Umbraco?

In the ASP.NET space alternatives include Sitecore, Optimizely Content Cloud (formerly Episerver), Kentico Xperience and Orchard Core. In other ecosystems consider WordPress, Drupal, TYPO3, Wagtail, Strapi or Storyblok.

How do I update the cookie policy for Umbraco?

The public site does not need Umbraco in the cookie banner. Document the strictly necessary editor and member cookies in your privacy policy if you publish a detailed list. Add a member specific notice for Umbraco Members when users sign up. Document third party scripts in templates separately.