Wagtail is an open source CMS built on Django and published by Torchbox in the United Kingdom. It is self-hosted by the customer, which gives full control over the storage region. Public pages do not set cookies on visitors; only the /admin area uses Django session cookies for editors.
Wagtail is a free and open source CMS built on Django and published by Torchbox Limited (Bristol, United Kingdom) under a BSD licence. Editors author content in a structured tree of pages through the /admin interface. The published pages are rendered server-side and returned as HTML, or as JSON via the Wagtail API v2 if a headless setup is preferred. Wagtail is self-hosted, so the customer fully owns the deployment.
Out of the box Wagtail sets no cookies on anonymous visitors. The Django framework provides a sessionid cookie and a csrftoken cookie that are only sent to authenticated editors using /admin; both are strictly necessary. If the customer adds Wagtail extensions for personalization, A/B testing or third-party trackers, those features will introduce their own cookies and must be governed by the consent management strategy.
Because the public Wagtail pages do not store identifiers on the visitor terminal by default, Article 5(3) of the ePrivacy Directive does not require prior consent. Article 6(1)(f) GDPR (legitimate interest) covers the server logs needed for delivery and security. The customer is the controller of all data managed in Wagtail. There is no SaaS processor; only the chosen hosting provider acts as a processor for the infrastructure.
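One way to check this claim against a real deployment, as an added example (not code from Wagtail or from this page's publisher): the audit below takes the Set-Cookie headers observed per request path and flags every cookie set outside /admin, plus any cookie under /admin other than sessionid and csrftoken. The sample observations and the names `ab_variant`, `promo` and `editor_tour` are constructed; the `/contact/` row shows how a customer-added public form that renders a CSRF token would surface.

```python
# Cookie names the page lists as strictly necessary for logged-in editors.
EXPECTED_ADMIN_COOKIES = {"sessionid", "csrftoken"}
ADMIN_PREFIX = "/admin"


def is_admin_path(path):
    """True for /admin and anything below it, not for /administration-news/."""
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def cookie_name(set_cookie_value):
    """Name from a Set-Cookie header value: the text before the first '='."""
    first_pair = set_cookie_value.split(";", 1)[0]
    return first_pair.split("=", 1)[0].strip()


def audit_cookies(observations):
    """observations: iterable of (request_path, [Set-Cookie header values]).

    Returns sorted (path, cookie_name, reason) findings.
    """
    findings = []
    for path, headers in observations:
        for header in headers:
            name = cookie_name(header)
            if not is_admin_path(path):
                findings.append((path, name, "set on a public page"))
            elif name not in EXPECTED_ADMIN_COOKIES:
                findings.append((path, name, "unexpected under /admin"))
    return sorted(findings)


# Constructed sample: responses seen by an anonymous client and by an editor.
SAMPLE = [
    ("/", []),
    ("/blog/", ["ab_variant=B; Max-Age=2592000; Path=/"]),  # hypothetical add-on
    ("/contact/", ["csrftoken=constructed; Max-Age=31449600; Path=/; SameSite=Lax"]),
    ("/administration-news/", ["promo=1; Path=/"]),
    ("/admin/login/", ["csrftoken=constructed; Path=/; SameSite=Lax",
                       "sessionid=constructed; HttpOnly; Path=/; SameSite=Lax"]),
    ("/admin/pages/", ["editor_tour=done; Path=/admin"]),
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE):
        print(*finding, sep=" | ")
```

Each finding is a cookie to either remove or bring under the consent management strategy before relying on the no-consent position.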
Because Wagtail is self-hosted, no transfer happens by default. Choose an EU-based hosting provider (OVH, Scaleway, Hetzner, AWS Frankfurt or Ireland, Azure Western Europe, Google Cloud europe west) and an EU storage backend to keep all data inside the EEA. Avoid US-based CDN or storage providers when strict EU residency is required. The Torchbox project itself is based in the UK, which is covered by an adequacy decision from the European Commission.
Host inside the EU, protect /admin behind an IP allowlist or a VPN, and enable 2FA and SSO for editor accounts (wagtail-2fa, mozilla-django-oidc or similar). Document the deployment in your RoPA, including the infrastructure provider, retention policy and access controls. Audit installed Wagtail packages and Django middleware for additional data flows. Govern any third-party tracker added to the templates through a consent management platform.
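A sketch of the IP allowlist recommended above, as an added example (not Wagtail or Django code): a standard-library WSGI wrapper that answers 403 for /admin unless the client address is allowlisted, and that trusts X-Forwarded-For only when the direct peer is a known reverse proxy. The class name, the helper functions and all addresses are assumptions made for the illustration, and a single proxy hop is assumed.

```python
import ipaddress


class AdminAllowlist:
    """WSGI wrapper: 403 for /admin unless the client IP is allowlisted."""

    def __init__(self, app, allowed, trusted_proxies=()):
        self.app = app
        self.allowed = [ipaddress.ip_network(n) for n in allowed]
        self.proxies = [ipaddress.ip_network(n) for n in trusted_proxies]

    def client_ip(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
            forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
            # Honour X-Forwarded-For only when the direct peer is our own proxy
            # (one hop assumed, so the last entry is the address it observed).
            if forwarded and any(peer in net for net in self.proxies):
                return ipaddress.ip_address(forwarded.split(",")[-1].strip())
            return peer
        except ValueError:
            return None  # unparseable address: treat as not allowlisted

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path == "/admin" or path.startswith("/admin/"):
            ip = self.client_ip(environ)
            if ip is None or not any(ip in net for net in self.allowed):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Forbidden\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):  # stand-in for the Wagtail WSGI app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, path, remote_addr, forwarded_for=None):
    # Call a WSGI app with a minimal environ and return the status line.
    environ = {"PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if forwarded_for:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]


# Constructed addresses: editors' office range and one reverse proxy.
guarded = AdminAllowlist(demo_app, ["203.0.113.0/24"], ["10.0.0.5/32"])
```

In a Django project the wrapper would go around the object returned by `get_wsgi_application()` in `wsgi.py`; the same rule can instead be enforced at the reverse proxy or firewall.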
DPIA considerations
A DPIA is generally not required for a typical Wagtail deployment. It should be considered when the site hosts large volumes of user submissions, when special category data is published (health, biometrics, political opinions), or when third party services are heavily integrated (analytics, advertising, profiling). Document the hosting region, the access controls on /admin and any installed third party packages.
Sample consent text
This website is powered by Wagtail. The public pages do not set cookies on your device. The administrative area uses strictly necessary session cookies for logged-in editors. No consent is required for the standard operation of Wagtail.
Third-party domains contacted
(customer hosted, no external Wagtail domain)
wagtail.org

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| sessionid | first-party (Django, /admin only) | Session (or up to 2 weeks if SESSION_COOKIE_AGE is extended) | Standard Django session cookie used to authenticate logged in editors on the Wagtail /admin interface. Strictly necessary, never set on anonymous visitors. |
| csrftoken | first-party (Django, /admin only) | 1 year (default) | Cross Site Request Forgery protection token. Required for any state changing operation in /admin. Strictly necessary, only used by authenticated editors. |
No. Out of the box Wagtail does not set any cookie on anonymous visitors. The Django framework provides sessionid and csrftoken cookies which are only sent to logged in editors using /admin. They are strictly necessary.
No consent is required for the public Wagtail site. The strictly necessary editor cookies on /admin are exempt under Article 5(3) ePrivacy. Consent only applies if you add third party trackers (Google Analytics, Meta Pixel, video embeds) to your Wagtail templates.
Article 6(1)(f) GDPR (legitimate interest) covers the server logs needed to deliver pages and prevent abuse. The customer is the controller of all data managed in Wagtail. The hosting provider acts as processor for the infrastructure.
Wagtail itself does not transfer anything. The customer chooses the hosting provider and storage backend. To keep data inside the EEA, pick an EU based hosting provider (OVH, Scaleway, Hetzner, AWS Frankfurt or Ireland, Azure Western Europe) and avoid US based CDNs or storage. The Wagtail project is maintained by Torchbox in the UK, which has an adequacy decision.
A DPIA is generally not required for a standard editorial deployment. It should be considered when the site hosts large amounts of user generated content, when special category data is published, or when the deployment integrates with third party services that profile visitors.
Host inside the EU, restrict /admin behind an IP allowlist or VPN, enable 2FA and SSO for editors (wagtail-2fa, mozilla-django-oidc), document the deployment in your RoPA, audit installed Django middleware and Wagtail packages, and govern third-party scripts added to templates with a consent management platform.
Other open source CMS options include Django CMS (also Django based), Drupal, TYPO3, Strapi, Directus, Payload CMS and Joomla. For a managed alternative consider Storyblok, Contentful, Sanity, Prismic or Kontent.ai.
The public site does not need Wagtail in the cookie banner because no cookies are placed on regular visitors. Mention the strictly necessary Django session cookies in your privacy policy if you publish a detailed list. Document third party scripts added to your templates separately.