Does your website use third-party services? Get GDPR compliant in minutes.

Draft.js

What does Draft.js do?

Draft.js is an open-source React rich text editor framework built by Meta and released as open source. It runs entirely in the browser as a client-side component and does not transmit data to any server by itself. GDPR obligations depend on how and where the application stores the content created with Draft.js, not on the editor component itself.

What is Draft.js?

Draft.js is an open-source rich text editor framework for React, originally built by Meta (Facebook) and open-sourced in 2016. It provides the foundation for building customisable rich text editing experiences in web applications, with support for inline styles, block types, entity handling, and custom rendering. Draft.js operates entirely as a client-side React component, managing editor state in memory without communicating with any external server.

How does GDPR apply to Draft.js?

Draft.js itself does not process, store, or transmit personal data. GDPR obligations arise when the application saves Draft.js editor content to a server or database. The content users create in Draft.js editors may contain personal data (names, personal statements, medical information, etc.) that becomes subject to GDPR when it is persisted to a backend system.

Content storage and GDPR

When Draft.js content is saved to a database, the application becomes responsible for GDPR compliance for that content. This includes: providing users with access to their saved content, enabling deletion of content upon erasure requests, applying appropriate retention periods, and encrypting sensitive content at rest. The data controller is the organisation operating the application, not Meta as the original author of Draft.js.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Practical compliance steps

Implement data subject rights for content created in Draft.js editors. Enable users to view, export, and delete their saved content. Apply retention limits to auto-saved drafts. Encrypt sensitive content at rest. Describe content storage in your privacy policy.

GDPR consent category

Other

Websites using Draft.js must obtain user consent under GDPR regulations.

Legal basisDraft.js is a client-side UI component, not a data processor. GDPR obligations arise from the application storing content created with Draft.js.

Risk levellow

Applicable regulationsGDPR compliance is the responsibility of the application developer

DPIA considerations

A DPIA is not required for Draft.js itself. It may be required if the application stores large volumes of personal data entered into Draft.js editors, particularly in healthcare or legal contexts where document content is highly sensitive.

Sample consent text

This application uses Draft.js, an open-source text editor component. Any content you create is stored as described in our privacy policy.

Technical details

Tracking methodOpen-source React rich text editor framework, no client-side tracking

Server locationSelf-hosted (deployer's infrastructure)

Cookieless tracking availableYes

Third-party domains contacted

draftjs.orgunpkg.com

Cookies placed

Name	Type	Duration	Purpose
draft_state	session	Session	In-memory only — Draft.js does not set persistent cookies; editor state is managed in React component memory

This service may collect user data. Ensure GDPR compliance with FlowConsent.

Get started free Scan your site

Frequently asked questions

Does Draft.js collect personal data?

No. Draft.js is a client-side React component that manages editor state entirely in browser memory. It does not collect, store, or transmit data to any external server. Personal data obligations arise when the application saves Draft.js content to a backend.

Does Draft.js set cookies?

No. Draft.js does not set any cookies. It manages state entirely within the React component lifecycle in browser memory.

Does Draft.js require a privacy policy entry?

Not for the component itself. However, the personal data contained in content created and saved through Draft.js editors must be addressed in your privacy policy, including what content is stored, where, for how long, and how users can access or delete it.

Does Draft.js transfer data outside the EU?

Draft.js itself does not transfer data. Transfer obligations depend entirely on where the application saves Draft.js content and which backend services process that content.

Do I need a DPIA for applications using Draft.js?

Not for Draft.js itself. A DPIA may be required for the application if it stores large volumes of sensitive personal data entered through Draft.js editors, particularly in medical, legal, or HR contexts.

How do I handle erasure requests for content created in Draft.js?

Implement a deletion mechanism in your application backend that removes all saved Draft.js content linked to the requesting user. For document versioning systems, ensure all historical versions are also deleted. Confirm deletion in writing and log the erasure request.

Is Draft.js still actively maintained?

Draft.js entered maintenance mode at Meta and the community has developed alternatives including Lexical (also by Meta) and Slate.js, ProseMirror, and TipTap as actively developed alternatives. For new projects, Lexical is Meta's recommended successor.

Does Draft.js have any GDPR compliance built in?

No. As a UI component library, Draft.js does not include privacy or compliance features. All GDPR compliance responsibility lies with the application developer regarding how Draft.js content is stored and managed.

Get compliant — Try FlowConsent free

Free plan · 10-min setup