Nextra is an open source static site generator built on top of Next.js, designed for documentation, blogs and content focused sites. It produces fully static HTML, CSS and JavaScript that can be deployed to any host. Nextra itself sets no cookies and performs no tracking; the entire privacy surface depends on the deployment host and on analytics or third party scripts the operator chooses to add.
Nextra is an open source static site generator built on top of Next.js, designed for technical documentation, knowledge bases and blogs. Maintained by the Vercel team and a community of contributors, it provides Markdown and MDX based authoring, automatic navigation generation, theming (the Docs theme and the Blog theme), full text search, dark and light mode, internationalization and Next.js powered routing. At build time Nextra emits fully static HTML, CSS and JavaScript bundles that can be served by any web host without a runtime backend. Because Nextra itself executes only at build time, it never receives or stores personal data from site visitors.
A default Nextra site sets no cookies, embeds no trackers, opens no analytics pixels and creates no fingerprints. The only items that may be stored in the browser are non identifying UI preferences such as a theme cookie or local storage entry (light/dark mode) and a sidebar/table of contents expansion state. These are stored under the ePrivacy "strictly necessary" exemption because they correspond to a service explicitly requested by the user. The framework does not perform any IP logging, does not call any external server at runtime, and does not require a consent banner by itself.
Although Nextra is privacy neutral, the host that serves the static bundle is not. Vercel and Netlify operate primarily from the United States and write server access logs that may include IP addresses; transfers from the EEA rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. Cloudflare Pages relies on a global edge network. GitHub Pages is US based. EU centric alternatives include OVHcloud, Scaleway, Hetzner, Infomaniak and self hosted Nginx on an EU VPS. Each host must be evaluated for log retention, log content, third country transfers and processor agreements under Article 28 GDPR.
Many operators add analytics to a Nextra site. Cookieless and EU friendly options such as Plausible, Fathom, Umami and Simple Analytics aggregate visits without identifying individuals and generally avoid the consent requirement when properly configured. Google Analytics 4, Hotjar, Microsoft Clarity, full third party search such as Algolia DocSearch, embeds from YouTube, Twitter or X, and CDN delivered fonts (Google Fonts) introduce cookies, identifiers or third country transfers and require informed consent under ePrivacy Article 5(3). The legal posture of a Nextra deployment is therefore the sum of these added components, not the framework itself.
To keep a Nextra site lawful and low risk, operators should: select a host whose location and contractual terms match their audience, prefer cookieless analytics, self host fonts and icons rather than load them from a third party CDN, replace YouTube embeds with privacy enhanced or click to load variants, document the chain of processors in a register of processing activities (Article 30 GDPR), publish a transparent privacy notice listing only the components actually used, and configure a minimal consent layer only if non strictly necessary cookies are introduced. Static, framework neutral architecture makes Nextra one of the most privacy compatible documentation stacks available.
DPIA considerations
A formal Data Protection Impact Assessment is not required for vanilla Nextra because the framework processes no personal data and sets no cookies. A lightweight privacy review is nonetheless recommended: it should document the hosting provider (Vercel, Netlify, Cloudflare Pages, GitHub Pages, EU hosts such as OVHcloud, Scaleway or Hetzner), the resulting server log retention, the analytics solution chosen (Plausible, Fathom, Umami, Simple Analytics, Google Analytics) and any embedded third party scripts (YouTube, Twitter, Mermaid via CDN, search providers such as Algolia DocSearch). Each added component must be evaluated individually for legal basis, transfers and retention.
Sample consent text
This documentation site is built with Nextra, an open source static site generator. The framework itself does not set cookies or perform tracking. If you accept, we additionally load privacy friendly analytics to understand which pages are useful, with no cross site tracking and no personal profile. You can change your choice at any time.
Third-party domains contacted
nextra.site, github.com, vercel.app
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| theme | Strictly Necessary | 1 year (localStorage, persists until cleared) | Stores the visitor's preferred colour scheme (light or dark) for the Nextra Docs theme. Implemented via next-themes and persisted in localStorage. Falls under the strictly necessary exemption of ePrivacy Article 5(3) because it implements a UI preference explicitly chosen by the user; no tracking or personal identification is performed. |
| nextra-toc-expanded | Strictly Necessary | Session or persistent (localStorage) | Stores the expanded or collapsed state of the table of contents and sidebar sections in the Nextra Docs theme so that visitors find the same layout on subsequent visits. Strictly necessary under ePrivacy Article 5(3) because it merely persists a UI choice made by the user and contains no identifier; no profile, no tracking and no transmission to third parties. |
No, not for vanilla Nextra. Nextra produces only static HTML, CSS and JavaScript and sets no cookies of its own, so it does not trigger Article 5(3) of the ePrivacy Directive. A consent banner becomes necessary only if you add analytics that set non strictly necessary cookies (Google Analytics, Hotjar), embed third party widgets (YouTube, Twitter or X), use Algolia DocSearch with persistent identifiers or load Google Fonts. Theme preference and table of contents state are considered strictly necessary because they reflect a choice explicitly made by the visitor.
Yes. Out of the box Nextra processes no personal data: there are no user accounts, no telemetry, no analytics, no fingerprinting and no external calls at runtime. The compiled bundle is just files. From a GDPR standpoint the framework itself raises no obligation. The real obligations come from the hosting provider (server logs may contain IPs) and from any analytics or embeds the operator decides to integrate. Documenting these choices in a register of processing activities is sufficient for most documentation or blog use cases.
For an EU audience, EU based hosts such as OVHcloud, Scaleway, Hetzner, Infomaniak, Clever Cloud or self hosting on a European VPS minimise transfer risk because static files and access logs remain in the EEA. Vercel and Netlify are convenient and well integrated with Next.js but operate from the United States and rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. Cloudflare Pages serves from a global edge but is also US headquartered. GitHub Pages is US based. The right choice depends on audience, performance needs and your appetite for Schrems II type analysis.
The most consent friendly options are cookieless EU analytics such as Plausible (EU hosted), Fathom Analytics (EU isolated mode), Umami (self hostable), Simple Analytics, GoatCounter or Pirsch. They aggregate visits without identifying individuals and usually do not require a consent banner when configured to avoid persistent identifiers and full IPs. Google Analytics 4 remains usable but requires consent under ePrivacy Article 5(3), a documented legal basis, IP anonymisation, Consent Mode and a Transfer Impact Assessment for US transfers. Server side or hybrid analytics deployments offer further control.
Each adds its own privacy footprint, regardless of Nextra. Standard YouTube embeds set advertising cookies and call doubleclick.net; use youtube-nocookie.com or a click to load wrapper. Twitter or X embeds load tracking JavaScript and require consent. Google Fonts loaded from fonts.googleapis.com transmit the IP to Google and have been ruled non compliant by some EU courts (Munich Regional Court 2022); self hosting font files solves this. Algolia DocSearch is generally considered low risk for the EU but should be documented as a processor with EU data residency where available.
They can be stored either as cookies or as localStorage entries. In both cases they are considered strictly necessary because they implement a service that the user explicitly requested (preferred theme, sidebar layout) and do not enable tracking. Under Article 5(3) ePrivacy Directive they fall within the strictly necessary exemption and do not require consent. They should nevertheless be listed in the privacy notice for transparency, with their purpose, lifetime and category clearly stated.
Start by listing what is actually loaded: the host (Vercel, Netlify, Cloudflare, an EU provider, self hosted), any analytics, the search provider, embeds and CDN delivered assets. For each, document the purpose, the legal basis, the categories of data, the recipients, the retention and whether transfers outside the EEA occur. Add a section on rights (access, erasure, objection, portability, complaint to a supervisory authority), the contact point of the controller, and the date of the latest update. For most documentation sites a one page notice covers the obligations of Articles 13 and 14 GDPR.
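One way to produce that list of what is actually loaded, as an added example that is not part of Nextra or of the original page: it scans built HTML for resource-loading tags that point off-site and attaches the remediation this page gives for the hosts it names. The site origin `docs.example.org`, the analytics host and the sample markup are constructed for illustration.

```javascript
// Added example: inventory the third-party hosts a built page contacts.
// Only resource-loading tags count; a plain <a href> link sends no request.
const RESOURCE_TAG = /<(?:script|img|iframe|link|source|video|audio)\b[^>]*>/gi;
const URL_ATTR = /\s(?:src|href)\s*=\s*["']([^"']+)["']/i; // ignores data-src

// Hosts this page names, with the remediation it gives for each.
const FLAGGED = {
  "fonts.googleapis.com": "self-host the font files",
  "youtube.com": "use youtube-nocookie.com or a click-to-load wrapper",
};

function thirdPartyHosts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const hosts = new Set();
  for (const tag of html.match(RESOURCE_TAG) || []) {
    const m = URL_ATTR.exec(tag);
    if (!m) continue;
    let url;
    try { url = new URL(m[1], site); } catch { continue; } // malformed URL
    if (!/^https?:$/.test(url.protocol)) continue;          // data:, blob:, ...
    if (url.hostname !== site.hostname) hosts.add(url.hostname);
  }
  return [...hosts].sort();
}

function review(hosts) {
  return hosts.map((host) => {
    const key = Object.keys(FLAGGED)
      .find((d) => host === d || host.endsWith("." + d));
    const action = key ? FLAGGED[key] : "document in the register of processing activities";
    return { host, action };
  });
}

// Constructed sample of one exported page (not taken from a real site).
const SAMPLE_HTML = `
<link rel="stylesheet" href="/_next/static/css/app.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<script src="/_next/static/chunks/main.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<script defer src="https://analytics.example.org/script.js"></script>
<a href="https://github.com/">GitHub</a>
`;

console.log(review(thirdPartyHosts(SAMPLE_HTML, "https://docs.example.org")));
```

A static scan only sees hosts referenced in the markup; requests that an embedded script makes after it loads have to be confirmed in the browser's network panel.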
Yes, and arguably more so than many CMS based alternatives. Because Nextra is static and the framework itself stores nothing about visitors, the privacy and security perimeter is reduced to the host and to any optional analytics. Choosing an EU based host (OVHcloud, Scaleway, Hetzner, sovereign cloud) and cookieless analytics produces a stack that is straightforward to assess against GDPR, Schrems II, the EU AI Act for any AI search components, and sectoral rules such as French RGS, German BSI Grundschutz or healthcare specific HDS hosting. The static nature also reduces the attack surface and simplifies security audits.