GDPR compliance
for every static site
Cookie consent banners, contact forms, comments, newsletters, and analytics — all GDPR-native, all embedded with a single <script> tag.
Free forever on 1 site · Cancel anytime
<!-- Cookie Consent — add once to your base layout --><script src="https://cdn.hugohelper.com/hh-banner.js" data-consent-id="{{ .Site.Params.hhConsentId }}" defer></script><!-- Contact Form — drop in any page template --><div data-hh-form data-form-id="{{ .Params.formId }}"></div>Works with Hugo · Astro · Jekyll · 11ty · Next.js · SvelteKit
Works with every static site generator & headless CMS
One platform, every add-on you need
All modules share the same account, dashboard, and billing. Enable exactly what each site needs — nothing more.
Cookie Consent
Full Consent Management Platform
The legal backbone of your site. Configurable categories, service-level granularity, Google Consent Mode v2, geo-restriction, versioned consent with re-consent prompts, and timestamped audit logs — all from one script tag.
- ✓GDPR Art. 6/7 legal basis enforcement
- ✓Google Consent Mode v2 (GCM v2)
- ✓Per-service blocking (YouTube, Analytics, etc.)
- ✓Consent logs with CSV export
- ✓Version tracking & forced re-consent
- ✓Geo-restriction (EU-only or custom)
Newsletter
Double opt-in, GDPR-native
Subscriber forms embedded in static sites with full double opt-in flow, GDPR consent logging at sign-up, list management, and campaign sending via Resend.
- ·Double opt-in confirmation emails
- ·Consent logged at subscribe time
- ·Unsubscribe token handling
Contact Forms
Virtual inbox & spam protection
Custom fields, honeypot + Turnstile spam protection, email forwarding, and a virtual inbox per site. No storage of more data than needed.
- ·Custom fields with validation
- ·Turnstile CAPTCHA (Pro)
- ·Email forwarding via Resend
Comments
OAuth identity-verified threads
Google & GitHub authenticated comments with moderation queue, threaded replies, and ban management — no passwords or self-hosted auth.
- ·OAuth via Google & GitHub
- ·Auto-moderation or approval queue
- ·Threaded replies (1 level)
Website Stats
Cookie-less · No consent needed
Privacy-friendly analytics with no cookies, no personal data, no consent banner required. Pageviews, referrers, countries — that's it.
- ·Cookie-free, consent-banner-free
- ·No IP storage — daily visitor hash
- ·Pageviews, referrers, countries
Built to the letter of European law
HugoHelper is not a generic SaaS with a GDPR checkbox. Every data point collected, every storage mechanism used, and every API call made was designed with the GDPR, ePrivacy Directive, and Google Consent Mode requirements as primary constraints — not afterthoughts.
General Data Protection Regulation
The foundation of EU data protection. HugoHelper implements the technical consent mechanisms required by Articles 6 and 7: purpose-limited data collection, freely given & revocable consent, and transparent information notices (Art. 13).
- →Art. 6 — Lawfulness of processing
- →Art. 7 — Conditions for consent
- →Art. 13 — Information to be provided
ePrivacy Directive
Requires informed, prior consent before placing any non-essential cookie or tracker. HugoHelper's Cookie Consent module blocks all tracking scripts until the visitor actively accepts — complying with Art. 5(3).
- →Art. 5(3) — Cookie consent
- →Opt-in before non-essential cookies
Google Consent Mode v2
Required by Google for all European Google Ads and Analytics users. HugoHelper's banner natively fires the correct GCM v2 signals based on visitor choice — no manual gtag() calls needed.
- →ad_storage
- →analytics_storage
- →ad_personalization
- →ad_user_data
Transparency & Consent Framework
HugoHelper supports service-level consent which is compatible with the IAB TCF signal model. Vendor IDs and purpose IDs are configurable per service in the dashboard.
- →Vendor-level consent
- →Purpose consent strings
- →Legitimate interest
Data minimisation by design
No IP addresses stored in plain text. All IP-derived identifiers use SHA-256 hashing with a per-deployment salt. Only data required for the stated purpose is collected.
Consent before cookies
The embed script blocks all third-party scripts tagged with data-cc-category until the visitor has actively consented. Rejection and no-action are treated identically — no tracking.
Revocable consent
Visitors can change or withdraw consent at any time via window.CookieConsent.open(). Each change is timestamped in the audit log with session-level granularity.
Consent audit logs
Every consent event is logged with timestamp, session ID, version, and choices. Logs are exportable as CSV for DPA audits. Retention is configurable (1–10 years).
Geo-restriction
Show the consent banner only to EU/EEA visitors, or configure a custom country list. Non-EU visitors skip the consent flow entirely — no unnecessary friction.
Versioned consent
Add a new category or service? Bump the consent version — existing visitors are shown a re-consent prompt automatically on next visit.
Legal scope disclaimer
HugoHelper provides technical tools to help implement GDPR requirements for web properties. It does not constitute legal advice and does not guarantee full regulatory compliance for your specific use case. Whether your implementation satisfies your obligations under the GDPR depends on your legal basis, the data you process, and how you configure these tools. Consult a qualified data protection officer or legal counsel for your specific situation — especially for complex processing activities, DPIAs, or supervisory authority interactions.
Compliance at scale, without the overhead
Your clients need GDPR compliance. You need efficiency. HugoHelper gives you both without running your own backend.
GDPR-native, not GDPR-compatible
Data minimisation, configurable retention, consent logging, SHA-256 hashed IPs, and privacy notices are built into every module. Not bolted on.
One script tag is all it takes
No npm package. No build step. No serverless setup. Drop a <script> tag in your layout file and the module is live — in any framework.
All clients in one dashboard
One organisation, unlimited sites. Add team members, assign roles, and manage every client's modules from a single place. No more juggling accounts.
Virtual inboxes for each client
Form submissions land in clean inboxes — per site or shared across your team. Read, filter, mark spam, and forward to clients. Share a read-only portal link.
Analytics without a consent banner
Website Stats is fully cookie-less — no personal data, no consent required. Measure what matters without adding more popup friction.
White-label for agencies
Set your brand colour, name, and URL in the widget footer. The "Powered by HugoHelper" can be hidden entirely — present a seamless experience to clients.
Live in under 5 minutes
From account creation to a working, GDPR-compliant widget on your site.
Sign up free
Create an account in under a minute. No credit card. You get the Free plan with 1 site immediately.
Free · Instant · No cardAdd your site
Register your site's domain. Verify ownership via a DNS/file check to ensure only you can submit to your forms.
Takes ~2 minutesConfigure the module
Set up your contact form, cookie consent banner, or comments widget from the dashboard. Choose fields, spam rules, notification mode.
No code requiredEmbed and go live
Copy the generated <script> tag. Paste it into your Hugo, Astro, Jekyll, or any template. The module is live immediately.
One paste · DoneSimple, transparent pricing
Free
Try every module. One site, forever free.
Single
For developers running one site seriously.
Pro
For developers & small agencies with multiple sites.
Agency
For agencies managing dozens of client sites.
All prices excl. VAT · No hidden costs · Cancel anytime · EU-based infrastructure
Yes. HugoHelper is framework-agnostic. It works with Hugo, Jekyll, Astro, Eleventy, Gatsby, Next.js, Nuxt, SvelteKit, Hexo, or plain HTML. All you need is the ability to embed a <script> tag in your template.
The Cookie Consent module is built for the GDPR from the ground up: prior informed consent before any cookies are placed (Art. 6/7), freely given with equal prominence for accept/reject, revocable at any time, purpose-limited, and logged with timestamps for audit purposes (Art. 7(1)). It also supports Google Consent Mode v2 natively, so all GCM signals fire correctly based on the visitor's choice.
No. Website Stats is fully cookie-less and collects no personal data — only aggregated pageview counts with a daily rotating visitor hash (no cross-day tracking). Under the GDPR, no consent is required for data that does not identify or track individuals across sessions. You get analytics without an additional consent popup.
Yes. The Cookie Consent module is a Consent Management Platform. It provides a banner, consent records, consent version management, re-consent prompts, geo-restriction, and a Google Consent Mode v2 integration. It is not IAB TCF-certified, but it supports TCF-compatible vendor/purpose ID fields on each service.
New submissions are rejected (the visitor sees an error). Existing submissions in your inbox are not affected. You'll receive an email warning before you reach the limit. Upgrading takes effect immediately and resets your quota from the current period.
Yes. The Agency plan includes team seats with role-based access control (Owner / Admin / Member). Owners can configure which role is required for each action (e.g. only Admins can delete submissions). All client sites are managed under one organisation.
Yes, on any paid plan (Single/Pro/Agency). You can set a custom accent colour, brand name, and URL. The "Powered by HugoHelper" footer can be hidden entirely on paid plans, giving your clients a seamless branded experience.
HugoHelper is deployed on Vercel Edge (EU regions) with Supabase (EU region). Email forwarding uses Resend, which processes data in the US under standard contractual clauses. We disclose all sub-processors in our privacy policy.
No. HugoHelper provides technical tools to help implement GDPR requirements. It does not constitute legal advice. Whether your specific use case is fully compliant depends on your legal basis, the data you process, and how you configure these tools. Consult a qualified DPO or legal counsel for your situation.
GDPR compliance,
live in 5 minutes.
Sign up, connect your site, and embed your first GDPR-compliant widget. Free forever on one site. No credit card required.