Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Online Succes is a Dutch performance marketing platform that installs a tracking script on client websites to measure ad conversions and feed audiences back to Google Ads, Microsoft Advertising and Meta.
Online Succes is a Dutch performance marketing and behavioural analytics platform. It provides session level analytics, conversion attribution, A/B testing and lead identification for visitors who fill in forms or are already in the customer database. Online Succes is operated by Online Succes B.V. in the Netherlands and its infrastructure is hosted on Dutch servers.
A JavaScript snippet is loaded on every page. The script captures pageviews, clicks, form submissions, scroll events and traffic sources, attributes them to a persistent visitor ID stored in a first party cookie, and forwards the data to the Online Succes ingestion service. When the visitor identifies themselves through a form the visitor profile is enriched and linked to the lead record.
Online Succes sets several first party cookies for visitor identification, session tracking and attribution (typical names include os_uid, os_session, os_referrer). It collects URL, referrer, browser, screen, full IP address, behavioural events and, for identified users, name, email and form contents.
Because Online Succes combines analytics with marketing attribution and lead enrichment, the cookies it sets are non essential. Under Art. 5(3) of the ePrivacy Directive and its national transpositions (art. 22 LSSI, § 25 TDDDG, art. 82 of the French Loi Informatique et Libertés, Dutch UAVG art. 11.7a Telecommunicatiewet) prior, informed and granular consent is required before the script may be loaded.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the Online Succes script behind your Consent Management Platform in the analytics or marketing category. Only load it after the visitor accepts. Provide an easy mechanism to withdraw consent. Document the legal basis as consent in your privacy policy.
All data is processed and stored on Dutch servers. Online Succes does not rely on US sub processors for core analytics ingestion, which means it is not affected by Schrems II concerns. Verify your contract for any optional integrations that could trigger transfers.
Sign the Data Processing Agreement with Online Succes B.V. Categorise the cookies in your CMP, block the script before consent, document the processing in your Article 30 register, define retention (typically 13 months), and inform users in the privacy notice that lead and behavioural data are collected by a Dutch processor.
Websites using Online Succes must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Online Succes combines session level analytics with lead enrichment and conversion attribution. Document the categories of data, retention, recipients and the consent mechanism.
Sample consent text
We use Online Succes (Dutch behavioural analytics) to measure conversions and recognise returning leads. Online Succes stores cookies and behavioural data in the Netherlands. By accepting marketing cookies you allow this processing.
Third-party domains contacted
onlinesucces.nltrack.onlinesucces.nltracking.onlinesucces.nlcdn.onlinesucces.nlcdn.onlinesucces.nlapp.onlinesucces.nlCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| os_uid | http_cookie | 13 months | Persistent third party cookie that stores a unique device identifier used by Online Succes to deduplicate visitors and attribute conversions across the campaign lifetime. |
| _os_id | first_party | 12 months | Unique visitor identifier used by Online Succes to recognise returning visitors and link their journey across pageviews for attribution and conversion analytics. |
| os_visitor_id | first-party | 1 year | Pseudonymous visitor identifier used to recognise returning users and attribute them to a marketing source. |
| os_sess | http_cookie | Session | Session cookie that records the current visit identifier so events captured during the same browser session can be correlated server side. |
| os_session | first-party | 30 minutes | Session identifier used to group pageviews and events within a single browsing session. |
| _os_session | first_party | 30 minutes | Session identifier that groups pageviews and events within the same visit, used to compute funnels and session level conversion metrics. |
| _os_attr | first_party | 90 days | Stores the original traffic source (UTM parameters, referrer, channel) so conversions can be attributed to the campaign that drove the visitor. |
| os_campaign | first-party | 30 days | Stores the campaign and channel of the last marketing touch for attribution windows. |
| os_camp | http_cookie | 30 days | Cookie that stores the last touch campaign source, medium and creative identifier, used by Online Succes for multi touch attribution within the conversion window. |
| os_dev | http_cookie | 6 months | Fraud detection cookie that fingerprints device characteristics to prevent inflated conversion counts from bots or repeated clicks. |
Online Succes places tracking cookies for advertising — comply with GDPR using FlowConsent.
Online Succes drops a persistent first or third party cookie that contains a pseudonymous visitor identifier, used to recognise returning users and tie them to a marketing source. Depending on the configuration, additional cookies may be set for attribution windows and consent state. All cookies are described in the Online Succes documentation and must be listed in your cookie policy.
The main cookie is os_uid, a third party identifier set on the os.tracking.amsterdam domain that persists for up to 13 months. It is accompanied by short lived session cookies (os_sess, os_camp) that remember the current campaign source and click identifier, and a fraud detection cookie (os_dev). Together they allow Online Succes to deduplicate visitors and attribute conversions.
Yes. The Online Succes tag stores and reads information on the visitor terminal for marketing purposes, which falls under article 5(3) ePrivacy Directive and article 6(1)(a) GDPR. The script must therefore be blocked until the visitor accepts marketing cookies, and the rejection option must be just as visible and easy to use as the acceptance option.
Yes. Because the script stores and reads information on the device and combines personal data for advertising purposes, prior consent is required under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR. The tag must remain blocked until the visitor has opted in to the marketing category through your consent banner.
The legal basis is consent under article 6(1)(a) GDPR. Legitimate interest is generally not adequate because Online Succes is used for marketing attribution and advertising performance, which the EDPB and most EU regulators treat as activities that require prior opt in via the consent banner.
Consent is the only viable legal basis. Legitimate interest is not appropriate because the script combines cross site identifiers with conversion data, builds advertising audiences and shares them with US based ad networks, which the EDPB Guidelines 8/2020 explicitly exclude from the legitimate interest pathway for behavioural advertising.
In its standard configuration Online Succes processes data on infrastructure located in the Netherlands, so no systematic transfer to the United States or other third countries is involved. Always verify the current setup with Online Succes and, if any transfer is added, document it and apply Standard Contractual Clauses or another article 46 GDPR mechanism.
Indirectly, yes. Online Succes itself runs on Dutch infrastructure, but it forwards conversions and audience signals to Google Ads, Microsoft Advertising and Meta, which transfer the data to the United States. These transfers rely on the EU US Data Privacy Framework when the recipient is certified, or on Standard Contractual Clauses with a Transfer Impact Assessment otherwise.
Article 35 GDPR makes a DPIA mandatory only for high risk processing. Standard marketing analytics with Online Succes does not typically meet that threshold, but a DPIA is strongly recommended if the integration is combined with broad cross site profiling, large scale visitor monitoring or sensitive sectors such as health, banking and minors.
A Data Protection Impact Assessment is recommended whenever the deployment involves large scale behavioural advertising, sensitive industries (health, finance) or minors. The DPIA should cover the joint controller relationship between your organisation and Online Succes B.V., the audience enrichment with hashed CRM data, and the downstream transfer to the US ad platforms.
Sign a data processing agreement with Online Succes, integrate the tag through your CMP, classify it as a marketing cookie and load it only after consent. Mention Online Succes in the privacy notice and cookie policy, log the consent state, and provide an easy mechanism to withdraw consent at any time.
Load the Online Succes script through a consent gated container (Google Tag Manager, server side container or your CMP), enable Google Consent Mode v2 to ensure that ad_storage and ad_user_data remain denied until consent, sign the joint controller agreement provided by Online Succes B.V., and document the cookies and recipients in your cookie policy.
Alternatives include first party server side conversion tracking with Google Ads Enhanced Conversions, the Meta Conversions API deployed via Stape or sGTM, attribution platforms such as Adtriba or Triple Whale, or pure first party measurement with Matomo and Piwik PRO. The right choice depends on whether you need a full service agency layer or pure measurement.
For more privacy friendly tracking you can consider EU based analytics such as Matomo, Plausible, Piano Analytics or Pirsch, some of which can run in cookieless or consent free mode under specific configurations. The trade off is that they typically focus on aggregated analytics rather than the granular attribution Online Succes provides.
List every cookie set by Online Succes with its name, purpose, duration and the data controller. Indicate that the cookies are dropped only after marketing consent, link to the Online Succes privacy notice and offer a link to the CMP preference centre so visitors can change their mind at any time.
Use your CMP automatic scanner (CookieFirst, Cookiebot, Iubenda, Didomi) to detect new os_* cookies after each release, then update the cookie register to list Online Succes B.V. as the controller of those cookies, the retention period and the recipients (Google, Microsoft, Meta). Revisit the privacy notice when Online Succes adds new destinations.