RD Station is a Brazilian marketing automation suite (Marketing, CRM, Conversas) used by SMEs to capture and nurture leads.
RD Station is a Brazilian marketing automation company headquartered in Florianopolis, now owned by TOTVS. Its suite covers RD Station Marketing (lead capture, automation, email), RD Station CRM and RD Conversas (omnichannel messaging). It is one of the leading marketing automation tools in Latin America and is increasingly present in Portuguese- and Spanish-speaking SMEs across Europe.
The RD Station Marketing tag writes the rd_visitor cookie (visitor identifier), an rd_session cookie, an rd_event cookie tracking specific events and several auxiliary cookies for popups and lightboxes. The platform receives the visitor IP, user agent, source URL, UTM parameters, form payloads, opens, clicks and any custom event you send via the API.
Loading the RD Station tag writes to the user device, so Article 5(3) of the ePrivacy Directive requires consent. The behavioural lead scoring constitutes profiling under Art. 22 GDPR and, when it informs automated decisions, can trigger the right to human review. Marketing emails sent via RD Station also need a documented consent recorded with timestamp and source.
Consent for the tag, the marketing emails and the cross-site profiling. Legitimate interest for fraud and abuse prevention. Contract performance for transactional emails closely linked to a paid service. Document the consent log per channel.
RD Station processes data in Brazil (where the LGPD applies) and on AWS regions including Sao Paulo and the United States. Brazil is not currently the subject of a Commission adequacy decision; transfers to Brazil for EU subjects rely on Standard Contractual Clauses in the RD Station DPA. Transfers to the US AWS region rely on the EU-US Data Privacy Framework (when AWS is operating in scope) and on Standard Contractual Clauses.
Block the RD Station tag until consent. Enable double opt-in on subscription forms. Disclose RD Sistemas in your privacy policy as a sub-processor in Brazil. Sign the RD Station DPA and Standard Contractual Clauses. Set short retention on inactive leads. Audit RD Station integrations and disable any that you do not actually use.
Websites using RD Station must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when RD Station combines lead scoring with sensitive content (health, education, finance), when minors may subscribe, or when cross-border transfers to Brazil and the United States are routine for EU subjects.
Sample consent text
We use RD Station to manage our marketing forms, lead scoring and email automations. RD Station writes cookies on your device, processes your email, IP and behaviour, and shares them with RD Sistemas in Brazil and on AWS in the United States. We only load RD Station if you accept.
Third-party domains contacted
rdstation.com.br, rdstation.com, analytics.rdstation.com.br, cdn.rdstation.com.br
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rd_visitor | first_party | 1 year | Persistent identifier used to recognise visitors across sessions for lead scoring |
| rd_session | first_party | session | Stores the current session for the RD Station tracking tag |
| rd_event | first_party | 30 days | Records the last event tracked by RD Station for funnel analysis |
The RD Station Marketing tag writes rd_visitor (visitor identifier), rd_session (session) and rd_event (event tracking), plus auxiliary cookies for popups and lightboxes. The chat module adds session cookies on the conversas subdomain.
Yes. The tag writes to the user device and processes personal data for behavioural marketing, so Article 5(3) ePrivacy and Art. 6(1)(a) GDPR consent are required. Marketing emails also need a documented consent.
Consent for the tag, marketing emails and profiling. Legitimate interest for fraud and abuse prevention. Contract performance for transactional emails tied to a paid service.
Yes. RD Station processes data in Brazil (no EU adequacy decision) and on AWS in the US. Both flows need to be covered by Standard Contractual Clauses; the US AWS leg can also rely on the EU-US Data Privacy Framework when applicable.
Recommended when RD Station combines lead scoring with sensitive content, when minors are reached, or when the cross-border transfers are routine for EU subjects.
Block the tag until consent, enable double opt-in on forms, declare the Brazil sub-processor, sign the RD Station DPA, set short retention and audit integrations.
EU-based alternatives include Plezi (France), Webmecanik (France, open source), HubSpot EU residency, Brevo (France), GetResponse (Poland) and ActiveCampaign EU.
List rd_visitor, rd_session and rd_event with purpose, lifetime and controller. Add a transfer paragraph mentioning Brazil and the United States, with Standard Contractual Clauses and the EU-US Data Privacy Framework where relevant.