Nimbata is a US based call tracking and conversation analytics platform. It performs Dynamic Number Insertion on websites to attribute phone calls to marketing channels, records and transcribes calls and stores caller metadata. Because call data is processed in the United States and includes recordings, prior consent and Article 46 GDPR transfer safeguards are required.
Nimbata is a call tracking and conversation analytics platform aimed at marketers who want to attribute inbound phone calls to the campaigns, keywords or pages that triggered them. After installing a JavaScript snippet on the site, Nimbata performs Dynamic Number Insertion (DNI): each visitor sees a unique tracking number that forwards to the operator's real phone line. Calls are routed through Nimbata, where they are recorded, transcribed, scored and attributed back to the original marketing source.
The Nimbata script sets first party and third party cookies plus localStorage entries that identify the visitor, store the source attributes (utm, gclid, fbclid, referrer) and persist the assigned tracking number for the session. These cookies are not strictly necessary: they exist for advertising attribution. They therefore require prior opt in consent under Article 5(3) of the ePrivacy Directive and Article 7 GDPR before any value is written to the browser.
Nimbata also captures the call audio and produces a written transcript. Both are personal data under the GDPR, and the spoken content may unexpectedly reveal special category data (health, religion, political opinions). In France, Germany, Spain and the UK the supervisory authorities expect a clear announcement before the call is recorded, the option to object, and a documented retention period. Sensitive content such as health complaints must trigger additional safeguards under Article 9 GDPR.
Nimbata is a United States company and processes call recordings, transcripts and tracking data on AWS US regions. Transfers from the EEA to the United States require an Article 46 GDPR safeguard. The most common path is the EU US Data Privacy Framework if Nimbata is certified, otherwise the EU Standard Contractual Clauses with a transfer impact assessment. Document the chain in the record of processing activities and inform the data subjects in the privacy notice.
Gate the Nimbata snippet behind a Consent Management Platform so it loads only after opt in. Add a clear pre call announcement (recorded message or human prompt) and offer a way to continue without recording. Sign a Data Processing Agreement with Nimbata, list it in the record of processing as a US processor and document the transfer safeguard. Restrict access to the recordings to specifically named users, set a retention policy (typically 6 to 12 months) and purge older calls automatically.
EU based alternatives include CallTrackingMetrics with EU residency, Dialogtech, Salesmsg with EU hosting, AdCalls (NL), Adversitement and Aircall (FR). They reduce the transfer risk but still require consent for the cookies and an announcement for the recording. Plan an exit strategy by exporting call data and recordings in a standard format and by signalling the change in the cookie policy.
Websites using Nimbata must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Nimbata combines call recording, transcription and behavioural tracking, three operations that the EDPB and several supervisory authorities consider high risk individually. Document the recording purpose, the retention period, the access controls inside Nimbata, the announcement message to the caller, and the US data transfer chain. Reassess the DPIA when adding speech analytics, sentiment scoring or automated lead routing.
Sample consent text
We use Nimbata to track which marketing campaign brought you to our website and to record and analyse the calls we exchange. Click Accept to allow the call tracking cookies and the recording of our conversation. You can refuse and still call us: only the marketing attribution will be lost.
Third-party domains contacted
- nimbata.com
- app.nimbata.com
- js.nimbata.com
- api.nimbata.com
- cdn.nimbata.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| nimbata_visitor | http_cookie | 1 year | Persistent visitor identifier used by Nimbata to link a returning user to previous calls and attribution data |
| nimbata_session | http_cookie | session | Session identifier that ties the dynamically inserted phone number to the current browsing session |
| nimbata_attribution | http_cookie | 30 days | Stores the marketing source (utm parameters, gclid, fbclid, referrer) so an inbound call can be attributed to the campaign |
| nimbata_pool_assignment | http_cookie | 30 minutes | Reserves the swapped tracking number from the Nimbata number pool for the duration of the visit |
| nimbata_form | http_cookie | 30 days | Connects a form submission on the website to the matching Nimbata call for closed loop reporting |
Nimbata sets first party and third party cookies plus localStorage entries on every page where the script is active. They identify the visitor (a nimbata_visitor id), persist the attribution parameters (utm, gclid, fbclid, referrer) and reserve a tracking phone number for the session. Some flows also load Google Analytics and Facebook pixels triggered by Nimbata. All of these are non essential cookies and require prior opt in consent.
Yes. The tracking cookies are not strictly necessary because they exist for advertising attribution, not for delivering the requested service. Article 5(3) of the ePrivacy Directive and Article 7 GDPR require prior opt in consent before any value is written to the visitor browser. Gate the snippet behind a Consent Management Platform and only load it after a clear opt in.
Two stacked bases usually apply. Consent (Article 6(1)(a) GDPR) covers the cookies and the analytics. Legitimate interest (Article 6(1)(f) GDPR) can cover the underlying marketing measurement once consent has been obtained, but it does not replace the consent requirement for cookies and call recording. The call recording itself often requires its own explicit consent or strict legitimate interest with a clear announcement, depending on the Member State.
Yes. Nimbata is a US company and hosts call recordings, transcripts and tracking data on AWS US regions. The EEA to US transfer must be covered by a valid Article 46 GDPR safeguard, either the EU US Data Privacy Framework (if Nimbata is certified) or the EU Standard Contractual Clauses combined with a documented transfer impact assessment. The transfer must be disclosed in the privacy notice.
Yes, a DPIA is strongly recommended. Nimbata combines large scale online tracking, call recording and automated transcription, three operations the EDPB places on the list of high risk processing. Document the recording purpose, the retention period, the access controls inside Nimbata, the announcement message to the caller and the US transfer chain.
Block the Nimbata snippet by default and only load it after granular opt in. Add a pre call announcement (recorded or live) and offer a no recording path. Sign a Data Processing Agreement with Nimbata, list it in the record of processing as a US processor, document the transfer safeguard. Restrict back office access to specifically named users, set a 6 to 12 month retention period for recordings and purge older calls automatically.
EU oriented alternatives include CallTrackingMetrics with EU residency, Dialogtech, AdCalls (Netherlands), Adversitement, Aircall (France), Sipgate and Salesmsg with EU hosting. They reduce transfer risk but do not remove the consent and announcement requirements. Server side call attribution with anonymised number pools is another option for low risk use cases.
Add a Nimbata section to the cookie policy that lists each cookie (name, purpose, duration, third party), explains the call recording, names the US processor and references the transfer safeguard. Map the lawful basis (consent for the cookies and the recording), the retention period and the data subject rights. Update the privacy notice and the record of processing activities in the same release and rerun your cookie scanner to confirm the inventory.
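One way to run the check described above, confirming that nothing from Nimbata loads before opt in and that the observed cookies match the documented inventory. This is an added example, not code from Nimbata or from any Consent Management Platform; the scan input shape, the `nimbata_` prefix rule and the sample data are assumptions made for illustration.

```javascript
// Inventory from the "Cookies placed" table: name -> documented lifetime in seconds (0 = session).
const INVENTORY = new Map([
  ["nimbata_visitor", 365 * 86400],
  ["nimbata_session", 0],
  ["nimbata_attribution", 30 * 86400],
  ["nimbata_pool_assignment", 30 * 60],
  ["nimbata_form", 30 * 86400],
]);

// True for nimbata.com and its subdomains (the five listed hosts all match).
function isNimbataHost(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return host === "nimbata.com" || host.endsWith(".nimbata.com");
  } catch {
    return false; // not an absolute URL
  }
}

// scan = { consentGranted, cookies: [{name, maxAge}], requests: [url] }
// maxAge is in seconds; null means a session cookie. This input shape is hypothetical.
function auditScan(scan) {
  const findings = [];
  for (const { name, maxAge } of scan.cookies) {
    // Assumption: any "nimbata_" prefixed cookie belongs to the vendor script.
    if (!name.startsWith("nimbata_")) continue;
    if (!scan.consentGranted) {
      findings.push({ type: "cookie-before-consent", subject: name });
    } else if (!INVENTORY.has(name)) {
      findings.push({ type: "cookie-not-in-inventory", subject: name });
    } else if ((maxAge ?? 0) > INVENTORY.get(name)) {
      findings.push({ type: "lifetime-exceeds-inventory", subject: name });
    }
  }
  if (!scan.consentGranted) {
    for (const url of scan.requests.filter(isNimbataHost)) {
      findings.push({ type: "request-before-consent", subject: new URL(url).hostname });
    }
  }
  return findings;
}

// Constructed sample scans (not real scanner output; the script path is a placeholder).
const BEFORE_OPT_IN = { consentGranted: false,
  cookies: [{ name: "nimbata_visitor", maxAge: 31536000 }, { name: "session_id", maxAge: null }],
  requests: ["https://js.nimbata.com/placeholder.js", "https://notnimbata.com/x.js"] };
const AFTER_OPT_IN = { consentGranted: true,
  cookies: [{ name: "nimbata_session", maxAge: null }, { name: "nimbata_attribution", maxAge: 90 * 86400 },
            { name: "nimbata_debug", maxAge: 60 }],
  requests: ["https://cdn.nimbata.com/placeholder.js"] };
```

An empty result for the pre opt in scan is the evidence to keep with the record of processing; any finding after opt in means the cookie policy and the deployed script have drifted apart.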