Roistat is an end to end marketing analytics platform operated by Roistat OOO from Moscow. It combines website analytics, dynamic call tracking, form tracking and CRM integration to attribute every lead and order to a marketing source. Roistat sets persistent cookies, replaces phone numbers per visitor and exports personal data to servers in Russia. For European deployments this creates a high risk transfer to a jurisdiction without an EU adequacy decision and demands explicit consent plus supplementary safeguards.
Roistat is an end to end marketing analytics platform developed by Roistat OOO, a company based in Moscow. It is used by performance marketing teams to attribute every form lead, phone call and order to a specific advertising channel, campaign, keyword and creative. Roistat combines a JavaScript tracker on the website, dynamic call tracking that swaps phone numbers per visitor, integrations with CRM systems and ad platforms, and a centralised dashboard that computes return on investment, cost per lead and revenue per channel.
Originally designed for the Russian and CIS markets, Roistat is still used by European businesses that operate in those markets. From a GDPR perspective the central fact is that production data is processed on infrastructure in the Russian Federation, which has no adequacy decision and is subject to broad state surveillance powers.
Roistat sets persistent first party cookies such as roistat_visit, roistat_first_visit, roistat_visit_cookies_v2 and roistat_visit_id (typically 12 months) to identify the same visitor across sessions. It captures IP address, browser fingerprint, referrer, landing page, full URL parameters (utm, gclid, fbclid, yclid), interaction events and form submissions. The dynamic call tracking module reads the visitor cookie to replace the phone number displayed on the page with a number assigned to the visit, then logs caller ID, call duration, recording (if enabled) and the source campaign.
CRM integrations push lead identifiers, deal status, revenue and contact details into the Roistat warehouse. Server side connectors also export ad spend, click IDs and conversion data. All of this is concentrated on Roistat infrastructure in Russia.
Reading and writing cookies on a user terminal for analytics or marketing purposes triggers Article 5(3) of the ePrivacy Directive: prior, informed, freely given consent is required, with very narrow exemptions. Roistat does not qualify for any of those exemptions. Beyond cookies, Roistat processes personal data within the meaning of Article 4 GDPR (IP, persistent identifier, phone number, voice recording, CRM identity), so the merchant must also identify a valid Article 6 GDPR legal basis. CNIL guidance is explicit that call tracking with dynamic number insertion requires consent and proportionality analysis.
In practice the only sound legal basis for Roistat on a European site is consent under Article 6(1)(a) GDPR, paired with the ePrivacy consent for cookies. Given the destination country (Russia) and the breadth of processing (analytics, call tracking, CRM enrichment), explicit consent is recommended. The script must not run before the user opts in, the assigned tracking number must not replace the static number until consent is granted, and refusal must be as easy as acceptance under EDPB Guidelines 03/2022.
Russia is not covered by any EU adequacy decision. Any transfer of EEA personal data to Roistat infrastructure therefore relies on Article 46 GDPR safeguards, in practice the EU Standard Contractual Clauses combined with supplementary measures, and on a transfer impact assessment as set out in EDPB Recommendations 01/2020. The TIA must take into account Russian Federal Law 152 FZ, the SORM technical interception regime, the broad investigative powers of the FSB and the suspension of the relationship between Russia and the Council of Europe since 2022, which removes ECHR redress. The CNIL, the EDPB and several DPAs have signalled that ordinary SCCs without strong supplementary measures are unlikely to be sufficient for Russia. Sanctions regimes may also restrict the ability to contract.
Carry out and document a DPIA. Sign SCCs with Roistat OOO, document supplementary measures (encryption in transit, pseudonymisation of identifiers, contractual prohibition on disclosure to authorities beyond binding orders, data minimisation, short retention, call recording disabled by default). Block the Roistat tag and the dynamic number swap until consent is recorded. Disclose the Russia transfer prominently in the privacy notice. Limit which forms feed Roistat. Review sanctions exposure with legal. For most EU only operations, consider replacing Roistat with EU hosted call tracking and attribution tools.
Websites using Roistat must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Article 35 GDPR is strongly recommended and likely mandatory because Roistat combines large scale behavioural tracking with dynamic call tracking, CRM enrichment and cross device profiling, and because it transfers personal data to Russia, a country without an EU adequacy decision. The DPIA must describe categories of data (IP, full URL, click ID, persistent visitor cookie, assigned phone number, call recordings if enabled, CRM identifiers), processing purposes, retention periods, the transfer mechanism, the supplementary technical and organisational measures (encryption, pseudonymisation, contractual restrictions on government access), the residual risk after measures and the legal basis (almost always explicit consent). Consider whether EU hosted alternatives reduce risk to acceptable levels.
Sample consent text
We use Roistat, a marketing analytics and call tracking platform operated from Russia by Roistat OOO, to measure how our advertising drives website visits, phone calls and orders. With your consent Roistat installs persistent cookies, replaces the phone number displayed on the page with a tracking number assigned to your visit, records call metadata and forwards your interactions to Roistat servers in the Russian Federation. Russia is not covered by an EU adequacy decision; transfers rely on EU Standard Contractual Clauses with supplementary measures. You can refuse without losing access to the site.
Third-party domains contacted
roistat.com
cloud.roistat.com
cdn.roistat.com
api.roistat.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| roistat_visit | Persistent | 12 months | Persistent first party identifier that ties every page view, form submission and inbound phone call to the same visit and visitor for marketing attribution and ROI calculation in the Roistat warehouse. |
| roistat_visit_id | Persistent | 12 months | Unique numeric identifier of the current visit. Used by the dynamic call tracking module to assign and recall the phone number swapped on the page. |
| roistat_first_visit | Persistent | 12 months | Records the source, medium, campaign, content and term of the first observed visit. Enables first touch attribution alongside last touch. |
| roistat_visit_cookies_v2 | Persistent | 12 months | Stores the click identifiers (gclid, yclid, fbclid) and full set of UTM parameters captured at the start of the visit, used for cross channel attribution. |
| roistat_marker | Local Storage | Until cleared | Local storage marker written by the Roistat JavaScript bundle to detect repeat visitors when cookies are blocked and to coordinate the dynamic phone number swap. |
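
An added example, not code from Roistat or from this page: a check that a recorded page load shows no Roistat activity before the opt-in, using the domains, cookie names and local storage key listed above. The snapshot format, the sample capture, the placeholder paths and the phone numbers are constructed assumptions.

```javascript
// Added example (not Roistat or CMP code): audit a recorded page load for
// Roistat activity that happened before the consent opt-in.
const ROISTAT_COOKIES = new Set(["roistat_visit", "roistat_visit_id",
  "roistat_first_visit", "roistat_visit_cookies_v2"]);
const ROISTAT_STORAGE_KEYS = new Set(["roistat_marker"]);

// Matches roistat.com and every subdomain, but not look-alikes such as
// "notroistat.com" or "roistat.com.example".
function isRoistatHost(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return false; }
  return host === "roistat.com" || host.endsWith(".roistat.com");
}

// snapshot.consentAt is the opt-in timestamp in ms, or null if the visitor
// never opted in (then every event counts as pre-consent).
function auditPreConsent(snapshot) {
  const before = (t) => snapshot.consentAt === null || t < snapshot.consentAt;
  const findings = [];
  for (const r of snapshot.requests)
    if (before(r.at) && isRoistatHost(r.url))
      findings.push({ type: "request", detail: new URL(r.url).hostname, at: r.at });
  for (const c of snapshot.cookies)
    if (before(c.at) && ROISTAT_COOKIES.has(c.name))
      findings.push({ type: "cookie", detail: c.name, at: c.at });
  for (const s of snapshot.storage)
    if (before(s.at) && ROISTAT_STORAGE_KEYS.has(s.key))
      findings.push({ type: "localStorage", detail: s.key, at: s.at });
  for (const p of snapshot.phone) // displayed number must stay static until opt-in
    if (before(p.at) && p.shown !== snapshot.staticNumber)
      findings.push({ type: "number-swap", detail: p.shown, at: p.at });
  return findings.sort((a, b) => a.at - b.at);
}

// Constructed sample capture: consent is given at t=5000 ms.
const sample = {
  consentAt: 5000,
  staticNumber: "+33 1 00 00 00 00",
  requests: [
    { url: "https://shop.example/", at: 0 },
    { url: "https://cloud.roistat.com/placeholder-path", at: 120 },
    { url: "https://roistat.com.example/x", at: 130 },
    { url: "https://api.roistat.com/placeholder-path", at: 5200 },
  ],
  cookies: [{ name: "roistat_visit", at: 150 }, { name: "session", at: 10 }],
  storage: [{ key: "roistat_marker", at: 5300 }],
  phone: [{ shown: "+33 1 00 00 00 00", at: 50 }, { shown: "+33 1 00 00 00 99", at: 400 }],
};
console.log(auditPreConsent(sample));
```

An empty result means the tag, its identifiers and the number swap all stayed blocked until the opt-in; any finding is a consent-gating failure to fix in the CMP or tag manager configuration.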
Roistat sets persistent first party cookies such as roistat_visit, roistat_first_visit, roistat_visit_cookies_v2 and roistat_visit_id, typically for 12 months, to identify the same visitor across sessions and channels. It collects IP address, browser fingerprint, referrer, full URL parameters (utm, gclid, fbclid, yclid), page interactions and form submissions. The dynamic call tracking module reads the visitor cookie to swap the phone number displayed on the page for a number assigned to that visit, and then captures caller line identity, call duration, recording audio when enabled, and the attributed campaign. CRM integrations push lead identifiers, deal status and revenue back into the Roistat warehouse hosted in Russia.
Yes. Roistat sets persistent cookies and reads identifiers from the user terminal for analytics and marketing purposes that are not strictly necessary, so Article 5(3) of the ePrivacy Directive and its national transpositions require prior, informed and freely given consent. The dynamic call tracking number swap and the CRM enrichment add behavioural and contact level processing that also requires Article 6 GDPR consent. The Roistat script must therefore not run, and the displayed phone number must not be replaced, until the consent management platform records an opt in. Refusal must be as easy as acceptance under EDPB Guidelines 03/2022.
On a European website the only sound legal basis is consent under Article 6(1)(a) GDPR, paired with the ePrivacy consent for cookies and identifiers. Legitimate interest under Article 6(1)(f) is not appropriate because the processing is intrusive (persistent identifier across sessions, dynamic phone number swap, voice recording, CRM enrichment) and because it entails a transfer to Russia, a country without an adequacy decision. Given those factors regulators expect explicit consent that is specific to analytics, call tracking and to the international transfer, with a granular refusal option.
Yes, and this is the central compliance issue. Roistat OOO operates its production infrastructure from the Russian Federation. Russia has no European Commission adequacy decision; its surveillance framework (notably Federal Law 152 FZ, the SORM technical interception regime, and the broad investigatory powers of the FSB) and the 2022 suspension of the Council of Europe relationship remove effective redress for EU data subjects. Transfers must rely on Article 46 GDPR safeguards, in practice the EU Standard Contractual Clauses with supplementary technical and organisational measures, and on a detailed transfer impact assessment in line with EDPB Recommendations 01/2020.
Yes. A DPIA under Article 35 GDPR is strongly recommended and likely mandatory because Roistat meets several of the criteria that trigger a high risk assessment: large scale behavioural tracking, persistent cross session identifier, dynamic call tracking that intercepts a real time voice channel, enrichment with CRM identity, and transfer to a country without an adequacy decision. The DPIA must describe data categories, retention, transfer mechanism, the supplementary measures applied (encryption, pseudonymisation, contractual restrictions), residual risk after measures and the chosen legal basis, and must be revisited if call recording or sensitive forms are added.
Sign SCCs with Roistat OOO and document supplementary measures (encryption in transit, pseudonymised visitor identifier, contractual restriction on disclosure to authorities beyond binding court orders, minimised retention, call recording disabled by default). Conduct the DPIA and publish a summary of it. Block the tracking tag and the dynamic phone swap until consent is recorded by a compliant CMP. List the Russia transfer prominently in the privacy notice. Restrict the modules deployed (call tracking only on relevant pages, no recording, no extra profiling). Add Roistat to the vendor list of the CMP. Review sanctions exposure with legal.
EU hosted attribution and call tracking platforms typically reduce both consent friction and transfer risk. Consider Dialogtech, Phonexa, CallRail (with EU residency option), Hubspot or Salesforce native attribution, Matomo plus a European call tracking provider (Mediahawk, Infinity, FreeSpee, Magnetic North), Adobe Analytics with EU servers, Piwik PRO, or Mixpanel with EU residency. All of them still require consent for non essential cookies, but most operate from the EEA or under an adequacy decision, which simplifies the transfer impact assessment and the privacy notice.
In the cookie notice, list the Roistat first party cookies by name with their stated duration and category (analytics, marketing, call tracking), and tie them to the Roistat purpose in your CMP. In the privacy notice, name Roistat OOO as the data importer in Russia, identify it as a processor, give the legal basis (consent), name the data categories (IP, persistent identifier, phone, call metadata, CRM identity), name the destination country, link to the SCCs and the supplementary measures, give the retention period, and give the channels to withdraw consent and exercise rights. Re-audit after every Roistat configuration change.