RudderStack is a warehouse first customer data platform (CDP) that collects events from websites, mobile apps and servers and routes them to analytics, marketing and data destinations in real time. It positions itself as a privacy aware open source alternative to Segment. RudderStack can be deployed in an EU region of the cloud service or self hosted on the customer's own infrastructure for full data residency.
RudderStack is an open source, warehouse first customer data platform that captures events from web and mobile applications, the server side and even other data sources, then routes those events to a wide range of destinations: data warehouses (Snowflake, BigQuery, Redshift, Databricks), analytics tools (GA4, Amplitude, Mixpanel), marketing platforms (Meta, Google Ads, Klaviyo), reverse ETL connectors and customer support systems. Engineers consume RudderStack through the rudder-sdk-js library on the website, through server side SDKs in Node.js, Python, Java and Go and through transformation pipelines.
RudderStack collects identify, track, page, screen, group and alias events that include a user identifier or anonymous identifier, the page URL and Referer, the User Agent, the IP address, custom properties, traits and event context. By default the JavaScript SDK persists a pseudonymous anonymous_id in a first party cookie or in localStorage so that events can be tied to the same visitor over time. Server side events can be sent without any cookie. The platform also keeps queues, dead letter logs and audit trails that contain personal data.
RudderStack handles tracking events that are by nature analytics or marketing data, which triggers the ePrivacy consent rule for the JavaScript SDK and the GDPR consent requirement under Article 6(1)(a) for events routed to analytics or advertising destinations. Strict server side or transactional events that are necessary to operate the service can rely on performance of a contract under Article 6(1)(b) GDPR, while abuse and fraud signals can be processed under legitimate interest under Article 6(1)(f) GDPR. RudderStack offers a native consent management integration that propagates the consent state to each downstream destination.
RudderStack Cloud offers an EU region (eu-west-1 Dublin) alongside US and APAC. Even with an EU workspace, account, billing and observability data are processed in the United States. Transfers rely on the RudderStack Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3, encryption at rest, SOC 2 Type II, ISO 27001 and HIPAA (with a BAA) controls. Customers who require the strictest residency can self host RudderStack open source on AWS, GCP, Azure or OVHcloud in the EU.
Sign the RudderStack Data Processing Addendum, deploy your workspace in eu-west-1 or self host the open source distribution in the EU, integrate a consent management platform so that the JavaScript SDK only fires after consent, and configure destination level filtering to forward events only to consented destinations. Document the RudderStack pipeline in your record of processing activities, set short event retention windows in the warehouse, and review downstream destinations that may push personal data outside the EU.
Websites using RudderStack must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required when RudderStack is deployed at scale to centralise behavioural data from EU users, especially when destinations include US advertising platforms (Google Ads, Meta, TikTok). A DPIA is also recommended for regulated sectors (financial services, health, public sector) or when sensitive user attributes are routed through the CDP.
Sample consent text
We use RudderStack, an open source customer data platform operated by RudderStack Inc. (USA, with an EU region available). RudderStack captures events about your browsing (page views, clicks, form submissions) and routes them to our analytics and marketing tools. By accepting, you allow this collection and transfer under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
rudderlabs.com, rudderstack.com, dataplane.rudderstack.com, cdn.rudderlabs.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rl_anonymous_id | Analytics | 1 year | First party cookie or localStorage entry set by the RudderStack JavaScript SDK to store a pseudonymous identifier for the visitor across sessions. |
| rl_user_id | Analytics | 1 year | First party cookie or localStorage entry that stores the identified user ID once the application calls rudderanalytics.identify(). |
| rl_trait | Analytics | 1 year | Stores user traits forwarded with subsequent track and page calls, such as locale, plan or pseudonymous segments. |
| rl_page_init_referrer | Analytics | 1 year | Stores the initial referrer of the visitor session for attribution and reporting purposes. |
The RudderStack JavaScript SDK persists a first party cookie or localStorage entry named rl_anonymous_id (sometimes ajs_anonymous_id for Segment compatibility) containing a pseudonymous identifier for the visitor. A rl_user_id cookie is added when the user is identified. Server side events do not require any cookie.
Yes. Because RudderStack typically forwards events to analytics or marketing destinations, the ePrivacy storage rule and Article 6(1)(a) GDPR apply. The JavaScript SDK must not load until consent is recorded, and RudderStack should be configured with destination level consent so that only consented destinations receive each event.
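The two controls described above (no SDK storage before consent, and forwarding only to consented destinations) can be checked with a small audit like the following. This is an added example, not RudderStack or FlowConsent code: the consent object shape, the function names and the destination-to-category mapping are assumptions, and only the rl_* and ajs_anonymous_id storage keys come from this page.

```javascript
// Storage keys named on this page; everything else here is hypothetical.
const RUDDER_KEYS = ['rl_anonymous_id', 'rl_user_id', 'rl_trait',
  'rl_page_init_referrer', 'ajs_anonymous_id'];

// Extract cookie names from a document.cookie-style string.
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

// The SDK may load only once a choice is recorded and a tracking category is granted.
function shouldLoadSdk(consent) {
  return consent.recorded === true &&
    (consent.analytics === true || consent.marketing === true);
}

// Report RudderStack identifiers found in cookies or localStorage while the
// SDK should not have run yet: each hit means tracking started before consent.
function preConsentFindings(consent, cookieString, localStorageKeys) {
  if (shouldLoadSdk(consent)) return [];
  const present = new Set([...cookieNames(cookieString), ...localStorageKeys]);
  return RUDDER_KEYS.filter((key) => present.has(key));
}

// Destination-level filtering: keep only destinations whose category was granted.
function allowedDestinations(consent, destinations) {
  return destinations
    .filter((d) => consent[d.category] === true)
    .map((d) => d.name);
}

// Constructed sample data (category assignments are assumptions).
const SAMPLE_DESTINATIONS = [
  { name: 'GA4', category: 'analytics' },
  { name: 'Amplitude', category: 'analytics' },
  { name: 'Meta', category: 'marketing' },
  { name: 'Klaviyo', category: 'marketing' },
];
const SAMPLE_COOKIES = 'session=abc123; rl_anonymous_id=constructed-value';
const SAMPLE_STORAGE_KEYS = ['theme', 'rl_trait'];

const noChoiceYet = { recorded: false };
const analyticsOnly = { recorded: true, analytics: true, marketing: false };
console.log(preConsentFindings(noChoiceYet, SAMPLE_COOKIES, SAMPLE_STORAGE_KEYS));
console.log(allowedDestinations(analyticsOnly, SAMPLE_DESTINATIONS));
```

In a browser, the inputs would be document.cookie and Object.keys(localStorage), read on first page load before the visitor has interacted with the banner.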
Consent under Article 6(1)(a) GDPR for analytics, marketing and advertising events. Performance of a contract under Article 6(1)(b) GDPR for transactional or product events that are required to deliver an authenticated service. Legitimate interest under Article 6(1)(f) GDPR for fraud detection and security events.
RudderStack signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Customers can deploy the cloud workspace in eu-west-1 (Dublin) or self host the open source distribution on EU infrastructure for full residency.
A DPIA is required when RudderStack centralises behavioural data from EU users at scale, when it routes events to US advertising platforms or when sensitive attributes (health, finance, location) are processed. A DPIA is also recommended for regulated sectors or when significant volumes of EU minors are tracked.
Sign the RudderStack Data Processing Addendum, deploy in eu-west-1 or self host in the EU, configure the consent management integration so that the SDK only fires after consent and so that destinations only receive consented events, define short retention windows in the warehouse and document RudderStack in your record of processing activities.
European or open source alternatives include Snowplow (self hosted, originally UK), PostHog (self hosted or EU cloud), Jitsu (self hosted open source), Castled.io, Inveterate (Germany) and Segment with the EU residency add on. Self hosting RudderStack open source on OVHcloud or Scaleway is also a strong residency option.
List RudderStack Inc. as the processor of the customer data platform, describe the first party rl_anonymous_id cookie or localStorage entry, mention the downstream destinations that receive events (GA4, Meta Pixel, Klaviyo, Snowflake, etc.), state the legal basis and the SCC plus DPF safeguards for US transfers, and link to the RudderStack Privacy Policy.