Statsig is a feature flagging, experimentation and product analytics platform used by engineering and product teams to run A/B tests, roll out features gradually and measure their impact. It ships client and server SDKs that send event streams to Statsig's US cloud. For EU customers, Statsig requires careful configuration: prior consent for browser identifiers, optional EU data residency on enterprise plans, and a documented transfer mechanism whenever data leaves the EEA.
Statsig is a feature flagging, experimentation and product analytics platform. It ships JavaScript, iOS, Android, Node, Python, Go and other SDKs. The SDKs assign or read a stable user identifier, send exposure logs when a feature flag is evaluated, and forward custom events to the Statsig cloud where dashboards and statistical tests run.
Statsig collects stable user IDs, IP addresses, user agent, device platform, app version, language, country, timestamps, feature flag exposures, experiment assignments and custom events provided by the developer. Custom events can include order values, signup actions or any other product event. Statsig also stores cohort assignments for the duration of an experiment.
When Statsig runs in the browser, it reads or writes a stable user ID, typically in localStorage. Under article 5(3) ePrivacy, this requires prior consent unless the storage is strictly necessary. Experimentation and analytics are not strictly necessary, so consent is required. The merchant is the controller, Statsig is the processor, and a data processing agreement (DPA) is mandatory.
In the browser, the Statsig SDK should be gated behind the Consent Management Platform (CMP) and only initialised after the user has accepted the analytics category. For mobile apps, the user must be informed at first launch and have the ability to opt out. Server side flags evaluated solely on first party signals (account ID, plan tier) can rely on legitimate interest after a balancing test.
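As an added example (not code from Statsig or FlowConsent), the consent gate described above: the browser SDK is initialised only once the CMP reports analytics consent, Statsig's `statsig.*` storage keys are purged when consent is refused or withdrawn, and an audit check flags keys written before consent. It assumes the CMP passes `{ analytics: true|false }`, that `initSdk` wraps whichever Statsig SDK initialiser you use, and that a constructed in-memory stand-in replaces `window.localStorage` and the real SDK so the file runs in Node.

```javascript
// Assumed SDK behaviour: Statsig keeps its state in Web Storage keys prefixed
// "statsig." (the cookie table lists statsig.stable_id and statsig.overrides).
const STATSIG_KEY_PREFIX = "statsig.";

// Constructed stand-in for window.localStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Web Storage has no "list keys" call, so walk key(i) the way a browser would.
function statsigKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k && k.startsWith(STATSIG_KEY_PREFIX)) keys.push(k);
  }
  return keys;
}

class StatsigConsentGate {
  constructor(storage, initSdk) {
    this.storage = storage; this.initSdk = initSdk; this.client = null;
  }
  // CMP consent-change hook: initialise once on acceptance, purge on refusal/withdrawal.
  onConsent(consent) {
    if (consent.analytics === true) {
      if (!this.client) this.client = this.initSdk();
    } else {
      if (this.client && typeof this.client.shutdown === "function") this.client.shutdown();
      this.client = null;
      for (const k of statsigKeys(this.storage)) this.storage.removeItem(k);
    }
    return this.client !== null;
  }
  // Audit check: Statsig keys present while the SDK is not consented-in mean a leak
  // (e.g. an SDK loaded by a tag manager outside this gate).
  leakedKeys() { return this.client ? [] : statsigKeys(this.storage); }
}

// Constructed stand-in for the real SDK initialiser: writes the keys the page lists.
function fakeStatsigInit(storage) {
  storage.setItem("statsig.stable_id", "constructed-uuid-1234");
  storage.setItem("statsig.overrides", "{}");
  return { shutdown() {} };
}
```

In a real page, pass `window.localStorage` and a closure that constructs and initialises the Statsig client, and call `onConsent` from the CMP's consent-change callback as well as once at page load with the stored consent state.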
By default Statsig stores data in US regions, so EU user data is transferred to the US. Enterprise customers can request EU data residency, which keeps event and exposure data in EU regions. Without EU residency, transfers must rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where Statsig is certified, with supplementary measures such as encryption and IP truncation.
Sign a DPA, evaluate EU data residency, gate Statsig behind consent for browser usage, document custom events in the records of processing, set conservative retention, avoid sending personal identifiers in event payloads, and audit who in the company can access Statsig dashboards. Refresh the cookie policy with any browser storage Statsig writes.
DPIA considerations
A DPIA is recommended when Statsig is used for behavioural experimentation on large EU user bases. Document necessity, minimisation, retention, the use of stable user IDs, IP collection, transfer to the US under SCCs, and the availability and configuration of EU data residency.
Sample consent text
We use Statsig to test and improve our product through feature flags and experiments. Statsig stores an identifier on your device and sends event data to its US cloud under Standard Contractual Clauses. We will only activate Statsig analytics if you accept.
Third-party domains contacted
statsig.com
events.statsigapi.net
api.statsig.com
featuregates.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| statsig.stable_id | persistent | 2 years | Stable user identifier stored in localStorage (or fallback cookie) used by Statsig to consistently assign users to experiment variants. Requires consent. |
| statsig.overrides | persistent | 30 days | Optional storage of feature flag overrides for the current user, used during development and QA. Requires consent if used in production. |
Statsig stores a stable user identifier in localStorage (or a fallback cookie when localStorage is unavailable) and an exposure cache so that flag evaluations stay consistent across page loads. Server side use of Statsig does not store anything on the user device.
Yes, when it runs in the browser. Article 5(3) ePrivacy requires prior consent before Statsig writes its stable identifier to localStorage. Server side use that does not rely on browser storage and that processes only first party account data can rely on legitimate interest after a documented balancing test.
Browser analytics: user consent under article 6(1)(a) GDPR and article 5(3) ePrivacy. Server side experimentation on first party data: legitimate interest under article 6(1)(f) GDPR, with a balancing test that considers the necessity, the user impact and the safeguards in place.
By default, yes. Statsig is a US company and stores data in US regions. Enterprise customers can request EU data residency. Without it, transfers must rely on SCCs, the EU-US Data Privacy Framework where Statsig is certified, and supplementary safeguards.
A DPIA is recommended for large scale behavioural experimentation, particularly on consumer products. It should document the purpose, the categories of data, retention, transfers, the use of stable identifiers and the controls preventing harmful experiments.
Sign a DPA, evaluate the EU data residency option, gate the browser SDK behind consent, avoid sending direct personal identifiers in event payloads (use pseudonymous IDs), limit retention, restrict access to dashboards and document the practice in the records of processing.
Alternatives include Eppo, GrowthBook (open source and EU hostable), Unleash (open source), Flagsmith (EU hosted available), LaunchDarkly (US, with EU data residency option), and Optimizely Feature Experimentation. EU hosted or self hosted options reduce transfer risk.
List Statsig in the cookie policy with vendor name, purposes (feature flagging, A/B testing, product analytics), storage type (localStorage and optional cookies), lifetime, third country transfer to the US, and legal basis (consent). Update the policy whenever the Statsig SDK adds new storage or transfers data to new regions.