Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
WebSTAT is a website analytics and visitor tracking service operated from Denmark and used widely in the Nordic region. It provides traffic statistics, visitor sessions, page popularity, referrer analysis, geolocation by country and city, screen and browser data, search keyword reports and conversion tracking. WebSTAT is positioned as a European, privacy oriented alternative to Google Analytics, with data stored on EU servers, configurable retention and an optional cookieless mode that relies on hashed and truncated IP addresses. It is offered through a freemium model targeting small and mid sized websites and e commerce sites.
WebSTAT is one of the oldest European web analytics services, launched in 1999 and operated by a Danish company headquartered near Copenhagen. It targets website owners who want detailed traffic statistics with European hosting, no advertising network entanglements and a transparent pricing structure. The product covers core analytics such as visits, unique visitors, page views, bounce rate, average session duration, traffic sources, search keywords, geolocation, screen resolution and browsers. It also offers a basic e commerce module and integrations with content management systems through plugins.
In its default configuration, WebSTAT loads a small JavaScript tracker on each page that creates a first party cookie (typically ws_session and ws_visitor) to recognise returning visitors over a configurable retention period. The tracker collects URL, referrer, user agent, screen size, language, country derived from the IP address, time on page and clicks on outbound links. The IP address can be truncated server side. A cookieless mode is available which relies on a daily salted hash of IP and user agent.
Article 5(3) of the ePrivacy Directive treats analytics cookies as non strictly necessary by default, which means the standard WebSTAT integration requires consent. WebSTAT may be deployed under the legitimate interest basis only if it is configured in cookieless, anonymous mode with IP truncation, short retention and no cross site profiling. Even then, an information notice in the privacy policy remains mandatory and visitors must be able to object.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For the default WebSTAT integration with persistent cookies, ask for prior consent through your consent management platform. Block the tracker until consent is given, and remove cookies on withdrawal. In cookieless mode you can rely on legitimate interest, provided the data is aggregated, IP addresses are truncated and visitors can opt out from your privacy notice.
WebSTAT processes visitor data on Danish data centres and does not export raw analytics outside the EEA. There are no Schrems II transfer concerns in the standard configuration. Customers that enable optional connectors (Google Sheets, Slack, email gateways operated by US providers) introduce a controlled transfer that must be declared, contractually covered and risk assessed.
Enable IP truncation, shorten the visitor cookie lifetime, choose cookieless mode where possible, sign the WebSTAT data processing agreement, integrate the tracker behind your consent management platform, document the processing in the record of processing activities, list WebSTAT in your cookie policy with cookie names and lifetimes, and review optional integrations that could trigger third country transfers.
Websites using WebSTAT must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is not usually required for WebSTAT thanks to EU only hosting and limited data scope, but a short analysis should cover IP address handling, the retention of visitor session histories, fingerprinting risk from screen and browser data, the cookieless mode and any optional third country integrations such as Google Sheets export or Slack alerts.
Sample consent text
We measure traffic on our website with WebSTAT, a Danish analytics provider whose servers are located in the European Union. WebSTAT places cookies on your device to count returning visitors and aggregate usage statistics. We do not share this data with advertising networks. You can refuse these analytics cookies without affecting site functionality.
Third-party domains contacted
webstat.comwebstat.dktracker.webstat.comcdn.webstat.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ws_visitor | first_party | 13 months (configurable) | Long lived first party cookie used by WebSTAT to recognise returning visitors and aggregate unique visitor counts. |
| ws_session | first_party | 30 minutes | Short lived first party cookie that ties page views to the current visitor session for bounce rate and session duration calculations. |
| ws_pref | preference | 1 year | Stores the visitor's consent preference for WebSTAT analytics so that the choice persists across page loads. |
| ws_geo | first_party | session | Caches the country and city derived from the IP address for the duration of the visit to reduce repeated geolocation lookups. |
WebSTAT collects user analytics data — you legally need a consent banner. Try FlowConsent free.
By default WebSTAT sets two first party cookies: ws_visitor, a long lived identifier used to recognise returning visitors and aggregate sessions, and ws_session, a short lived cookie used to attach page views to the current visit. In cookieless mode no persistent identifier is stored, only a daily salted hash is computed server side.
Yes for the default configuration. Persistent first party analytics cookies are considered non strictly necessary under Article 5(3) of the ePrivacy Directive and require prior opt in consent. Cookieless mode with IP truncation and short retention may rely on legitimate interest with an opt out, in line with several European DPA guidances.
Consent for the standard cookie based mode, legitimate interest only when WebSTAT runs in fully anonymous, cookieless mode with IP truncation, short retention and no cross site profiling. Document the chosen basis in your record of processing activities.
No, not by default. WebSTAT is operated from Denmark and stores all visitor data within the EU. Transfers may occur only if you enable optional integrations such as Google Sheets export, Slack notifications or US based email gateways, in which case standard transfer mechanisms apply.
Usually not, because data scope is limited and hosting is EU only. A short risk note is still recommended covering IP processing, session retention, fingerprinting from browser data and the use of any optional connectors. A full DPIA is only needed for high traffic deployments that combine WebSTAT with other identifying systems.
Activate IP truncation, shorten the visitor cookie to 13 months at most, prefer cookieless mode when feature gaps allow it, sign the data processing agreement, integrate the script behind your CMP, document WebSTAT in your privacy notice and cookie policy, and avoid combining the data with personally identifying CRM data.
EU based alternatives include Matomo (self hosted or Matomo Cloud in Germany), Plausible (Germany), Fathom (Canada with EU option), Piwik PRO and Etracker (Germany). Google Analytics 4 remains popular but raises Schrems II concerns that WebSTAT customers usually want to avoid.
Add a section that names WebSTAT as the analytics provider, lists the ws_visitor and ws_session cookies with their purpose and lifetime, states whether IP truncation is enabled, mentions any third party connectors used, indicates the retention period, and provides an opt out link or instructions to manage consent.