Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Flocktory is a Russian on site personalization, popup, referral and post purchase marketing platform owned by Sber. It tracks visitors on ecommerce sites and triggers behavioral campaigns. Consent is required and the use of this tool is high risk for EU operators because data is processed in the Russian Federation, which is not an adequate country under GDPR.
Flocktory is an on site marketing, personalization and referral platform widely deployed by ecommerce sites in Russia and the Commonwealth of Independent States. The tool injects a JavaScript tag in the page, observes visitor behavior in real time, builds a profile of each user and triggers campaigns such as exit intent popups, post purchase offers, email capture forms, member get member referral programs and personalized product recommendations. Flocktory was acquired by Sberbank, now Sber, a Russian state controlled bank that is subject to EU and US sanctions. The platform is operated from the Russian Federation and is primarily marketed to Russian and CIS retailers.
Flocktory collects IP address, user agent, device and browser fingerprinting signals, persistent first party and third party cookies, page URLs, referrer, scroll and click events, time spent, cart and order content, and any personal data the visitor enters into a form such as email address, phone number or name. The collected events are sent to Flocktory servers in real time over HTTPS, then matched server side with the visitor profile. The vendor also supports server to server integrations that enrich the profile with offline data uploaded by the merchant.
Flocktory hosts personal data primarily in the Russian Federation, in line with the Russian data localization rule of Federal Law 152 FZ which requires the personal data of Russian citizens to be stored on servers located in Russia. The Russian Federation is not covered by any European Commission adequacy decision under Article 45 GDPR. Any transfer of personal data from the EEA to Flocktory is therefore an international transfer that must rely on Article 46 safeguards, in practice Standard Contractual Clauses, and on a Transfer Impact Assessment as required by the Schrems II ruling of the Court of Justice of the European Union. The TIA must conclude that supplementary measures are effective against the broad surveillance powers of Russian authorities, in particular the SORM interception regime and Federal Law 374 FZ known as the Yarovaya package. In practice, most EU controllers will find that these measures cannot be made effective, which means the only remaining lawful basis for the transfer is the explicit consent derogation of Article 49(1)(a) GDPR, used on an occasional and non systematic basis only.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Sber, the parent group of Flocktory, has been subject to EU restrictive measures since 2022, including correspondent banking restrictions and asset freezes on certain executives. EU operators that send personal data and payment commissions to a Sber owned vendor must check that the contractual relationship does not breach the EU sanctions regime, in particular the prohibitions of Council Regulation 833/2014 and the SWIFT disconnection measures. Beyond the legal risk, deploying a Russian state linked marketing tool on a European brand site is a reputational risk that should be assessed by the legal, compliance and communications teams.
Because Flocktory drops cookies and reads device identifiers for marketing purposes, Article 5(3) of the ePrivacy Directive applies. Prior, free, specific, informed and unambiguous consent is required before any Flocktory script is loaded. The script must therefore be conditionally injected by a Consent Management Platform, never hard coded in the page header. The information notice presented to the user must disclose the transfer to the Russian Federation, the absence of an adequacy decision, the risk of access by Russian authorities, and the identity of Sber as the ultimate parent. The CNIL has repeatedly stressed that consent collected without disclosing a high risk third country transfer is not informed and therefore not valid.
For most EU controllers, Flocktory is not a recommended choice. The combination of a non adequate third country, an ownership structure exposed to EU sanctions, and the absence of effective supplementary measures against state surveillance makes the residual risk high. EU operators that still need to use the tool, for example to serve a Russian or CIS audience from a separate domain, should isolate that deployment, restrict it to consenting users, document the Article 49 derogation and exclude EU resident traffic by geo filtering at the consent management layer.
Websites using Flocktory must obtain user consent under GDPR regulations.
DPIA considerations
Flocktory processes personal data in the Russian Federation, a country without a GDPR adequacy decision. A Data Protection Impact Assessment under Article 35 GDPR is strongly recommended, and in most cases formally required, before deploying the tool on an EU facing site. The DPIA must cover: the categories of data collected (IP address, device and browser identifiers, behavioral events, email when provided, purchase data), the legal basis for transfer to Russia under Article 46 GDPR, the existence and effectiveness of supplementary measures against access by Russian authorities under Federal Law 374 FZ and the SORM interception regime, the impact of EU sanctions and the ownership by Sber, the retention period, the rights of data subjects in practice when the controller of the data is reachable only in Russia, and the availability of less intrusive alternatives hosted in the EEA.
Sample consent text
We use Flocktory, a marketing personalization service operated by Flocktory Ltd, part of the Sber group, to display popups and personalized offers on this site. Flocktory drops cookies on your device, builds a behavioral profile and transfers your personal data, including your IP address and browsing events, to servers located in the Russian Federation. The Russian Federation is not recognized as providing an adequate level of data protection by the European Commission, and your data may be accessed by Russian public authorities. By clicking Accept, you give your explicit consent to these cookies and to this international data transfer under Article 49(1)(a) GDPR.
Third-party domains contacted
flocktory.comwww.flocktory.comapi.flocktory.comcdn.flocktory.comstatic.flocktory.comevents.flocktory.comp.flocktory.comtracking.flocktory.comsber.rusberbank.ruCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| flocktory | third_party | 1 year | Primary Flocktory identifier cookie used to recognize the visitor across sessions and to attribute popup impressions, conversions and referral events. Stores a unique pseudonymous user ID linked to the behavioral profile on Flocktory servers in Russia. |
| flocktory_uid | third_party | 1 year | Visitor unique identifier set by the Flocktory tag for cross page tracking, profile building and audience segmentation, used to trigger personalized campaigns. |
| flocktory_session | third_party | Session | Session cookie that groups the events of a single visit, used to evaluate campaign triggering rules such as exit intent, scroll depth and time on page. |
| _flocktory | first_party | 1 year | Mirrored first party cookie set on the merchant domain when first party context is enabled, carrying the same Flocktory user identifier to bypass third party cookie restrictions in modern browsers. |
| flocktory_referrer | first_party | 6 months | Stores the identifier of the referring user in a member get member referral campaign, used to attribute the reward when the referred visitor completes a qualifying action. |
| flocktory_popup_state | first_party | 30 days | Stores the state of each popup or exit intent campaign already shown to the visitor, used to enforce frequency capping and prevent re displaying a dismissed offer. |
| flocktory_test | third_party | 90 days | A or B test assignment cookie that pins the visitor to a specific variant of a personalization campaign for the duration of the test to ensure consistent experience and reliable measurement. |
| flocktory_email_lead | first_party | 180 days | Marker cookie indicating that the visitor has submitted an email address through a Flocktory capture form, used to suppress further email capture popups and link the future browsing to the captured contact. |
Flocktory is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Yes. Flocktory drops cookies and reads device identifiers for marketing personalization, so Article 5(3) of the ePrivacy Directive applies. Prior, free, specific, informed and unambiguous consent is required before any Flocktory script is loaded. The script must be conditionally injected by a Consent Management Platform. In addition, because Flocktory processes data in the Russian Federation, the consent must explicitly disclose the international transfer to a non adequate country, the absence of an adequacy decision, the risk of access by Russian authorities and the parent company Sber.
Flocktory hosts personal data primarily in the Russian Federation, in line with Russian Federal Law 152 FZ on data localization. This means that when a European visitor browses a site that loads Flocktory, identifiers and behavioral events are transmitted to servers under Russian jurisdiction. The Russian Federation is not the subject of an adequacy decision of the European Commission under Article 45 GDPR.
High. The combination of behavioral profiling, persistent identifiers, international transfer to a non adequate country, ownership by a sanctioned Russian state controlled bank and the broad surveillance powers of Russian authorities under SORM and Federal Law 374 FZ produces a high residual risk for EU controllers. A Data Protection Impact Assessment under Article 35 GDPR is strongly recommended, and the deployment should be considered only when no EEA hosted alternative is available.
Schrems II was about transfers to the United States, but its reasoning applies by analogy to any transfer to a third country that is not covered by an adequacy decision. Russia is one of those third countries. The controller must perform a Transfer Impact Assessment, assess whether Russian law, in particular Federal Law 374 FZ and the SORM interception regime, ensures a level of protection essentially equivalent to that of the EU, and identify supplementary measures. In most cases, those measures cannot be made effective against Russian state access powers.
On their own, no. SCCs are a paper instrument and cannot prevent access to data by Russian authorities. They must be complemented by supplementary measures, technical, contractual and organizational, that the controller can demonstrate to be effective in the Russian legal context. Given Russian surveillance and data access laws, the EDPB style analysis usually concludes that effective measures cannot be designed. The remaining legal route in practice is the occasional explicit consent derogation of Article 49(1)(a) GDPR.
They can. Sber, the parent company of Flocktory, is subject to EU restrictive measures under Council Regulation 833/2014 and related instruments, including correspondent banking restrictions and asset freezes affecting certain executives. EU operators should obtain a legal review confirming that the payment of fees, the contractual relationship and the data processing arrangement with a Sber owned vendor do not fall within the scope of any prohibition, including indirect facilitation, and that the counter party is not listed on the EU consolidated sanctions list.
In most EU deployments, yes. The CNIL and other supervisory authorities consider that systematic behavioral profiling of website visitors, combined with a transfer to a non adequate third country with a high level of state access to data, meets several criteria of the WP29 guidelines on DPIA. A DPIA under Article 35 GDPR should therefore be performed and documented before go live, and should include a clear conclusion on the residual risk and on the alternatives considered.
There are several EEA hosted alternatives for on site personalization, popups, exit intent and referral marketing, including European or US vendors with EU regions and proper Article 46 transfer mechanisms backed by effective supplementary measures. For most EU controllers, choosing one of those alternatives is the most defensible approach. Flocktory should only be considered for specifically Russian or CIS facing properties, deployed on isolated domains and with EU traffic excluded by geofencing.