Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
WinLocal is a German local SEO and online presence management platform operated by WinLocal GmbH in Frankfurt am Main. It helps businesses synchronise their listings across Google Business Profile, Google Maps, Bing Places, Apple Maps and dozens of local directories, and tracks how customers find and contact them. Because WinLocal embeds tracking pixels and integrates with US based platforms, prior cookie consent is required under the GDPR and the German TTDSG.
WinLocal is a Frankfurt based platform that helps small and medium businesses, multi location brands and agencies manage their local online presence. It distributes business listings (address, opening hours, services, photos) to Google Business Profile, Bing Places, Apple Maps and a long tail of local directories, monitors customer reviews, and measures how potential customers find and contact a business. WinLocal is widely used by German SMEs, dealership networks and local service chains, so its tracking tag and integrations appear on many corporate and franchise websites.
When WinLocal is embedded on a website it typically loads a JavaScript tracking tag and one or more first party or third party cookies to identify returning visitors, attribute phone calls and clicks to specific listings, and measure conversions. Depending on the modules activated it can collect IP addresses, user agent strings, referrer URLs, page paths, click and call events, and, in the case of the optional call tracking module, dynamic phone numbers and call metadata. Listing data such as business addresses, opening hours and review content is also processed on WinLocal infrastructure.
Storing or reading information on a visitor device for marketing analytics purposes is regulated by section 25 TTDSG in Germany (which implements the ePrivacy Directive) and by equivalent national rules in other EU member states. As a result the WinLocal tracking pixel and conversion cookies require prior, freely given, specific, informed and unambiguous consent. The downstream sharing of customer interaction data with Google LLC and Microsoft Corporation also triggers Articles 13, 28 and 44 GDPR, which means an up to date data processing agreement and a transfer mechanism must be in place before the tag is fired.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The lawful basis for loading the WinLocal tag and storing its identifiers is consent under Article 6(1)(a) GDPR. Listing management itself, where WinLocal acts as a processor for the business owner data, can rely on legitimate interest or contract performance under Article 6(1)(b) or 6(1)(f) GDPR. In practice this means the analytics and conversion tracking elements must be gated behind a consent management platform and must not fire until the visitor has clicked accept on a banner that clearly mentions WinLocal or the broader marketing category to which it belongs.
WinLocal itself stores customer data on EU servers, which is favourable from a GDPR perspective. The relevant third country transfers come from its connectors, particularly Google Business Profile and Bing Places, which transmit listing performance metrics to servers in the United States. Operators relying on WinLocal therefore need to declare these transfers in their privacy notice, list the recipients, and rely on Standard Contractual Clauses or the EU US Data Privacy Framework as a transfer mechanism. Review collection modules that include free text customer feedback may also incidentally process special category data and require additional safeguards.
Treat WinLocal as a marketing analytics tag in your consent management platform, sign the WinLocal data processing agreement and document the Google and Bing transfers in your records of processing activities. Block the tag until the visitor accepts the marketing category, expose a clear opt out, and review the configuration whenever new modules (call tracking, heatmaps, review syndication) are activated, since each new module changes the volume and category of personal data processed.
Websites using WinLocal must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not mandatory for the use of WinLocal on a typical SME website because the processing is limited to listing management and standard local SEO analytics. A DPIA should however be considered when WinLocal is combined with call tracking (which records caller numbers), heatmaps, or large scale review aggregation that may include sensitive feedback, since these features increase the volume and sensitivity of personal data processed.
Sample consent text
We use WinLocal to manage our presence on Google Business Profile, Bing Places and other local directories, and to measure how visitors find and contact us. WinLocal sets a tracking pixel and may share aggregated interaction data with Google LLC and Microsoft Corporation in the United States. You can accept or refuse this tracking at any time in our cookie preferences.
Third-party domains contacted
winlocal.deapp.winlocal.detracking.winlocal.decdn.winlocal.deCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wl_uid | first_party | 13 months | Persistent visitor identifier used by WinLocal to recognise returning visitors and attribute multi session interactions to the same user. |
| wl_sid | first_party | Session | Session identifier used to link page views, clicks and form interactions within a single visit to a specific business listing. |
| wl_ct | first_party | 30 minutes | Short lived cookie used by the optional call tracking module to bind a visitor session to the dynamic phone number displayed on the page. |
| wl_consent | first_party | 6 months | Stores the visitor consent state for WinLocal tracking categories so the tag can decide whether to fire on subsequent page views. |
WinLocal uses cookies for user preferences — inform visitors with a consent banner.
When the WinLocal tracking tag is loaded, it typically writes a first party analytics cookie used to identify returning visitors, plus a session cookie used to attribute events (clicks, calls, form submissions) to a specific listing. Depending on the modules activated by the customer it may also store conversion identifiers and, for call tracking, a short lived cookie that links the visitor to a dynamic phone number. All identifiers have a defined retention, typically between the session and 13 months.
Yes. WinLocal sets non strictly necessary cookies and shares interaction data with US based listing providers, so its tracking tag falls under section 25 TTDSG in Germany and equivalent ePrivacy rules elsewhere. The tag must therefore be loaded only after the visitor has given prior, freely given and specific consent through a compliant consent banner. Listing management (the back office side of the service) does not require visitor consent because it does not involve reading or writing on the visitor device.
For the analytics and conversion tracking tag on the visitor side, the legal basis is consent under Article 6(1)(a) GDPR. For the management of business listings, customer accounts and review responses on the operator side, the controller can usually rely on contract performance (Article 6(1)(b) GDPR) or legitimate interest (Article 6(1)(f) GDPR). A data processing agreement with WinLocal GmbH under Article 28 GDPR is required in both cases.
WinLocal hosts its own infrastructure in Germany, so the core listing and analytics data stays in the EU. However, the platform pushes business information and pulls performance metrics from Google Business Profile, Bing Places and other directories, which are operated by US controllers. These onward transfers fall under Article 44 GDPR and must rely on Standard Contractual Clauses or the EU US Data Privacy Framework, and they must be disclosed in the privacy notice.
A DPIA is not automatically required for a standard WinLocal deployment focused on listing management and lightweight local SEO analytics. It becomes relevant when the operator activates call tracking that records caller numbers, large scale review aggregation with sensitive free text content, or systematic monitoring of customer behaviour across multiple locations. In those cases the combination of scope, sensitivity and tracking technologies should be assessed against Article 35 GDPR criteria.
Add the WinLocal tag as a separate, blocked tag in your consent management platform under the marketing or analytics category. Configure the tag manager so that the tag fires only when the visitor has accepted the relevant category, and document the integration in your records of processing activities. Sign the WinLocal data processing agreement, list the third party recipients (especially Google and Microsoft) in your privacy notice and provide a clear way for the visitor to withdraw consent.
Direct alternatives for local SEO and listing distribution include Uberall, Yext, Locatable, BrightLocal and Whitespark. EU based or hybrid solutions include Localoo, Partoo and Mapstr Pro, which often advertise stronger data residency guarantees. The compliance profile of each alternative is very similar because they all push data into Google Business Profile and other US directories, so the decision is usually based on coverage, pricing and integrations rather than on a fundamentally different risk profile.
Add an entry for WinLocal in the cookie list of your privacy or cookie policy, specifying the cookie names, retention, purpose, controller (WinLocal GmbH), processor relationship and the fact that aggregated interaction data may be shared with Google LLC and Microsoft Corporation. Update the marketing or analytics section of your CMP description and re prompt visitors for consent if you are adding meaningful new tracking that was not covered by the previous banner version.