GDPR + the ePrivacy directive say the same thing across 6 articles: without consent you must not track, store, or share personal data. Server-side tracking doesn't bypass consent — it makes compliance easier by giving you control over the data.
Checklist before launch
- CMP banner — implement Cookiebot, Usercentrics, OneTrust, or your own. It must load before the tracking scripts do.
- Consent Mode v2 — mandatory for Google Ads since 6 March 2024. Guide.
- Privacy policy — sections "What data we collect", "Who we share it with", "Retention period".
- DPA with DataNostro — sent automatically after signing the contract, downloadable in the dashboard (Settings → Contractual documents).
- Retention period — DataNostro keeps tracking logs for 90 days (for debugging). After 90 days they're deleted automatically.
- DSAR endpoint — the ability to delete a specific user's data. In the dashboard under Tools → DSAR.
Sub-processors
DataNostro uses EU sub-processors exclusively:
- Hetzner (Falkenstein, Nuremberg) — hosting the tracking server
- Cloudflare R2 (EU region) — file storage
- Comgate — payments (CZ)
- Superfaktura / Fakturoid — invoicing (SK / CZ)
All under EU GDPR jurisdiction. No US transfer, no Schrems II problem.
Common misconceptions
"Server-side tracking doesn't need consent." — Wrong. Consent is about the purpose (tracking behavior for advertising), not the location of the script.
"I just need a pixel + GTM, I don't need a server." — From a pure GDPR perspective true, but ITP/ad-block eats your data, so you'll never reach full attribution. Server-side is about data quality, not GDPR shortcuts.
We help with compliance
If you need a privacy policy review or CMP integration, the DataNostro Care Premium package includes a legal review + Consent Mode v2 deployment in the price.