datascale

GDPR tools for marketing and analytics, mapped across the stack

A GDPR tool either works entirely without personal data or collects it only after documented consent. This page lists 24 tools from our integrations catalog with GDPR status, data location and a short verdict; 7 of them run without a consent banner.

What makes a tool GDPR-capable

Three questions decide it, not marketing claims. First, the legal basis: a tool that works without personal data needs no consent. Once cookies, IPs or IDs are processed, a CMP has to document consent before the first tag fires. Second, the data location: EU hosting or self-hosting ends the US-transfer discussion before it starts. Third, consent integration: a tool that cannot be wired cleanly to Consent Mode V2 or the CMP will, in doubt, fire before consent. That is the most common finding in our audits.

This produces the three tiers in the tables. GDPR-ready: runs without personal data, no banner needed. GDPR-configurable: operable cleanly once consent wiring, hosting region or contracts are right. GDPR-critical: usable only with substantial conditions. The rating comes from our integrations catalog, where each tool's assessment is explained.

What this page is not

Not a directory of privacy-management software. If you need tooling for records of processing, DPA management, risk analyses or audit reports, you are looking for GRC software, a separate category your data protection officer should select. This page covers the marketing and analytics stack: the tools that collect, process and activate data, and therefore have to hold up under the GDPR.

Consent & CMP

Consent & CMP: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
Borlabs CookieGDPR-readySelf-hostedWordPress CMP from Germany. One-time license, data stays on your own server.
UsercentricsGDPR-readyEUEnterprise CMP from Munich. The upper tier to Cookiebot, which belongs to the same company.
CookiebotGDPR-configurableEUFor SMBs. Automatic scanning, quick setup.
OneTrustGDPR-configurableUS / Global / Self-hostedEnterprise CMP. Full configuration complexity, worth it at scale.

Web & Marketing Analytics

Web & Marketing Analytics: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
Plausible Community EditionGDPR-readySelf-hosted / EUSelf-hosted, cookieless. Our default where granularity isn't critical.
Firebase AnalyticsGDPR-configurableUS / GlobalRequired for app tracking. GDPR-compatible when configured correctly.
MatomoGDPR-configurableEUOpen-source classic, darling of the DACH public sector. 100% data ownership, UI a bit dated.
Piano AnalyticsGDPR-configurableEUEuropean analytics leader with maximum GDPR safety (CNIL exemption). Strong for publishers and media.
Piwik PROGDPR-configurableEUEU-hosted, enterprise-grade. The GA4 alternative for consent-critical projects.
GA4GDPR-criticalUS / GlobalWeb standard. Configurable with care, but the defaults are problematic.

Server-Side & Tag Management

Server-Side & Tag Management: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
Google Tag ManagerGDPR-configurableUS / GlobalThe standard tag manager for the web. Free, huge ecosystem, needs governance.
Google Tag Manager Server-SideGDPR-configurableEUStandard tag management, server-side. All containers follow a naming convention.
JENTISGDPR-configurableEUPrivacy-focused server-side tracking platform from Austria. Twin-Server technology and data reduction before forwarding.
stape.ioGDPR-configurableEUManaged server-side GTM hosting in the EU region. Fast start, no GCP overhead.

Event Collection & CDI

Event Collection & CDI: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
SnowplowGDPR-readySelf-hosted / EUOpen-source behavioral-data platform, schema-validated and self-hostable. The cookieless first-party foundation.
RudderStackGDPR-configurableSelf-hosted / EU / USOpen-source event streaming and CDP for engineering teams. Segment-API-compatible, no marketer UI.
SegmentGDPR-configurableEUIndustry leader in event routing. Great UI and ecosystem, but strong lock-in and aggressive pricing.

Data Warehouse

Data Warehouse: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
BigQueryGDPR-configurableEUEU region (europe-west3) by default. Our default for the Marketing Lakehouse.
ClickHouseGDPR-configurableEUBlazing fast columnar database for real-time analytics. Open-source, self-hostable in the EU.
SnowflakeGDPR-configurableEU / GlobalAlternative for a multi-cloud strategy. EU region.

Marketing Automation & Lifecycle

Marketing Automation & Lifecycle: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
BrevoGDPR-readyEUMarketing automation from Paris. Email, SMS and WhatsApp, GDPR-native and affordable.
KlaviyoGDPR-configurableUSLeading e-commerce ESP for email and SMS automation. We implement it where it fits.

Hosting & Infrastructure

Hosting & Infrastructure: GDPR status, as of July 2026
ToolGDPR statusHostingVerdict
CoolifyGDPR-readySelf-hosted / EUSelf-hosted deployment platform on Hetzner EU. Astro SSR and Plausible CE run on it.
Hetzner CloudGDPR-readyEUGerman servers. All Datascale infrastructure runs here.

How to combine the tools

Two routes cover most setups. The cookieless route: Plausible CE or etracker, EU or self-hosting, no banner, full coverage. The price is less attribution depth. The consent route: GA4 or Piwik PRO behind a properly wired CMP, plus server-side tagging that filters PII and makes the consent state verifiable server-side. Mandatory once Google Ads runs with Smart Bidding.

For the analytics decision in detail, GDPR-compliant analytics compares GA4, Plausible, Piwik PRO, Matomo and etracker, including the cookie-banner question. To get the right combination for your setup, the GDPR stack calculator answers it in two minutes. And whether your current setup keeps what the banner promises: theMeasurement Health Check shows it in under 20 seconds.

  • Q01
    What is a GDPR tool?

    A tool that either works without personal data (cookieless, no IP storage, EU-hosted) or can be configured so data collection only starts after documented consent. Three questions decide it: legal basis, data location and consent integration.

  • Q02
    Is Google Analytics 4 a GDPR tool?

    Not with default settings. GA4 needs a DPA with Google Ireland, IP anonymisation, Consent Mode V2 and a properly wired CMP in front of it; then operation is possible with conditions. Teams that want to avoid the transfer risk entirely pick an EU alternative such as Plausible CE or Piwik PRO.

  • Q03
    Which tools work without a cookie banner?

    Tools that set no cookies and process no personal data: Plausible CE, etracker in Signalize mode, and server-side setups without PII. As soon as cookies or personal processing enter (GA4, ads pixels, Matomo with cookies), consent before the first tag is mandatory.

  • Q04
    Are US tools automatically GDPR-critical?

    No, but they carry the transfer question. Since the EU-US Data Privacy Framework (2023) there is an adequacy basis for certified vendors; it remains under political scrutiny. EU hosting or self-hosting takes the question off the table entirely, which is why we list the data location per tool.

  • Q05
    Where do I find privacy-management software (RoPA, DPA management, audits)?

    Not here. This page covers the marketing and analytics stack. Software for records of processing, DPA management or privacy audits is its own category (GRC), best selected by a data protection officer.

  • Q06
    Which GDPR tools fit agencies?

    Agencies need multi-client setups: self-hosted Plausible CE scales across many client sites at fixed cost, Usercentrics and Cookiebot cover CMP operations per client, stape.io hosts one server-side container per client. The stack calculator helps combine them per client profile.