Server-side tracking that keeps delivering under GDPR
Client-side tracking loses 30 to 40 percent of signals. We build the EU-hosted server-side architecture that stops it.
- GA4
- GTM Server-Side
- stape.io
- BigQuery (Frankfurt)
- Consent Mode V2
- Meta CAPI
- Google Enhanced Conv.
- Usercentrics
✓ Certified stape.io & Usercentrics Partner
In short
We rebuild the measurement chain server-side, from the first impression through to GA4, BigQuery and back into Meta, Google and co. via Conversion APIs. Signals that adblockers, ITP and consent loss usually swallow arrive again. GDPR-conform and hosted in the EU.
- Who it is for
- E-commerce & lead-gen with meaningful ad spend
- What you get
- Server-side setup, CMP integration & QA against the blueprint
- Entry
- Audit Sprint from €2,400, in 2 weeks
01Quick self-check
You're in the right place if:
Tick what applies.
02How it works
From click to platform, in four steps.
First-party to your own server, not through dozens of third-party domains.
- browser → 1st-party
Signal
An event fires in the browser and goes first-party to your own subdomain, not directly to Google.
- GTM SS · stape.io
Server container
GTM Server-Side on stape.io receives the event, filters PII and enriches it.
- Consent Mode V2
Consent gate
Consent Mode V2 decides before every tag which data flows. Without consent, modelled only.
- GA4 · CAPI · BigQuery
Distribution
The clean event goes to GA4 and Meta CAPI, and in parallel to BigQuery Frankfurt.
03What we build
Was wir bauen
Client-side tracking loses signals to ITP, adblockers and consent gaps. Ad algorithms then optimise against noise. We rebuild the measurement chain, server-side.
100 percent via stape.io, routed into BigQuery Frankfurt. GDPR-compliant analytics from the ground up, ready for the EU AI Act. The model is simple: spec from us, code from your dev team, QA back to us. No vendor lock-in.
Marketing wants data. The DPO blocks. Both are right. That only ends when the separation is forced at server level, not in the analysis spreadsheet: PII filtered before it reaches Google, consent state server-side, an audit log the DPO can query any time.
04The difference
Client-side only vs. EU server-side.
Architecture: EU-first data routing with strict PII separation. BigQuery in the Frankfurt region sidesteps US CLOUD Act transfers before any anonymisation.
05The building blocks
Four modules. One setup.
Bookable individually or as a chain, depending on the maturity of your existing tracking.
Web Analytics Setup & Audit
Full implementation or technical audit of an existing web analytics setup. Tool-agnostic, we recommend what fits the use case.
Concretely: GA4, Plausible CE or Matomo, server-side via stape.io, UA-to-GA4 cleanup, cross-domain, bot and referral filters.
Tools: GA4 · Plausible CE · GTM · GTM Server-Side · stape.io
Mobile & App Analytics (Firebase)
Analytics for native and hybrid apps. Firebase properly configured, with an event schema that fits the web strategy and merges into BigQuery.
Concretely: iOS/Android event schema, privacy-first Firebase config, app consent with enterprise CMP, Firebase ↔ GA4 BigQuery export.
Tools: Firebase Analytics · GA4 · BigQuery · Usercentrics · OneTrust
Cookie Consent & Consent Engineering
The consent layer is not a checkbox. Misconfigured it destroys data, configured properly it protects users and lets analysis run.
Concretely: CMP selection and setup, cookie scanning, Consent Mode V2, pre-consent scan, ongoing CMP operations.
Tools: Usercentrics · OneTrust · Cookiebot · Consent Mode V2
Conversion APIs & ad platforms
Pixel plus Conversion API per platform, distributed from one server container and deduplicated via a shared event ID. Conversions arrive in the platforms without counting twice.
Concretely: Meta, Google, TikTok, LinkedIn, Criteo, Outbrain. Click-ID capture (gclid, fbclid), CRM and offline conversions, match-quality monitoring.
Tools: Meta CAPI · Google Enhanced Conv. · TikTok Events · LinkedIn CAPI
06Who it is for
When it pays off.
Product & Engineering
Teams building a new app or website who want analytics set up correctly from day one, not as an afterthought in sprint 12.
Marketing
Teams who know their GA4 setup is broken but not how broken. Or whose numbers are questioned internally after the GA4 migration.
CMO / VP Marketing
Facing a budget decision and reliant on conversion data that is correct and defensible internally.
CTO / Tech Leads
Need a partner who talks to the dev team as peers, delivers implementable spec docs and does not disappear after launch.
07Deliverables
What you end up with.
Strategy & Planning
- Measurement Blueprint: event schema, naming convention, parameters
- Tracking guide for the dev team, directly implementable
- Tool recommendation with written reasoning
- Consent architecture documentation
Technical Implementation
- GTM container: tags, triggers, variables, structure
- Server-side GTM via stape.io
- CMP setup (Usercentrics / OneTrust / Cookiebot) plus Consent Mode V2
- Conversion APIs per platform (Meta, Google, TikTok, LinkedIn, Criteo, Outbrain), deduplicated
QA & Validation
- Event testing against the blueprint, each event individually
- Consent-flow validation, pre- and post-consent
- Monitoring dashboard with match quality and alerts per destination
- Sign-off document
Handover & Operations
- Handover documentation for the internal team
- Data-protection documentation, aligned with your counsel
- 30-day post-launch support
What we do NOT do
Engagement depths
Three depths. Clear scopes.
No retainer trap.
Audit Sprint
We audit what is wrong. Prioritised report + action plan.
plus statutory VAT
Included
- Full analysis of the existing setup
- Prioritised report with concrete actions
- 90-minute walkthrough with your team
Not included
- Implementation (follows in the Build Sprint)
- Code in your app or website
When it fits
When the setup runs but the numbers are questioned internally.
Fixed price by scope (Audit Sprint / Audit Sprint Plus). 50% credited toward a Build Sprint if commissioned within 30 days.
Request an Audit Sprint →Build Sprint
Fresh build or restructure, built to spec.
plus statutory VAT
Included
- Measurement Blueprint + GTM / server-side via stape.io
- CMP integration + Consent Mode V2
- QA sign-off against the blueprint + 30-day support
Not included
- Campaign execution, media buying, creative
- Tool licences (billed directly, no markup)
When it fits
When a clean rebuild beats patching in production.
Final fixed price after scope definition.
Discuss a Build Sprint →Managed Evolution
Ongoing partnership. Analytics as a product.
plus statutory VAT
Included
- Monthly development + roadmap
- QA on every release deploy
- Slack support, < 4 h response (Mon–Fri)
- Monthly report + executive summary
Not included
- 24/7 on-call rotation
- Campaign operations
When it fits
When analytics has to keep growing with you.
Monthly cancellation after the minimum term.
Request Managed Evolution →All prices net, plus statutory VAT. For companies in Germany, Austria and Switzerland.
Is GA4 still legally usable in 2026 without server-side tracking?
GA4 itself remains usable, but keeping it defensible under GDPR without server-side gets harder every quarter. Three forces effectively make server-side mandatory: Safari ITP 2.3 caps client-side cookies at 7-day TTL, ML-based adblockers filter 25 to 40 percent of all GA4 calls, and Google Consent Mode V2 expects a server-validated consent state. Without sGTM you are optimising on filtered data.
Why are our conversions counted twice?
Almost always the pixel and the Conversion API run in parallel without both paths carrying the same event ID. The platform cannot deduplicate and counts both reports. The shared event ID is therefore the first checkpoint in every tracking audit.
Do you also cover Microsoft Ads, Pinterest or Snap?
Yes, following the same pattern: capture the click ID, send events from the server container, consent signal in front. The six core platforms (Google, Meta, TikTok, LinkedIn, Criteo, Outbrain) are documented in the catalog; further destinations are added per project through the same server container.
What is Consent Mode V2?
A Google standard that checks before every tag whether consent exists. When it is missing, only modelled, aggregated data flows, nothing personal. Mandatory for Google Ads in the EEA.
What is Server-Side GTM?
A Google Tag Manager container that runs on your own server rather than in the browser. Signals are sent first-party, past adblockers and ITP.
What is a Conversion API (CAPI)?
A server-to-server interface that reports conversions directly to Meta, Google and others, independent of the browser pixel and therefore more robust.
How do you bypass adblockers without breaking privacy?
A first-party subdomain (analytics.client.com) routes requests to a stape.io server container. Tags run server-side, the browser only sees your own domain. This is not a trick, it is an architectural shift: PII is filtered before it reaches Google, Consent Mode V2 runs in front, the audit log stays with you.
Is Consent Mode V2 enough for GDPR on GA4?
Consent Mode V2 controls how Google tags react to the consent state, it does not replace a full CMP implementation. Used correctly they work together: the CMP owns the consent decision, Consent Mode V2 transmits the state correctly to Google services. Without a CMP behind it, Consent Mode V2 is just an API.
What changes for my tracking under the EU AI Act?
Pure event tracking is not affected. The Act becomes relevant the moment analytics data drives automated decisions: BigQuery ML for lookalike audiences, custom LLMs for content personalisation, predictive scoring in the CRM. Those pipelines need risk classification, data-provenance documentation and, in the high-risk case, an external audit. The EU AI Act takes effect in phases: many central obligations become relevant from 2 August 2026, with further rules into 2027. We document this in the Measurement Blueprint from day one.
Why BigQuery in Frankfurt and not in the US?
The Frankfurt region on Google Cloud means data stays within the EU legal space. That sidesteps the US CLOUD Act transfer problem before any anonymisation step. Standard Contractual Clauses then exist for the exceptions, not the default. This is the reading EU DPOs sign off on without discussion.
What is a Measurement Blueprint?
A complete technical spec doc that defines what gets measured, how events are named and which parameters carry which values. The foundation for dev-team implementation and downstream QA validation. Not a concept paper for the drawer.
Who implements the tracking in the app or on the website?
Your dev team, against our Measurement Blueprint. We write the spec, stay available for questions, and take over full QA and everything after implementation. Deliberate stance against vendor lock-in: the code stays with you.
Do I need a different approach for an app than for a website?
Yes. Apps use Firebase Analytics as the foundation, websites use GA4 or Plausible. Event schemas differ, consent architecture differs (app consent vs. browser consent), and QA methodology is technically different. We cover both worlds.
What does an analytics audit cost?
Audit Sprint at a fixed price of €2,400 net, 10 working days delivery. Includes prioritised defect list, concrete action plan and a 90-minute walkthrough call. Complex setups across multiple brands or app + web + shop run through Audit Sprint Plus at €3,900. No follow-on contract.
You are a Usercentrics partner. Do you still recommend other CMPs?
Yes. The certification (CMP Expert tech track, since June 2026) gives us direct escalation paths and early sight of product changes, not an obligation to recommend. Cookiebot stays our default for SMB setups, OneTrust fits group-wide privacy suites, and where a stack runs without consent-requiring services, we advise a banner-free architecture. All partnerships are listed openly on /en/integrations/.
Do you also work with OneTrust for smaller companies?
OneTrust is technically usable at any company size, but the license cost and configuration overhead are usually oversized for SMBs. For smaller companies we typically recommend Usercentrics (DACH market leader) or Cookiebot. We recommend what fits, not what we happen to know best.
We already have a setup from another agency, can we migrate?
Standard case. We usually start with an Audit Sprint: inventory of the current setup, prioritised defect report, migration plan. Depending on the depth of the existing issues, we decide together whether cleanup or rebuild is more economical. Vendor lock-in is never an argument: all GTM containers, BigQuery exports and CMP configurations stay in the client's ownership.
Integrations
From the integrations catalog
These are the tools we wire up for this service. Each catalog page rates the tool honestly: setup effort, GDPR classification and when it fits.
Next step
Tracking that survives the next three years.
Audit Sprint at a fixed €2,400 net, 10 working days delivery. Prioritised report, 90-minute walkthrough call. No follow-on contract, no forced retainer.
- Entry
- €2,400–3,900 net
- Delivery
- 2–6 weeks
- Scope
- 5 modules