datascale
Datascale-led

Server-side tracking that keeps delivering under GDPR

Client-side tracking loses 30 to 40 percent of signals. We build the EU-hosted server-side architecture that stops it.

  • GA4
  • GTM Server-Side
  • stape.io
  • BigQuery (Frankfurt)
  • Consent Mode V2
  • Meta CAPI
  • Google Enhanced Conv.
  • Usercentrics

✓ Certified stape.io & Usercentrics Partner

In short

We rebuild the measurement chain server-side, from the first impression through to GA4, BigQuery and back into Meta, Google and co. via Conversion APIs. Signals that adblockers, ITP and consent loss usually swallow arrive again. GDPR-conform and hosted in the EU.

Who it is for
E-commerce & lead-gen with meaningful ad spend
What you get
Server-side setup, CMP integration & QA against the blueprint
Entry
Audit Sprint from €2,400, in 2 weeks

01Quick self-check

You're in the right place if:

Tick what applies.

02How it works

From click to platform, in four steps.

First-party to your own server, not through dozens of third-party domains.

  1. browser → 1st-party

    Signal

    An event fires in the browser and goes first-party to your own subdomain, not directly to Google.

  2. GTM SS · stape.io

    Server container

    GTM Server-Side on stape.io receives the event, filters PII and enriches it.

  3. Consent Mode V2

    Consent gate

    Consent Mode V2 decides before every tag which data flows. Without consent, modelled only.

  4. GA4 · CAPI · BigQuery

    Distribution

    The clean event goes to GA4 and Meta CAPI, and in parallel to BigQuery Frankfurt.

03What we build

Was wir bauen

Client-side tracking loses signals to ITP, adblockers and consent gaps. Ad algorithms then optimise against noise. We rebuild the measurement chain, server-side.

100 percent via stape.io, routed into BigQuery Frankfurt. GDPR-compliant analytics from the ground up, ready for the EU AI Act. The model is simple: spec from us, code from your dev team, QA back to us. No vendor lock-in.

Marketing wants data. The DPO blocks. Both are right. That only ends when the separation is forced at server level, not in the analysis spreadsheet: PII filtered before it reaches Google, consent state server-side, an audit log the DPO can query any time.

04The difference

Client-side only vs. EU server-side.

Legacy · client-side
Client-side GTM in the browser
Safari ITP 2.3 caps cookies
ML adblockers filter calls
3P cookies getting unreliable
Consent loss = signal gone
30 to 40% signal loss
Datascale · EU server-side
First-party subdomain
Server GTM on stape.io
Consent Mode V2 + PII filter
BigQuery in Frankfurt
GA4 + Meta CAPI server-side
Audit log stays with you

Architecture: EU-first data routing with strict PII separation. BigQuery in the Frankfurt region sidesteps US CLOUD Act transfers before any anonymisation.

05The building blocks

Four modules. One setup.

Bookable individually or as a chain, depending on the maturity of your existing tracking.

Web Analytics Setup & Audit

Full implementation or technical audit of an existing web analytics setup. Tool-agnostic, we recommend what fits the use case.

Concretely: GA4, Plausible CE or Matomo, server-side via stape.io, UA-to-GA4 cleanup, cross-domain, bot and referral filters.

Tools: GA4 · Plausible CE · GTM · GTM Server-Side · stape.io

Mobile & App Analytics (Firebase)

Analytics for native and hybrid apps. Firebase properly configured, with an event schema that fits the web strategy and merges into BigQuery.

Concretely: iOS/Android event schema, privacy-first Firebase config, app consent with enterprise CMP, Firebase ↔ GA4 BigQuery export.

Tools: Firebase Analytics · GA4 · BigQuery · Usercentrics · OneTrust

Cookie Consent & Consent Engineering

The consent layer is not a checkbox. Misconfigured it destroys data, configured properly it protects users and lets analysis run.

Concretely: CMP selection and setup, cookie scanning, Consent Mode V2, pre-consent scan, ongoing CMP operations.

Tools: Usercentrics · OneTrust · Cookiebot · Consent Mode V2

Conversion APIs & ad platforms

Pixel plus Conversion API per platform, distributed from one server container and deduplicated via a shared event ID. Conversions arrive in the platforms without counting twice.

Concretely: Meta, Google, TikTok, LinkedIn, Criteo, Outbrain. Click-ID capture (gclid, fbclid), CRM and offline conversions, match-quality monitoring.

Tools: Meta CAPI · Google Enhanced Conv. · TikTok Events · LinkedIn CAPI

06Who it is for

When it pays off.

Product & Engineering

Teams building a new app or website who want analytics set up correctly from day one, not as an afterthought in sprint 12.

Marketing

Teams who know their GA4 setup is broken but not how broken. Or whose numbers are questioned internally after the GA4 migration.

CMO / VP Marketing

Facing a budget decision and reliant on conversion data that is correct and defensible internally.

CTO / Tech Leads

Need a partner who talks to the dev team as peers, delivers implementable spec docs and does not disappear after launch.

07Deliverables

What you end up with.

Strategy & Planning

  • Measurement Blueprint: event schema, naming convention, parameters
  • Tracking guide for the dev team, directly implementable
  • Tool recommendation with written reasoning
  • Consent architecture documentation

Technical Implementation

  • GTM container: tags, triggers, variables, structure
  • Server-side GTM via stape.io
  • CMP setup (Usercentrics / OneTrust / Cookiebot) plus Consent Mode V2
  • Conversion APIs per platform (Meta, Google, TikTok, LinkedIn, Criteo, Outbrain), deduplicated

QA & Validation

  • Event testing against the blueprint, each event individually
  • Consent-flow validation, pre- and post-consent
  • Monitoring dashboard with match quality and alerts per destination
  • Sign-off document

Handover & Operations

  • Handover documentation for the internal team
  • Data-protection documentation, aligned with your counsel
  • 30-day post-launch support

What we do NOT do

Mobile apps and app code, in your codebase. We define, the dev team builds
Code directly on websites, without GTM or a defined deployment process
US-cloud-only CMPs, without an EU server location
Hidden commissions, on tool licenses. Partnerships declared openly at /en/integrations/
SEO, paid-media campaigns and classical web development

Engagement depths

Three depths. Clear scopes.
No retainer trap.

Start here →

Audit Sprint

We audit what is wrong. Prioritised report + action plan.

Duration
10 working days
Price
€2,400–3,900 net

plus statutory VAT

Included

  • Full analysis of the existing setup
  • Prioritised report with concrete actions
  • 90-minute walkthrough with your team

Not included

  • Implementation (follows in the Build Sprint)
  • Code in your app or website

When it fits

When the setup runs but the numbers are questioned internally.

Fixed price by scope (Audit Sprint / Audit Sprint Plus). 50% credited toward a Build Sprint if commissioned within 30 days.

Request an Audit Sprint →

Build Sprint

Fresh build or restructure, built to spec.

Duration
2–6 weeks
Price
€8,500–18,000 net

plus statutory VAT

Included

  • Measurement Blueprint + GTM / server-side via stape.io
  • CMP integration + Consent Mode V2
  • QA sign-off against the blueprint + 30-day support

Not included

  • Campaign execution, media buying, creative
  • Tool licences (billed directly, no markup)

When it fits

When a clean rebuild beats patching in production.

Final fixed price after scope definition.

Discuss a Build Sprint →

Managed Evolution

Ongoing partnership. Analytics as a product.

Duration
3-month minimum
Price
€3,500–6,500 / month net

plus statutory VAT

Included

  • Monthly development + roadmap
  • QA on every release deploy
  • Slack support, < 4 h response (Mon–Fri)
  • Monthly report + executive summary

Not included

  • 24/7 on-call rotation
  • Campaign operations

When it fits

When analytics has to keep growing with you.

Monthly cancellation after the minimum term.

Request Managed Evolution →

All prices net, plus statutory VAT. For companies in Germany, Austria and Switzerland.

  • Q01
    Is GA4 still legally usable in 2026 without server-side tracking?

    GA4 itself remains usable, but keeping it defensible under GDPR without server-side gets harder every quarter. Three forces effectively make server-side mandatory: Safari ITP 2.3 caps client-side cookies at 7-day TTL, ML-based adblockers filter 25 to 40 percent of all GA4 calls, and Google Consent Mode V2 expects a server-validated consent state. Without sGTM you are optimising on filtered data.

  • Q02
    Why are our conversions counted twice?

    Almost always the pixel and the Conversion API run in parallel without both paths carrying the same event ID. The platform cannot deduplicate and counts both reports. The shared event ID is therefore the first checkpoint in every tracking audit.

  • Q03
    Do you also cover Microsoft Ads, Pinterest or Snap?

    Yes, following the same pattern: capture the click ID, send events from the server container, consent signal in front. The six core platforms (Google, Meta, TikTok, LinkedIn, Criteo, Outbrain) are documented in the catalog; further destinations are added per project through the same server container.

  • Q04
    What is Consent Mode V2?

    A Google standard that checks before every tag whether consent exists. When it is missing, only modelled, aggregated data flows, nothing personal. Mandatory for Google Ads in the EEA.

  • Q05
    What is Server-Side GTM?

    A Google Tag Manager container that runs on your own server rather than in the browser. Signals are sent first-party, past adblockers and ITP.

  • Q06
    What is a Conversion API (CAPI)?

    A server-to-server interface that reports conversions directly to Meta, Google and others, independent of the browser pixel and therefore more robust.

  • Q07
    How do you bypass adblockers without breaking privacy?

    A first-party subdomain (analytics.client.com) routes requests to a stape.io server container. Tags run server-side, the browser only sees your own domain. This is not a trick, it is an architectural shift: PII is filtered before it reaches Google, Consent Mode V2 runs in front, the audit log stays with you.

  • Q08
    Is Consent Mode V2 enough for GDPR on GA4?

    Consent Mode V2 controls how Google tags react to the consent state, it does not replace a full CMP implementation. Used correctly they work together: the CMP owns the consent decision, Consent Mode V2 transmits the state correctly to Google services. Without a CMP behind it, Consent Mode V2 is just an API.

  • Q09
    What changes for my tracking under the EU AI Act?

    Pure event tracking is not affected. The Act becomes relevant the moment analytics data drives automated decisions: BigQuery ML for lookalike audiences, custom LLMs for content personalisation, predictive scoring in the CRM. Those pipelines need risk classification, data-provenance documentation and, in the high-risk case, an external audit. The EU AI Act takes effect in phases: many central obligations become relevant from 2 August 2026, with further rules into 2027. We document this in the Measurement Blueprint from day one.

  • Q10
    Why BigQuery in Frankfurt and not in the US?

    The Frankfurt region on Google Cloud means data stays within the EU legal space. That sidesteps the US CLOUD Act transfer problem before any anonymisation step. Standard Contractual Clauses then exist for the exceptions, not the default. This is the reading EU DPOs sign off on without discussion.

  • Q11
    What is a Measurement Blueprint?

    A complete technical spec doc that defines what gets measured, how events are named and which parameters carry which values. The foundation for dev-team implementation and downstream QA validation. Not a concept paper for the drawer.

  • Q12
    Who implements the tracking in the app or on the website?

    Your dev team, against our Measurement Blueprint. We write the spec, stay available for questions, and take over full QA and everything after implementation. Deliberate stance against vendor lock-in: the code stays with you.

  • Q13
    Do I need a different approach for an app than for a website?

    Yes. Apps use Firebase Analytics as the foundation, websites use GA4 or Plausible. Event schemas differ, consent architecture differs (app consent vs. browser consent), and QA methodology is technically different. We cover both worlds.

  • Q14
    What does an analytics audit cost?

    Audit Sprint at a fixed price of €2,400 net, 10 working days delivery. Includes prioritised defect list, concrete action plan and a 90-minute walkthrough call. Complex setups across multiple brands or app + web + shop run through Audit Sprint Plus at €3,900. No follow-on contract.

  • Q15
    You are a Usercentrics partner. Do you still recommend other CMPs?

    Yes. The certification (CMP Expert tech track, since June 2026) gives us direct escalation paths and early sight of product changes, not an obligation to recommend. Cookiebot stays our default for SMB setups, OneTrust fits group-wide privacy suites, and where a stack runs without consent-requiring services, we advise a banner-free architecture. All partnerships are listed openly on /en/integrations/.

  • Q16
    Do you also work with OneTrust for smaller companies?

    OneTrust is technically usable at any company size, but the license cost and configuration overhead are usually oversized for SMBs. For smaller companies we typically recommend Usercentrics (DACH market leader) or Cookiebot. We recommend what fits, not what we happen to know best.

  • Q17
    We already have a setup from another agency, can we migrate?

    Standard case. We usually start with an Audit Sprint: inventory of the current setup, prioritised defect report, migration plan. Depending on the depth of the existing issues, we decide together whether cleanup or rebuild is more economical. Vendor lock-in is never an argument: all GTM containers, BigQuery exports and CMP configurations stay in the client's ownership.

Next step

Tracking that survives the next three years.

Audit Sprint at a fixed €2,400 net, 10 working days delivery. Prioritised report, 90-minute walkthrough call. No follow-on contract, no forced retainer.

Entry
€2,400–3,900 net
Delivery
2–6 weeks
Scope
5 modules