Do I need to disclose Statsig in my privacy policy?

Yes. Statsig processes personal data including user identifiers and custom attributes to evaluate experiment eligibility and track exposure, making it a data processor that requires disclosure. Under GDPR and CCPA, you must inform users about third-party services collecting their data and link to the processor's privacy practices.

What data does Statsig collect?

Statsig collects user IDs, custom user attributes, experiment exposure and assignment data, event logs for metrics tracking, and session or device metadata. This data is used to determine which experiment variant a user sees and to measure the outcomes of A/B tests and feature rollouts.

Does Statsig require a cookie consent banner?

Statsig does not set cookies itself, so cookie consent is not required specifically for Statsig. However, if your website uses cookies for other purposes (analytics, advertising), you must obtain consent and disclose all tracking technologies in your cookie policy.

Where is my data processed by Statsig?

Statsig Inc., headquartered in the United States, acts as your data processor. User identifiers and experiment data are transferred to Statsig's servers in the U.S. for processing. Statsig maintains SOC 2 Type II compliance. Ensure you have appropriate data transfer agreements (like Standard Contractual Clauses under GDPR) in place.

Feature Flags & Experimentation

Privacy policy clauses for Statsig

Statsig is a feature management and experimentation platform that enables websites to control feature rollouts, run A/B tests, and track user behavior across experiments. Companies use Statsig to safely deploy features to segments of users and measure their impact on key metrics.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Statsig collects

Your privacy policy must disclose each of the following data types when you use Statsig.

User ID and custom attributes

Experiment exposure and assignments

Event logging for metrics

Session and device metadata

When does Statsig trigger privacy obligations?

Installation Moment

The moment you install Statsig's SDK, you begin transmitting user identifiers and custom attributes to Statsig Inc.'s servers in the United States. This triggers data protection obligations immediately—*before* any experiment runs or flag is evaluated.

Applicable Regulations

GDPR (if you have EU users): Statsig processes personal data (user IDs, session metadata, event logs) on your behalf. You must have a Data Processing Agreement (DPA) in place with Statsig Inc. under GDPR Article 28. Even without explicit consent, you need a lawful basis (typically legitimate interest under Article 6(1)(f)) *and* must provide transparency under Article 13/14 (privacy notice disclosing Statsig as a processor, the categories of data shared, and cross-border transfer to the US).

Privacy policy clauses for Statsig

What data Statsig collects

When does Statsig trigger privacy obligations?

Installation Moment

Applicable Regulations

Where data goes

Common compliance pitfalls

Pitfall 1: No DPA with Statsig Inc.

Pitfall 2: Insufficient Privacy Disclosure of Data Sharing

Pitfall 3: Miscategorizing Statsig as "Analytics" Only

Legal note

Sample privacy policy clause

What regulators look for

DPA Audit Priorities

Transparency & Consent Gaps

US Data Adequacy & Storage

Enforcement Signal

Frequently asked questions

Do I need to disclose Statsig in my privacy policy?

What data does Statsig collect?

Does Statsig require a cookie consent banner?

Where is my data processed by Statsig?

Don't ship without Bandit.