Want to learn more about our approach to GDPR?
Prior to installing Mouseflow, you must exclude the tracking of Personal Data from Data Subjects in the EU/EEA.
"Personal Data" includes, but is not limited to, any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
We provide numerous ways to do this — see the next section below.
What We Do
Mouseflow has the following built-in features:
- We appointed German lawyer Axel Dreyer, LL.M. as our Data Protection Officer (DPO). He can be reached at email@example.com.
- We appointed an independent dispute resolution mechanism for unresolved complaints related to privacy.
- We self-certify compliance with EU-US Privacy Shield at the U.S. Department of Commerce.
- We prepared a standard Data Processing Agreement which can be executed upon request to firstname.lastname@example.org.
- We encrypt all data in transit (via HTTPS).
- We never send data outside the datacenter in which it is originally stored. For US clients, this is a US datacenter; for EU and EEA clients, this is an EU datacenter.
- We provide an opt-out feature for Data Subjects: https://mouseflow.com/opt-out.
- For all accounts, we prevent the tracking of all keystroke data for Data Subjects in the EU/EEA.
- For all accounts, we provide an option to honor the Do Not Track browser setting.
- For all accounts, we enable masking of data entered in form fields from appearing later in playback or heatmaps. This helps with order confirmation pages and prevents user-typed input from appearing later on, if a Data Controller (you) failed to adequately exclude it.
- For German accounts, we disable the tracking of keystroke data for all form fields. For accounts everywhere else, we provide a feature which you must implement if you track Personal Data from Data Subjects in the EU/EEA to disable tracking of keystrokes in all form fields or disable keystrokes in specific form fields.
- For all accounts, we provide a feature which you must implement to exclude/replace content shown in your HTML.
- For EU/EEA accounts, we automatically remove the last tuple of IP addresses to anonymize them. For accounts everywhere else, we allow you to anonymize IP addresses (just click Settings > Anonymize IPs). This removes the last tuple of IP address data. Alternatively, you can contact us to have stricter IP anonymization enabled which prevents the storage of any part of an IP address.
- For German accounts, because we disable the tracking of keystroke data, password fields and all other personal/sensitive form fields are also blocked. For accounts everywhere else, we block password fields and all fields where at least three (3) consecutive digits are entered and no letters (this blocks credit card numbers, CVV numbers, and the like).
- We encrypt all HTML and DOM mutation data (used in our recordings and heatmaps) at rest.
- We conduct routine vulnerability scans and penetration tests of our entire platform.
- We provide training to our employees on topics of security, privacy, and rules/regulations.
- We have a formal security policy detailing the technical measures we employ to protect the confidentiality, integrity, and availability of our platform and data.
In anticipation of GDPR, Mouseflow will add the following features before May 25, 2018:
- We will offer a tool which allows you to whitelist specific form fields to be tracked, after you've confirmed no Personal or Sensitive Data will be collected from Data Subjects in the EU/EEA.
- We will add a question type to our Feedback tool to allow you to obtain consent from Data Subjects in the EU/EEA before asking for their contact information.
- We may consider or implement additional features or changes not listed here to enforce or improve our compliance efforts.
What You Need to Do
Mouseflow requires you to take the following actions:
- You need to audit your website(s) to ensure no Personal Data from EU/EEA Data Subjects can or will be tracked.
- If Personal Data from EU/EEA Data Subjects can or could be tracked, you may need to implement the following exclusion mechanisms (as needed): disable tracking of keystrokes in all form fields, disable keystrokes in specific form fields, and exclude/replace content shown in your HTML.
- You may also wish to anonymize IP addresses (just click Settings > Anonymize IPs). This removes the last tuple of IP address data. Alternatively, you can contact us to have stricter IP anonymization enabled which prevents the storage of any part of an IP address.
- For German accounts, we prevent the storage of any IP addresses. For accounts in Europe or the EEA, we remove the last tuple from IP addresses to anonymize them.
- You should make a test recording in our platform to ensure all exclusions are working as intended.
- You may need to obtain active and explicit consent to track users on your site. We recommend checking the rules and regulations that apply to your website(s) and obtaining legal advice.
- You may be required to offer an opt-out for tracking on your website, depending on local laws/regulations. We recommend describing that you use Mouseflow, what it's for, and providing a link to our opt-out page: https://mouseflow.com/opt-out
- If you receive a request to correct, delete, amend, or give access to Personal Data from a Data Subject, you must notify us in writing within forty-eight (48) hours via email to email@example.com. We will acknowledge your request and assist in any way possible, providing an official response no later than ten (10) business days after receiving the request. However, please be advised that if you've followed the above requirements, no Personal Data from Data Subjects in the EU/EEA should ever exist in our platform.
- You need to agree that you've read, understood, and implemented any or all of the above items (as required) prior to tracking.
What information is collected?
When you visit a webpage that has Mouseflow, the following information may be collected:
- Clicks, Mouse Movements/Hovers, Scrolling
- Device (Desktop/Tablet/Phone)
- Operating System
- Screen Resolution
- Duration (Time on Site)
- Navigation (URLs)
- Page Content (HTML)
- ISP & ISP Location (City, State/Region, Country)*
- Keystrokes (except password, digit, and excluded fields)*
- Referrer URL
- Visitor Type (First Time/Returning)
- Custom Tags or Variables
The data is stored for 1-12 months, depending on the specific plan associated with a client account.
* This information will no longer be collected for EU/EEA accounts when GDPR takes effect.
What can I do?
If you wish to obtain a copy of your data*, please contact the website owner where the data was collected/obtained (the Data Controller). If they are unable to process your request or do not respond in a timely manner, please contact us at firstname.lastname@example.org.
If you wish to correct your data*, please contact the website owner where the data was collected/obtained (the Data Controller). If they are unable to process your request or do not respond in a timely manner, please contact us at email@example.com.
If you wish to erase your data*, please contact the website owner where the data was collected/obtained (the Data Controller). If they are unable to process your request or do not respond in a timely manner, please contact us at firstname.lastname@example.org.
If you gave your consent to have information processed by Mouseflow (in our feedback widget) and wish to revoke it, please both contact the website owner where the data was collected/obtained (the Data Controller) and us at email@example.com.
If you do not wish to be tracked, you can opt-out at:
This places a cookie on your computer which will prevent any further tracking (unless deleted).
* We require clients to exclude Personal Data from being captured. As such, the data stored by Mouseflow is expected to be anonymous in nature. This may alter your rights above or our ability to obtain a copy, correct, or erase your data as there is no way to trace it to you.