
Crazy Egg and Data Protection – What Belongs in the Privacy Policy

Concise guide to Crazy Egg: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses Crazy Egg, according to the provider's information they process usage and interaction data of their website visitors – in particular clicks, mouse movements, scrolling behaviour, and optionally session recordings – in order to create heatmaps, scrollmaps, recordings, and A/B tests. This article explains what data Crazy Egg specifically processes, how the processing is to be classified legally, and what information belongs in the privacy policy. The presentation is based on publicly accessible information from the provider and does not replace a case-by-case examination.

A. Purpose and Function of Crazy Egg

Crazy Egg is a web-based tool for analysing and optimising user behaviour on websites. The provider makes available to website operators visual evaluations such as heatmaps (click maps), scrollmaps, confetti reports, overlay reports, and session recordings (recordings of individual user sessions). In addition, Crazy Egg offers A/B testing as well as simple surveys.

The central integration function for the website operator is the Crazy Egg tracking script: A JavaScript snippet is embedded in the website and captures visitor interactions. The collected data is aggregated into heatmaps, scroll visualisations, and – where activated – session recordings. Crazy Egg also offers other functions such as A/B tests and surveys, the integration of which takes place via the same script or additional components. The following article covers the core use case of Crazy Egg – that is, heatmaps, scrollmaps, and session recordings. Functions such as A/B tests or surveys process essentially similar data but are not separately the subject of this presentation.

B. Mandatory Disclosures in the Privacy Policy When Using Crazy Egg

In relation to the use of tools such as Crazy Egg, the GDPR prescribes specific mandatory disclosures in addition to the general information for the privacy policy. Specifically, information must be provided on the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), in the case of processing on the basis of a balancing of interests, additionally on the legitimate interests specifically pursued (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), and on any transfers to unsafe third countries outside the EU/EEA (Art. 13(1)(f) GDPR). In addition, the retention period or the criteria for determining it must be specified (Art. 13(2)(a) GDPR), and – in so far as the data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

The mandatory disclosures referred to above are broken down for Crazy Egg below.

It is not necessary to list every single tool – including Crazy Egg – by name and with its own text template in the privacy policy, even though precisely this practice has become widespread. This "text-template-per-tool" approach has become an established bad habit: It results in long, repetitive blocks of text and makes the entire privacy policy difficult to maintain and barely readable for users. A topic-oriented approach is more appropriate, describing the processing operations in an integrated manner (server operation, newsletter, tracking, sales, etc.) and listing the specific service providers used only in an annex. This is the methodology followed by the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Crazy Egg

The provider of Crazy Egg, according to the company's publicly accessible information, is

Crazy Egg, Inc. Registered office: United States of America (California)

The address listed by the provider on its website should be verified by the website operator on the basis of the current privacy policy. The provider's data protection notices are available at https://www.crazyegg.com/privacy, the cookie policy at https://www.crazyegg.com/cookies.

Since the provider is based in the USA, this is a transfer to a third country. Whether Crazy Egg, Inc. is certified under the EU-US Data Privacy Framework (DPF) must be checked by the website operator at the time of use (DPF list: https://www.dataprivacyframework.gov/s/participant-search). If a DPF certification is not in place, the transfer must, as a rule, be based on Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR, which are typically part of the data processing agreement offered by the provider.

The presentation in this section is based on the publicly accessible information of the provider and does not replace a legal case-by-case examination. The company name, address, and DPF status should be verified by the website operator on the basis of the current Crazy Egg documentation.

D. Data Processing at Crazy Egg – Procedure in Steps

Collection: When a website into which the Crazy Egg script is embedded is accessed, the script captures the visitor's interactions in the background: clicks, mouse movements, scrolling behaviour, and – with the recording function activated – mouse trails and page contents. According to the provider's information, the visitor is assigned a random UUID for re-identification; the IP address is, according to the provider, processed in anonymised form.
Storage: The data collected is transmitted to Crazy Egg servers in the USA and stored there in the website operator's customer account. For session recordings, visual representations of individual sessions are also stored.
Use: Crazy Egg aggregates the data into heatmaps, scrollmaps, confetti reports, and session recordings and presents them in the website operator's dashboard. According to the provider's information, keystrokes in form fields are suppressed client-side and do not reach the servers.
Disclosure: Crazy Egg states that it uses sub-processors, in particular hosting and infrastructure service providers. A public sub-processor list is not readily available; details can be requested from the provider at privacy@crazyegg.com.
Deletion: The retention period of the data is determined by the contractual agreement between the website operator and Crazy Egg. The website operator can, as a rule, delete data or have it deleted as part of their administration of the account.

E. Data Collected by Crazy Egg

According to the publicly accessible information of the provider, Crazy Egg processes on the operator's website in particular: a randomly assigned visitor UUID, the URL of the pages accessed, referrer, clicked elements (with coordinates), mouse movements, scroll positions, device type, screen size, browser information, as well as – with the recording activated – session recordings with visual representations of user activity. Inputs into form fields (e.g. passwords, email addresses) are, according to the provider's information, already suppressed in the browser; the IP address is, according to the provider, not stored permanently.

The data can be classified into the following standardised data type categories:

  • Web server log data: Data processed from the user's terminal device with each request, in particular access time, requested URL, referrer, browser and device identifier, and data volume. The IP address is, according to the provider's information, anonymised.
  • Click paths: Pages visited on the website including referrer, as well as clicked links and buttons with date and time.
  • Device data: Information on the terminal device, in particular device type, operating system, screen resolution and screen size, as well as device orientation and touch support.
  • Browser information: Information about the browser used, in particular browser name and version.
  • Coarse location data: Coarse location of the user, where applicable determined from the IP address.
  • Interaction data: Information on how the user behaves on an individual page, in particular scroll movements, mouse pointer movements, and clicks – each with date and time.
  • User content: With session recordings, screen renderings of the user session may be recorded; inputs into form fields are, according to the provider's information, suppressed client-side. The website operator must check on a case-by-case basis whether visible content may have a personal reference.
  • Conversion events: User interactions defined as relevant by the website operator, where corresponding events or goals are configured.

F. Purposes of Use of Crazy Egg

Website operators typically use Crazy Egg in order to make user behaviour on their website visually comprehensible. This includes the identification of frequently clicked areas, uncovering usability issues (e.g. unrecognised buttons), the analysis of scrolling behaviour, and the optimisation of landing pages – for example through A/B tests and the evaluation of conversion paths.

The purposes typically pursued with the use of Crazy Egg can be classified into the following standardised categories of purposes of use:

  • Provision of functionality: Provision of the analysis functionality, including error detection and remediation on the basis of identified usability issues.
  • Security and abuse protection: Limited use to detect suspicious access patterns.
  • General product improvement: General needs-oriented design of the website on the basis of frequently accessed content and functions, as well as improvement of the user-friendliness of the user interface (input forms and processes).
  • General marketing: Non-user-individual orientation and optimisation of marketing measures, in particular reach analysis and success measurement of campaigns and landing pages.
  • User profile creation: With activated session recordings and through A/B tests, an attribution of behavioural patterns to a visitor UUID may take place, even if Crazy Egg, according to the provider's information, does not directly link this identifier to identifying data.
  • User-individual product improvement: Adaptation of the website to the behaviour of individual users, for example through segment-specific evaluations.

Crazy Egg falls into the tool category tracking (statistics) with extended analysis elements (session recording, A/B testing) that move in the direction of user-individual analysis.

G. Legal Bases for the Use of Crazy Egg

Since Crazy Egg, according to the provider's information, sets cookies on the user's terminal device, § 25(1) TDDDG generally applies to its use in Germany: The storage of information in the end user's terminal equipment and access to information already stored therein are permissible only with consent. An exception under § 25(2) TDDDG (strict necessity) cannot, as a rule, be justified for a heatmap and session recording tool. As a data protection legal basis for the downstream processing, consent under Art. 6(1)(a) GDPR is therefore typically the relevant basis.

In addition, for certain partial processing operations (e.g. technical logging), a legitimate interest under Art. 6(1)(f) GDPR in security, abuse protection, and improvement may apply. For the analytically oriented core use – that is, heatmaps, scrollmaps, and session recordings – consent is, however, generally required.

The specific legal basis depends on the case and must be examined by the website operator on a case-by-case basis.

H. Special Features and Notes on Crazy Egg

  • Cookie use and consent: According to the provider's information, Crazy Egg uses cookies; its use in Germany therefore generally requires effective consent via a consent banner.
  • Session recordings: Increased care is required when recording sessions. The website operator should examine which page areas are recorded, whether sensitive form fields are effectively masked, and which content masking settings Crazy Egg offers in the account.
  • Third-country transfer: The provider is based in the USA. Without DPF certification or Standard Contractual Clauses, a transfer lacks a viable legal basis. The DPF status is to be checked at https://www.dataprivacyframework.gov/s/participant-search.
  • Data Processing Agreement (DPA): Crazy Egg describes itself, according to its own statements, as a processor ("Processor of Client Visitor Information") and provides a corresponding agreement. Concluding this agreement is generally required when using the tool.
  • Sub-processors: Crazy Egg states that it uses sub-processors. A specific public sub-processor list is not readily available; information can be requested from the provider at privacy@crazyegg.com.
  • Settings for the website operator: Examination and configuration of the masking of sensitive content for session recordings, selection of the pages to be tracked, integration via a consent manager, and conclusion of the DPA.
  • Opt-out for visitors: Visitors can prevent the use via browser settings, blocking the third-party scripts, or – where integrated via a consent banner – by refusing consent.
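The consent-manager integration named in the list above, as an added example in plain JavaScript (not Crazy Egg's own snippet): the tracking script is injected only once the visitor has opted in to the "statistics" category, a second opt-in does not inject it twice, and a withdrawal after loading is surfaced so the operator can reload the page and clear the cookies. The script URL and the category name `statistics` are placeholders.

```javascript
// Added example, not Crazy Egg's own integration snippet: a consent gate that
// injects a heatmap/session-recording script only after opt-in to "statistics".
const TRACKING_SCRIPT_URL = "https://example.invalid/tracking-snippet.js"; // placeholder

// injectScript(url) is supplied by the caller so the gate can be exercised
// without a DOM; in the browser, domInjector below is the natural choice.
function createConsentGate(injectScript) {
  const state = { statistics: false, loaded: false, withdrawnAfterLoad: false };

  return {
    // Called by the consent banner on every decision change. Returns the
    // resulting state so the operator can react (e.g. reload on withdrawal).
    update(categories) {
      if (typeof categories.statistics === "boolean") {
        state.statistics = categories.statistics;
      }
      let injectedNow = false;
      if (state.statistics && !state.loaded) {
        injectScript(TRACKING_SCRIPT_URL); // first and only injection
        state.loaded = true;
        injectedNow = true;
      }
      if (!state.statistics && state.loaded) {
        // A loaded script cannot be unloaded again; the page must be reloaded
        // and the cookies it set removed, so this case is flagged explicitly.
        state.withdrawnAfterLoad = true;
      }
      return {
        loaded: state.loaded,
        injectedNow,
        withdrawnAfterLoad: state.withdrawnAfterLoad,
      };
    },
  };
}

// Browser-side injector: appends an async <script> tag to <head>.
function domInjector(url) {
  const s = document.createElement("script");
  s.async = true;
  s.src = url;
  document.head.appendChild(s);
}
```

Before consent is given, no request to the tracking host should be observable in the browser's network panel; that check is the simplest way to confirm the gate is wired in correctly.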

I. Frequently Asked Questions on Crazy Egg (FAQ)

J. Conclusion and Recommendation on the Use of Crazy Egg

Crazy Egg is an analysis tool with a strong behavioural component (heatmaps, session recordings) that, according to the provider's information, sets cookies, re-identifies visitors via a UUID, and anonymises the IP address. Due to the use of cookies, consent under § 25(1) TDDDG is generally required in Germany, flanked by a data protection consent under Art. 6(1)(a) GDPR. The provider's seat in the USA requires a clean third-country transfer solution (DPF or Standard Contractual Clauses).

For the privacy policy: It is generally not very useful to include a separate, lengthy text template for every individual tool – and thus also for Crazy Egg. This makes the privacy policy unwieldy, redundant in content, and difficult to maintain, and runs counter to the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach is more appropriate: The processing operations are described in an integrated manner by topic blocks (server operation, newsletter, tracking, sales, etc.); individual tools such as Crazy Egg are listed by name in the recipient annex. This is precisely the methodology followed by the matterius generator.

This article serves as general information on Crazy Egg and does not replace legal advice in individual cases. As of: 23 April 2026.


K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
