Datadog RUM and Data Protection – What Belongs in the Privacy Policy
Concise guide to Datadog RUM: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
When a website operator deploys Datadog RUM, it typically processes web server log data, click paths, device and browser information as well as interaction and telemetry data for the purposes of performance and error analysis and general product improvement. The legal basis depends on the specific configuration; typically either consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG) or – for purely technical reach measurement – legitimate interest (Art. 6(1)(f) GDPR) may apply. The following overview helps website operators classify the processing carried out by Datadog RUM and identify the mandatory information for their privacy policy.
A. Purpose and how Datadog RUM works
Datadog Real User Monitoring (RUM) is a service offered by the US provider Datadog, Inc. that allows website operators to measure the actual user experience on their websites and web applications. By means of a JavaScript browser SDK embedded in the website source code, Datadog RUM captures – according to publicly available information from the provider – page views, sessions, user actions (e.g. clicks), frontend errors, resource loading times, long tasks and Web Vitals metrics. Optionally, the Session Replay feature can be enabled, which replays screen content and interactions of a session – functionally comparable with Hotjar or similar session-recording tools.
Datadog RUM is one of several modules of the Datadog observability platform. Other modules such as Logs, APM (Application Performance Monitoring) or Infrastructure Monitoring operate server-side and are not addressed here. This page focuses exclusively on the Datadog RUM browser integration that is embedded as a JavaScript snippet on the website and transmits data about website visitors to Datadog.
Typical use cases include identifying slow pages, detecting JavaScript errors in production, analysing conversion funnels and correlating frontend behaviour with backend performance.
B. Mandatory privacy-policy information when using Datadog RUM
In addition to general information on the website operator, data subject rights and supervisory authorities, the GDPR requires certain tool-specific mandatory information in relation to tools such as Datadog RUM: the purposes of the processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), additionally the specific legitimate interests pursued where processing relies on a balancing test under Art. 6(1)(f) GDPR (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on third-country transfers (Art. 13(1)(f) GDPR) as well as the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR).
Where data is not collected directly from the data subject, Art. 14(1)(d) GDPR adds the duty to state the categories of personal data processed. These mandatory items are broken down for Datadog RUM in the sections below.
In practice, however, it is not necessary to list every single tool – including Datadog RUM – with its own template clause in the privacy policy. Yet exactly this practice has become widespread and produces lengthy, largely redundant privacy policies that conflict with the transparency requirements of Art. 12(1) GDPR (concise, transparent, intelligible, easily accessible). A topic-oriented approach is more appropriate: processing operations are described across themes (server operation, tracking, newsletter, sales …) and the actual service providers, such as Datadog, are listed in a recipients annex. This is precisely the methodology followed by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Datadog RUM
According to publicly available information from the provider, the contracting party for the use of Datadog RUM is
- Datadog, Inc.
- 620 8th Avenue, Floor 45, New York, NY 10018
- United States of America
The provider designates Datadog Ireland Limited as its EU representative under Art. 27 GDPR (contact: privacy@datadoghq.com). Which group entity acts as the contracting party for the German website operator follows from the relevant order form or the signed data processing addendum and must be verified by the website operator on a case-by-case basis.
Datadog states that it is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension and the Swiss-U.S. DPF. The status can be verified at https://www.dataprivacyframework.gov/s/participant-search. In addition, Datadog offers a Data Processing Addendum (DPA) including the EU Standard Contractual Clauses (SCC), available on request via privacy@datadoghq.com.
Provider privacy notice: https://www.datadoghq.com/legal/privacy/. DPA overview: https://www.datadoghq.com/legal/data-processing-addendum/. Datadog provides several hosting regions, including an EU region (datadoghq.eu) with a data centre in Germany; the website operator selects the region when setting up the Datadog account.
This presentation is based on publicly available information from the provider and does not replace a case-by-case assessment.
D. Data processing in Datadog RUM – step by step
datadoghq.eu in Germany or datadoghq.com in the US). Default retention periods according to provider information are 30 days for sessions, views, actions, errors and session recordings, and 15 days for resources and long tasks.
E. Data collected by Datadog RUM
According to publicly available information from the provider, Datadog RUM collects technical data about the access to and use of the website, including the URL of the page accessed, referrer, IP address (for geolocation server-side), device and browser information, screen size, clicks, scrolling behaviour, loading times, JavaScript error messages, Web Vitals values, and a session ID assigned by the SDK. With Session Replay enabled, DOM content and interactions are also recorded, which may include input in non-masked form fields. Datadog provides masking and a beforeSend API that can remove sensitive content before transmission.
These data fall into the following standardised data categories:
- Web server log data: data that arises when the Datadog endpoint is called, in particular IP address of the internet connection, date, time and time zone of the request, URL of the requested content, referrer, information about browser, operating system and device, and additional technical metadata such as status codes and data volumes.
- Click paths: pages visited including the referrer, as well as clicked links and buttons with date and time, e.g. links followed, button clicks or forms and functions accessed.
- Device data: information about the user's end device, such as device type, operating system, screen resolution and size, device orientation and touch support.
- Browser information: browser name and version, and other characteristics provided by the browser.
- Coarse location data: the user's coarse location at city or municipal level, derived from the IP address; according to provider information, geolocation can be deactivated server-side.
- Interaction data: information about how the user behaves within a single page, with date and time, e.g. scrolling, clicks, touch gestures on mobile devices and – with Session Replay enabled – mouse movements and keystrokes.
- Technical telemetry data: certain technical data about the use of the website, e.g. technical error messages, loading times and transferred data volume.
- Conversion events: user interactions defined by the website operator as relevant, e.g. visit to a thank-you page, completion of a form or click on a specific button.
If the website operator activates the optional user identification feature (setUser) or sets custom attributes, user account data (e.g. user ID, email address) may additionally be processed. This configuration must be assessed by the website operator on a case-by-case basis.
F. Purposes of using Datadog RUM
Website operators typically use Datadog RUM to ensure the technical operation of the website, detect and resolve frontend errors, measure performance and optimise the website on the basis of real user data. With Session Replay enabled, qualitative analysis of individual user journeys is added, e.g. to identify usability issues.
These purposes can be assigned to the following standardised purpose categories:
- Provision of functionality: providing the functionality of the website, in particular error detection, error correction and error prevention.
- Security and abuse prevention: detecting and mitigating technical anomalies, bot activity and unusual usage behaviour.
- General product improvement: adapting the website on the basis of aggregated usage data, e.g. optimisation of frequently visited pages, improvement of usability of input forms and flows, and general business planning.
- General marketing: success measurement of campaigns and reach analysis at a non-individual level.
- User profile creation: where custom attributes or setUser are used, segment assignment may take place.
- User-individual product improvement: with linked user identification, display of interest-based content and pre-selection of settings.
G. Legal bases for Datadog RUM
Based on its function, Datadog RUM falls primarily into the tool category tracking (statistics) and – functionally – into the area of real user monitoring / performance and error monitoring. With Session Replay enabled, an additional component is added that enables session replays and is therefore similar in substance to session-recording tools such as Hotjar.
The following legal bases typically apply:
- Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent): As Datadog RUM, according to provider information, sets first-party cookies and reads data from the user's device that is not strictly necessary, prior consent of the website visitor obtained via a consent banner is regularly required. This applies in particular if Session Replay is enabled.
- Art. 6(1)(f) GDPR (legitimate interest): Reliance on legitimate interests in improvement, security, efficiency and business management may be considered if use is limited to purely technical, anonymised reach and error analysis without cookies. The admissibility of this variant is disputed; in practice, consent is often recommended here as well.
If identifying information is linked via setUser, the assessment shifts significantly in favour of a consent-based solution. The applicable legal basis is case-dependent and must be assessed by the website operator on a case-by-case basis.
H. Particularities and notes regarding Datadog RUM
- Third-country transfer / DPF: Datadog states that it is certified under the EU-U.S. Data Privacy Framework (as of the research date). Where a US region is selected, transfers typically take place on the basis of the DPF certification and additionally on the basis of the Standard Contractual Clauses contained in the DPA. The status should be verified at https://www.dataprivacyframework.gov/s/participant-search.
- EU hosting option: Datadog offers the region datadoghq.eu with a data centre in Germany. The choice lies with the website operator and determines the region to which data is transferred.
- DPA: Datadog provides a Data Processing Addendum with Standard Contractual Clauses on request via privacy@datadoghq.com (see https://www.datadoghq.com/legal/data-processing-addendum/). Concluding such an agreement is regularly required under Art. 28 GDPR where personal data is processed on instruction.
- Subprocessors: Datadog states that it engages subprocessors (in particular cloud hosters). The current list should be obtained from the provider and reviewed on a case-by-case basis by the website operator.
- Opt-out and configuration: Website operators can disable IP address and geolocation server-side, enable masking in Session Replay, remove sensitive fields via beforeSend, use the Sensitive Data Scanner, and reduce the sampling rate. The SDK can be initialised with trackingConsent: 'not-granted' so that tracking only starts after consent.
- Session Replay settings: Before enabling, it is advisable to configure masking rules (defaultPrivacyLevel) and explicitly mark sensitive input fields.
- Cookie consent: Because Datadog RUM sets cookies and reads device information, its use regularly falls within Section 25(1) TDDDG.
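The configuration measures listed above, sketched as an added example (not code from Datadog or from this article): an options object for `datadogRum.init` with consent-gated start, EU region and masking, plus a `beforeSend` hook that redacts URLs and error messages. The placeholder IDs, the parameter names in `SENSITIVE_PARAMS`, the sample rate and the helper names are assumptions.

```javascript
// Added example. Placeholder IDs, parameter names and the sample rate are constructed.
const SENSITIVE_PARAMS = ['email', 'token', 'session_id']; // assumed parameter names
const EMAIL_RE = /[A-Za-z0-9._+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}/gi;

// Redact sensitive query parameters and e-mail-like strings in a URL.
function scrubUrl(raw) {
  if (typeof raw !== 'string' || raw === '') return raw;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return 'REDACTED'; // fail closed: never forward a URL that cannot be parsed
  }
  for (const name of SENSITIVE_PARAMS) {
    if (url.searchParams.has(name)) url.searchParams.set(name, 'REDACTED');
  }
  // Setting a parameter re-encodes the query, so "@" may appear as "%40".
  return url.toString().replace(EMAIL_RE, 'REDACTED');
}

// beforeSend hook: runs in the browser before an event leaves the page.
function beforeSend(event) {
  if (event.view) {
    event.view.url = scrubUrl(event.view.url);
    event.view.referrer = scrubUrl(event.view.referrer);
  }
  if (event.resource) event.resource.url = scrubUrl(event.resource.url);
  if (event.error && typeof event.error.message === 'string') {
    event.error.message = event.error.message.replace(EMAIL_RE, 'REDACTED');
  }
  return true; // returning false would drop the event instead of sending it
}

const rumInitOptions = {
  applicationId: 'APPLICATION_ID_PLACEHOLDER',
  clientToken: 'CLIENT_TOKEN_PLACEHOLDER',
  site: 'datadoghq.eu',            // EU region
  sessionSampleRate: 20,           // percent of sessions tracked
  sessionReplaySampleRate: 0,      // Session Replay off
  defaultPrivacyLevel: 'mask',     // mask content if Replay is enabled later
  trackingConsent: 'not-granted',  // nothing is collected until consent
  beforeSend,
};

// Call from the consent banner callback; `rum` is the SDK object (datadogRum).
function applyConsent(rum, granted) {
  rum.setTrackingConsent(granted ? 'granted' : 'not-granted');
}
```

The hook only covers fields it names; custom attributes and setUser values need their own review before they are sent.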
I. FAQ on Datadog RUM and data protection
J. Conclusion on Datadog RUM and call to action
Datadog RUM captures a range of technical and behavioural data when a website is visited – from web server log data through click paths and device information to interaction data and, with Session Replay enabled, DOM recordings. The provider is Datadog, Inc., headquartered in New York; an EU region in Germany and a DPA with Standard Contractual Clauses are available. The legal basis depends on the specific configuration and must be assessed by the website operator on a case-by-case basis.
It is rarely appropriate to include a dedicated template clause in the privacy policy for every single tool – including Datadog RUM. Doing so makes the privacy policy long, unclear, hard to maintain and stands in tension with the transparency requirements of Art. 12(1) GDPR. The recommended approach is a structured, topic-oriented one that explains processing operations across themes (server operation, tracking, newsletter, sales …) and lists the service providers used, such as Datadog, only in a recipients annex. This is exactly the methodology followed by the matterius generator.
This article provides general information on Datadog RUM and does not replace legal advice in individual cases. As of: 7 May 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com