FoxMetrics and Data Protection – What Belongs in the Privacy Policy
Concise guide to FoxMetrics: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
FoxMetrics Data Protection – Mandatory Disclosures and Legal Bases
FoxMetrics is a Customer Data Platform (CDP) and web analytics solution from the USA that enables website operators to collect, analyse, and use user data for personalisation. The use of FoxMetrics is associated with significant data protection requirements – in particular regarding the lawfulness of data collection, transparency obligations towards users, and third-country transfer to the USA.
This guide shows what information on FoxMetrics belongs in a German privacy policy, which legal bases are relevant, and what controllers must observe when using it.
A. Purpose and Function of FoxMetrics
FoxMetrics is a CDP and analytics platform offering the following core functions:
- Event tracking: Recording of user actions on websites and mobile apps (clicks, scrolls, forms, conversions)
- User profiling: Creation of user profiles based on behavioural patterns
- Personalisation: Data-driven adaptation of content and offers
- Analytics and reporting: Evaluation of usage patterns for business decisions
- Integration with third parties: Connection to email systems, CRMs, and ad networks
Technical integration typically takes place via a JavaScript snippet embedded on the website. Alternatively, FoxMetrics offers SDKs for mobile applications. The snippet automatically collects data on the visitor when the website loads and transmits it to the FoxMetrics servers.
B. Mandatory Disclosures in the Privacy Policy When Using FoxMetrics
If FoxMetrics is used, website operators must transparently disclose the following points in their privacy policy:
- Controller and contact details of the operator
- Name, function, and contact details of FoxMetrics (see Section C)
- Type and scope of the data collected (see Section E)
- Purposes of data processing (see Section F)
- Legal bases (see Section G)
- Retention period (to be determined and verified by the operator)
- Recipients (FoxMetrics Inc., where applicable sub-processors)
- Third-country transfer and protection mechanisms (SCC, DPF – see Section C)
- Data subject rights (access, objection, erasure, portability)
- Opt-out and cookie management (see Section H)
C. Provider of FoxMetrics
Company information (to be verified by the operator):
- Name: FoxMetrics Inc. (or affiliated legal entities)
- Registered office: USA (exact address to be checked in the privacy policy)
- Data protection contact: Available on the FoxMetrics website; where applicable privacy@foxmetrics.com (to be verified by the operator)
Privacy policy and Standard Contractual Clauses:
FoxMetrics should provide an English-language privacy policy that meets the requirements of US data protection. The exact link and the current status must be checked and documented by the website operator themselves on the FoxMetrics website.
Third-country status – USA and Data Protection Impact Assessment (DPIA):
- The seat of FoxMetrics in the USA means a third-country transfer under Art. 44 et seq. GDPR.
- The Adequacy Decision (Data Privacy Framework / DPF) has classified the USA as "adequate" again since December 2023 – the operator must, however, verify whether FoxMetrics Inc. is certified under the DPF framework.
- Where no DPF certification exists, Standard Contractual Clauses (SCC) or other suitable guarantees are required.
- The use requires a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR, in particular with regard to the third-country transfer and profiling.
D. Data Processing – Procedure in Steps
E. Data Collected by FoxMetrics
FoxMetrics typically records the following categories of data:
Web server log data
- IP address (where applicable anonymised – see Section H)
- Time of access
- Referrer (where the user came from)
- HTTP request data (user agent, HTTP method)
Click paths and user behaviour
- Pages accessed and dwell time
- Clicks on links, buttons, or forms
- Scroll depth
- Video plays, download actions
Device data
- Device type (desktop, smartphone, tablet)
- Operating system and version
- Screen resolution
- Memory and processing capacity (where applicable)
Browser information
- Browser type and version
- Installed plugins or extensions
- Do Not Track setting
- Time zone
Coarse location data
- Location derived from IP address (country, where applicable city level; no precise geolocation without explicit authorisation)
Conversion events and custom events
- Form submissions
- Transactions
- Custom events (depending on implementation)
User profiles
- Unique user IDs (cookie-based or device-based)
- Personal interest profiles
- Device graphs (linkage of multiple devices of one user)
- Sequences of interactions
F. Purposes of Use
Processing by FoxMetrics typically serves the following purposes:
General product improvement:
- Analysis of website and application performance
- Identification of usability issues
- Optimisation of user navigation
User profile creation:
- Segmentation of visitors by behaviour and characteristics
- Recognition of recurring users
- Cross-device tracking (linkage of devices)
User-individual product improvement:
- Personalisation of content and offers
- Recommendation systems
- Targeted marketing and retargeting
Business analysis:
- Evaluation of conversion funnels
- Attribution analysis (which touchpoints lead to conversions)
- Cohort analysis and trend reports
G. Legal Bases for FoxMetrics
1. Consent (Art. 6(1)(a) GDPR + § 25(1) TDDDG)
In most cases, a privacy policy alone is not sufficient for FoxMetrics tracking. In addition, explicit consent is required where:
- The JS snippet stores or reads out data on terminal devices (e.g. via cookies),
- or information about terminal devices is collected (§ 25(1) TDDDG – Telecommunications Telemedia Data Protection Act).
Consent must be obtained before the FoxMetrics snippet is loaded (e.g. via a cookie consent banner with user-friendly granularity).
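One way to enforce this ordering in the browser, as an added example that is not FoxMetrics' or this guide's own code: the snippet is injected only after an explicit, stored opt-in, and any missing or malformed consent record counts as "no". `SNIPPET_URL`, `CONSENT_KEY` and the `analytics` field are placeholder assumptions; `doc` and `storage` stand for `document` and `localStorage`.

```javascript
// Placeholder values (assumptions): use the snippet URL from your own account
// and whatever key/shape your consent banner actually stores.
const SNIPPET_URL = "https://analytics.example.invalid/snippet.js";
const CONSENT_KEY = "consent.v1";

// Returns the stored consent object, or null if absent or malformed.
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const parsed = JSON.parse(raw);
    return typeof parsed === "object" && parsed !== null ? parsed : null;
  } catch (_) {
    return null; // unparsable record is treated as no decision
  }
}

// Only an explicit boolean true counts; "true", 1 or a missing field do not.
function hasAnalyticsConsent(storage) {
  const consent = readConsent(storage);
  return consent !== null && consent.analytics === true;
}

// Injects the script tag once; returns true only if it was added by this call.
function loadSnippet(doc) {
  if (doc.querySelector("script[data-analytics-snippet]")) return false;
  const el = doc.createElement("script");
  el.src = SNIPPET_URL;
  el.async = true;
  el.setAttribute("data-analytics-snippet", "1");
  doc.head.appendChild(el);
  return true;
}

// Call on every page load: nothing is requested from the vendor without opt-in.
function applyConsent(doc, storage) {
  return hasAnalyticsConsent(storage) ? loadSnippet(doc) : false;
}

// Call from the banner's accept/reject handlers. A later withdrawal cannot
// unload an already running script; it takes effect from the next page load.
function recordDecision(doc, storage, analytics) {
  const record = { analytics: analytics === true, ts: Date.now() };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return applyConsent(doc, storage);
}
```

The snippet must not also appear as a static `<script>` tag in the page template, otherwise it loads before any of this code runs.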
2. Legitimate Interest (Art. 6(1)(f) GDPR) – Restricted
Relying on legitimate interests as a legal basis is conceivable only in exceptional cases:
- Only for data that does not stem from the JS snippet, but rather from server log files (IP, user agent, referrer).
- The balancing of interests must be documented and may fail in the case of profiling and tracking.
- Not suitable for cookies and event tracking – here consent is mandatory.
3. Third-country Transfer – Safeguards
Data flows to the USA. The following safeguards are permissible:
- Data Privacy Framework (DPF): Where FoxMetrics is certified – check status.
- Standard Contractual Clauses (SCC): If DPF does not apply – document in privacy policy.
- Supplementary measures: Where applicable, additional security measures under EDPB guidelines (e.g. end-to-end encryption, but rarely implemented at FoxMetrics).
A DPIA is required in order to evaluate these transfers.
H. Special Features and Notes on FoxMetrics
- Data Processing Agreement (DPA): FoxMetrics should provide a standard DPA that meets the requirements of Art. 28 GDPR. This is to be reviewed and, where applicable, adjusted.
- DPF status and certification: The operator must verify whether FoxMetrics Inc. is currently certified under the Data Privacy Framework (DPF) (list: https://www.dataprivacyframework.gov/list).
- IP anonymisation: Check whether FoxMetrics offers an option to anonymise or pseudonymise IP addresses (e.g. masking the last octet of the IP address). This can ease the data protection impact assessment.
- Opt-out and cookie management: FoxMetrics should provide an opt-out mechanism or a cookie management dashboard. Link this in your privacy policy.
- Sub-processors: Check the list of sub-processors that FoxMetrics uses (e.g. cloud providers, analytics tools). These must be mentioned or linked in the privacy policy.
- Deletion period: Define how long FoxMetrics stores data (e.g. 13 months). This can be documented from the FoxMetrics configuration settings.
I. Frequently Asked Questions
J. Conclusion and Next Steps
FoxMetrics is a powerful tool for analysis and personalisation – but remains sensitive from a data protection perspective. For lawful use, the following are necessary:
- Explicit consent before the snippet is loaded (cookie banner)
- Full transparency in the privacy policy on scope, purpose, and third-country transfer
- Data Protection Impact Assessment (DPIA under Art. 35 GDPR)
- Data Processing Agreement between the operator and FoxMetrics
- Verification of DPF status and where applicable Standard Contractual Clauses
- Regular review of sub-processors and configurations
This guide is an orientation framework. Legally binding statements on the privacy policy and the DPA must be researched by the operator themselves on the FoxMetrics website and clarified with their own data protection officer or legal counsel. As of: 23 April 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com