Inspectlet and Data Protection – What Belongs in the Privacy Policy

Inspectlet data protection is a central topic for website operators that use session recordings, heatmaps and form analytics. The tool collects movement patterns of visitors in a granular form – from the mouse pointer to click paths to keyboard inputs. This makes transparent, legally secure documentation in the privacy policy necessary. This guide shows what information is required, what data Inspectlet processes and on what legal bases.

A. Purpose and Function of Inspectlet

Inspectlet is a session recording and heatmap tool from a US provider that records and analyzes user interactions on websites. The core functions are:

• Session recordings: Automatic video recording of visitor sessions with mouse movements, clicks, scrolls and keyboard inputs
• Heatmaps: Visual representation of click, scroll and movement patterns to identify UX bottlenecks
• Form Analytics: Monitoring of form completions, errors and abandonments
• Feedback surveys: Integrated surveys on visitor satisfaction
• Conversion tracking: Tracking of target actions and user journeys

Integration is via a JavaScript snippet which is embedded in the <head> or <body> area of the website and continuously transmits data to Inspectlet servers.

B. Mandatory Disclosures of the Privacy Policy when Using Inspectlet

For legally compliant websites, it is essential to make the use of Inspectlet transparent in the privacy policy. This includes:

• Name and address of the provider (full contact details)
• Description of the data processed (session recordings, click paths, device and browser information, IP addresses, possibly form contents)
• Purposes of use (product improvement, user behavior analysis, conversion optimization, possibly security)
• Legal bases (typically consent under Art. 6(1)(a) GDPR + § 25(1) TDDDG)
• Data transfer to third countries (USA – data privacy framework/Standard Contractual Clauses)
• Data Processing Agreement (DPA) – whether a DPA exists with Inspectlet
• Data subject rights – access, rectification, erasure, objection
• Right of withdrawal – possibility to opt out of consent
• Data protection officers – contact to the supervisory authority

C. Provider of Inspectlet

D. Data Processing – Process in Steps

E. Data Collected by Inspectlet

Inspectlet collects a comprehensive spectrum of user data. The information collected can be classified into several categories:

Web server log data:

• IP address of the visitor
• Timestamps of page views
• HTTP referrer
• User agent (browser type, operating system)

Click paths and navigation data:

• Complete sequence of all clicks on the website
• Clicked links, buttons and elements
• Target pages after clicks

End-device and browser data:

• Device type (desktop, tablet, mobile)
• Screen resolution
• Browser name and version
• Operating system (Windows, macOS, iOS, Android)
• Language settings

Coarse location data:

• Geographic position based on IP (country, city – without exact GPS coordinates)

Interaction data (session recordings):

• Mouse movements and position in real time
• Scroll positions and direction
• Keystrokes (in form fields, possibly without masking – particularly sensitive)
• Focus and blur of input fields
• Window size changes

Conversion events:

• Defined target actions (e.g. button clicks, form submission tests)
• Conversion rates and times

User-generated content:

• Form completions (entries in text, select and textarea fields)
• Possibly inadvertently collected content (email addresses, phone numbers, search queries) if no field masking is configured

F. Purposes of Use

Inspectlet processes data for the following purposes:

General product improvement:

• Analysis of user behavior at aggregate level (e.g. "80% of visitors do not scroll below the fold")
• Identification of UX problems and optimization potential
• Benchmarking against industry standards

User-individual product improvement:

• Subsequent viewing of individual sessions (replay) for debugging and understanding specific user journeys
• Analysis of conversion funnel and abandonment points
• Personalization of website elements based on user behavior (possibly with extended features)

Security and abuse detection:

• Detection of suspicious patterns (automated access, bots)
• Protection against fraud (e.g. unusual form submissions)

G. Legal Bases for Inspectlet

Category: Tracking with Session Recording

Session recording with Inspectlet falls under tracking and statistics under German and European data protection law. It is not essential functionality, but optional analysis and optimization.

Required Legal Bases

1. Consent under Art. 6(1)(a) GDPR + § 25(1) TDDDG

The setting of cookies and tracking IDs is not permissible without consent. The website operator must obtain informed, voluntary consent before loading the Inspectlet snippet – typically via a cookie banner or consent tool.

• Form: Before the Inspectlet script is run (!) consent must be in place
• Content: Specific mention of "session recording", "heatmaps", Inspectlet as provider
• Right of withdrawal: Users must be able to withdraw consent at any time (e.g. via cookie settings)

2. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) for USA transfer

Since Inspectlet servers are located in the USA, a mechanism for legally compliant data transfer must be in place:

• Data Privacy Framework (DPF): If Inspectlet is certified under the EU-US DPF → reference in the privacy policy
• Standard Contractual Clauses (SCCs): If DPF is not in place → DPA with Inspectlet must contain SCCs
• Supplementary measures: Additional technical/organizational measures may be required

H. Special Features and Notes regarding Inspectlet

• Session recording is highly sensitive: Keystrokes and movement patterns can reveal personal information. A clear, intelligible privacy notice is essential.

• Configure field masking: The website operator should explicitly determine which form fields are masked (passwords, credit cards, PIN fields, social security numbers).

• Check DPA: A data processing agreement must be in place and contain Standard Contractual Clauses or DPF certification. The operator must ensure that Inspectlet is classified as a processor (Art. 28 GDPR).

• Data Protection Impact Assessment (DPIA): Session recording with Inspectlet may trigger a DPIA under Art. 35 GDPR, especially if highly sensitive form contents are collected.

• Data subject rights: Users must be informed whether their session has been recorded and where they can view/erase it.

• Opt-out mechanism: Inspectlet should offer an opt-out link or cookie blocking option to exclude users from tracking.

• Retention period: The retention period of session recordings must be documented and should be limited to the necessary minimum (e.g. 30–90 days).

I. FAQ

J. Conclusion and CTA

The use of Inspectlet is permitted in Germany and the EU under strict conditions: informed consent, valid data transfer to the USA, data processing agreement and, if applicable, data protection impact assessment. A transparent, detailed privacy policy is not only a legal obligation but also fosters trust with visitors.

Website operators should:

1. Check Inspectlet configuration: Field masking, retention period, opt-out
2. Document legal bases: Consent, DPA, data transfer mechanism (DPF/SCCs)
3. Update privacy policy: Make Inspectlet, data types, purposes, data subject rights, contact details transparent
4. Audit regularly: Inspectlet policy and DPA should be reviewed at least annually – especially when there are DPF changes or provider updates

K. Further Resources