Kissmetrics and Data Protection – What Belongs in the Privacy Policy

Compact guide to Kissmetrics: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses Kissmetrics, the service processes, according to the provider's own information, usage and event data of the operator's website visitors for person-based behavioral and customer analysis, on the basis of consent or legitimate interests. This article explains which data Kissmetrics processes specifically, how the processing is to be classified legally and which information belongs in the privacy policy. The presentation is based on publicly available information from the provider and does not replace a case-by-case examination.

A. Purpose and Function of Kissmetrics

Kissmetrics is a web-based analytics platform which, according to the provider, enables website and app operators to perform person-based behavioral analysis across the entire customer lifecycle. The platform links the individual events of a user across sessions and devices once the user has been identified by an email address or another user ID. Kissmetrics is therefore not a pure reach measurement tool but explicitly targets conversion and retention analyses at the level of the individual user.

The central integration function for the website operator is the Kissmetrics tracking script: a JavaScript snippet is embedded in the website and records page views, events (e.g. clicks, purchases, registrations) and properties. In addition, Kissmetrics offers server-side APIs, SDKs for mobile apps and integrations with third-party systems. This article deals with the standard practice – the integration of the tracking script in a website for product analytics and conversion tracking. Server-side integrations follow largely comparable legal requirements, but are not separately the subject of this presentation.

B. Mandatory Disclosures in the Privacy Policy when Using Kissmetrics

In addition to the general information required in a privacy policy, the GDPR prescribes specific mandatory disclosures with regard to the use of tools such as Kissmetrics. Specifically, information must be provided about the purposes of the processing and its legal bases (Art. 13(1)(c) GDPR), in the case of processing based on a balancing of interests additionally about the specific legitimate interests pursued (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), as well as any intended transfer to a third country outside the EU/EEA and the safeguards relied on for it (Art. 13(1)(f) GDPR). In addition, the retention period or the criteria for determining it (Art. 13(2)(a) GDPR) must be stated and, insofar as the data is not collected directly from the data subject, additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

The aforementioned mandatory disclosures are detailed below for Kissmetrics.

It is not necessary to list every single tool – including Kissmetrics – by name and with its own text block in the privacy policy, even though precisely this practice has become widespread. This "text block per tool" approach has become bad practice: it leads to long, redundant text blocks and makes the entire privacy policy difficult to maintain and barely readable for users. A more appropriate approach is a topic-oriented one that describes the processing operations across topics (server operation, newsletter, tracking, sales …) and only lists specific service providers used in an annex. The matterius generator pursues this methodology.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Kissmetrics

According to the publicly available information from the company, the provider of Kissmetrics is

Sandstorm Analytics, Inc. (dba Kissmetrics)
Registered office: United States of America

According to publicly available information, the assets of Sandstorm Media Inc. were taken over in 2025 by Kissmetrics Holding Inc., which continues the service under the Kissmetrics brand. The provider's privacy notices specifically for the service are available at https://www.kissmetrics.io/privacy. Address and specific corporate structure are to be verified by the website operator on the basis of the current privacy policy and the data processing addendum provided by the provider.

Since the provider is based in the USA, the transmission of visitor data to Kissmetrics is a transfer to a third country. Whether Sandstorm Analytics, Inc. or Kissmetrics Holding Inc. is currently certified under the EU-US Data Privacy Framework (DPF) is to be checked by the website operator (DPF list: https://www.dataprivacyframework.gov/s/participant-search). The previous certification under the EU-US Privacy Shield became invalid with the Schrems II ruling of the CJEU of 16/07/2020 and does not replace a current DPF certification. If no DPF certification is in place, the transfer will generally have to be based on Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR.

The presentation in this section is based on the publicly available information from the provider and does not replace legal advice on a case-by-case basis. Company name, address, corporate structure and DPF status should be verified by the website operator on the basis of the current Kissmetrics documents.

D. Data Processing in Kissmetrics – Process in Steps

Collection: When a website is accessed in which the Kissmetrics script is embedded, the script records page views, events and properties. According to the provider, visitors initially receive an anonymous identifier ("anonymous identity"), which is linked to a user ID or email address upon identification (e.g. login, order).
Storage: Data is stored on the Kissmetrics infrastructure in the USA. According to its own information, Kissmetrics sets first-party cookies and additionally offers server-side APIs. The retention period is determined by the contractual agreements between the website operator and the provider.
Use: The provider provides the website operator with analyses of individual user behavior, funnel analyses, cohorts, retention and segments. The data can be linked to the assigned user IDs or email addresses.
Sharing: According to its own information, Kissmetrics uses hosting and other technical service providers as sub-processors. A public sub-processor list is not readily available; details are to be requested from the provider.
Erasure: The website operator can have individual user records erased via the Kissmetrics administration or by request to the provider. The specific erasure routines result from the data processing addendum provided by the provider.

E. Data Collected by Kissmetrics

According to the publicly available information from the provider, on the operator's website Kissmetrics processes in particular: a visitor ID (initially anonymous, later possibly linked to a user ID or email address), page views, events defined by the website operator (clicks, purchases, registrations, etc.), event properties, timestamps, referrer, end-device and browser information as well as, if applicable, coarse location data based on the IP address. The specific scope depends largely on the configuration by the website operator: Kissmetrics is designed in such a way that the website operator can specifically transfer further data (such as customer attributes, transaction data).

The data can be classified into the following standardized data type categories:

  • Web server log data: Data transmitted from the user's end device to the Kissmetrics servers with every request, in particular IP address, time of access, requested URL, referrer and technical metadata.
  • Click paths: Visited pages of the website including referrer as well as clicked links, accessed forms and functions, each with date and time.
  • End-device data: Information about the end device, in particular device type, operating system and screen resolution.
  • Browser information: Information about the browser used, in particular browser name and version.
  • Coarse location data: Coarse location of the user determined on the basis of the IP address at city or municipality level.
  • User account data: Insofar as the website operator transfers user identifiers (e.g. user ID, email address) to Kissmetrics upon identification, these are stored as identifiers and linked to the event data.
  • Conversion events: User interactions defined as relevant by the website operator, in particular registration, cart creation, product purchase, appointment booking, contact request, download or visit to specific pages.
  • User profiles: Interests, segment assignments, usage histories and key figures derived therefrom that are kept by the website operator in Kissmetrics for a user.

F. Purposes of Use of Kissmetrics

Website operators typically use Kissmetrics to track the path of individual users through their product or website on a person-based basis – from the first anonymous visit to registration to recurring use and purchases. Central areas of use are funnel analyses, conversion optimization, cohort building, retention measurement and segmentation for personalized marketing.

The purposes typically pursued with the use of Kissmetrics can be classified into the following standardized purpose categories:

  • Functional provision: Provision of the analytics functionality, including error detection and avoidance.
  • General product improvement: General needs-based design of the website and optimization of user-friendliness on the basis of aggregated analyses.
  • General marketing: Non-user-individual targeting and optimization of marketing measures, in particular success measurement of advertising campaigns and reach analysis.
  • User profile creation: Creation of user profiles, in particular determination of interests and preferences as well as assignment to segments or target groups on the basis of the event history kept in Kissmetrics.
  • User-individual product improvement: Adaptation of online services to the behavior of the respective user, in particular display of interest-based content and pre-selection of settings.
  • User-individual marketing: Targeting and optimization of marketing measures based on the individual interests and behavior of the respective user, in particular targeting of direct marketing (e.g. emails) and segment-based advertising.

Kissmetrics falls into the tool category tracking (statistics and marketing) with a pronounced component for user profile creation and user-individual marketing.

G. Legal Bases for the Use of Kissmetrics

Since, according to the provider, Kissmetrics sets cookies on the user's end device and recognizes the visitor across sessions and devices, § 25(1) TDDDG generally applies to use in Germany: the storage of information in the end device and access to information stored there are generally only permissible with consent. An exception under § 25(2) TDDDG (strict necessity) cannot generally be justified for a person-based product analytics tool. As a legal basis under data protection law for the downstream processing, consent under Art. 6(1)(a) GDPR therefore typically comes into consideration.

If Kissmetrics is also used for user-individual marketing (e.g. segmentation, personalization of advertising), the user's consent under Art. 6(1)(a) GDPR is also generally relevant for this. For the identification of logged-in users in the context of a contract (e.g. SaaS account), Art. 6(1)(b) GDPR (contract performance) may also play a role. For purely technical partial processing, such as protection against abuse, legitimate interests under Art. 6(1)(f) GDPR in security and abuse protection come into consideration.

The specific legal basis depends on the case and is to be examined by the website operator on a case-by-case basis.

H. Special Features and Notes regarding Kissmetrics

  • Cookie use and consent: According to the provider, Kissmetrics sets first-party cookies and recognizes users across sessions and devices. Use in Germany therefore generally requires effective consent via a consent banner.
  • Linking with identifying data: Kissmetrics is designed to link anonymous visitor IDs with user IDs or email addresses. The website operator should check what identifying data is actually transferred to Kissmetrics and how this can be reflected in the consent banner.
  • Do Not Track and opt-out: Kissmetrics states that it respects the browser header "Do Not Track" and offers users opt-out options. The specific opt-out mechanism is to be checked in the privacy policy or support documentation of the provider.
  • Third-country transfer: The provider is based in the USA. Without DPF certification or another safeguard under Art. 46 GDPR such as Standard Contractual Clauses, there is generally no viable basis for the transfer. The DPF status is to be checked at https://www.dataprivacyframework.gov/s/participant-search; the historical Privacy Shield certification no longer covers the transfer.
  • Data Processing Agreement (DPA): According to its own information, the provider provides a data processing addendum. Its conclusion is generally required when using the tool. The role of the provider (processor) results from the contractual documents provided by the provider.
  • Sub-processors: Kissmetrics states that it uses hosting and infrastructure service providers. A public sub-processor list is not readily available; details can be requested from the provider at privacy@kissmetrics.io.
  • Settings for the website operator: Selection of the events and properties to be tracked, decision on the transfer of identifying data (user ID, email), integration via a consent manager, configuration of opt-out and conclusion of the DPA.
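The consent-manager integration, the Do Not Track handling and the decision about which identifying data is handed over (the last three points above) can be enforced in the page itself rather than left to the banner text. The following is an added example written for this article, not Kissmetrics' own library: a gate that buffers events until the user has decided, loads the vendor snippet only after analytics consent, strips identifying properties and refuses identify() calls unless a separate marketing consent exists, and honours navigator.doNotTrack before anything else. The category names ("analytics", "marketing"), the list of identifying property keys and the loader callback are assumptions that must be matched to the consent manager and event schema actually in use.

```javascript
// Added example: consent gate in front of a person-based tracking snippet.
// Illustrative code for this article, not Kissmetrics' own library.

const ANALYTICS = "analytics";   // assumed consent category for statistics
const MARKETING = "marketing";   // assumed category for profile linking / targeting

// Property keys treated as identifying and stripped without marketing consent
// (assumed list; extend it to match what the site actually records).
const IDENTIFYING_KEYS = new Set(["email", "user_id", "phone", "name"]);
const MAX_BUFFERED = 100;        // bound on events held before a consent decision

// May the tracker load and record at all? `dnt` is navigator.doNotTrack
// ("1" when the user opted out); `consent` is null (undecided) or a Set.
function mayTrack(consent, dnt) {
  if (dnt === "1") return false;              // honour Do Not Track first
  return consent !== null && consent.has(ANALYTICS);
}

// May identifiers (user ID, email) be linked to the event stream?
function mayLink(consent, dnt) {
  return mayTrack(consent, dnt) && consent.has(MARKETING);
}

// Remove identifying properties from an event payload.
function stripIdentifiers(props) {
  return Object.fromEntries(
    Object.entries(props).filter(([key]) => !IDENTIFYING_KEYS.has(key)));
}

class GatedTracker {
  // loadSnippet: injects the vendor script into the page (assumed interface).
  // initialConsent: null while the banner is undecided, else granted categories.
  constructor(loadSnippet, initialConsent = null, dnt = null) {
    this.loadSnippet = loadSnippet;
    this.dnt = dnt;
    this.consent = null;
    this.loaded = false;
    this.buffer = [];      // events recorded before any decision (stay on-device)
    this.forwarded = [];   // what was handed to the vendor queue
    if (initialConsent !== null) this.updateConsent(initialConsent);
  }

  // Called by the consent manager whenever the user decides or changes choice.
  updateConsent(granted) {
    this.consent = new Set(granted);
    if (!mayTrack(this.consent, this.dnt)) {
      this.buffer = [];    // declined or withdrawn: nothing buffered leaves the device
      return;
    }
    if (!this.loaded) {    // the snippet is injected once, and only after consent
      this.loaded = true;
      this.loadSnippet();
    }
    for (const ev of this.buffer.splice(0)) this.forward(ev);
  }

  forward(ev) {
    // A real integration would push onto the vendor's queue here
    // (for Kissmetrics typically the global `_kmq` array; assumed, not verified).
    this.forwarded.push(ev);
  }

  // Returns true when the event was forwarded, false when buffered or dropped.
  record(name, props = {}) {
    // Identifiers are stripped at record time, so a buffered event never
    // carries them even if marketing consent is granted later.
    const safeProps = mayLink(this.consent, this.dnt) ? { ...props } : stripIdentifiers(props);
    const ev = { type: "record", name, props: safeProps };
    if (this.consent === null) {
      if (this.buffer.length < MAX_BUFFERED) this.buffer.push(ev);
      return false;
    }
    if (!mayTrack(this.consent, this.dnt)) return false;
    this.forward(ev);
    return true;
  }

  // Identifiers are never buffered: without linking consent at the time of
  // the call, the identity is simply not handed over.
  identify(userId) {
    if (!mayLink(this.consent, this.dnt)) return false;
    this.forward({ type: "identify", userId });
    return true;
  }
}
```

The design choice worth noting is the split between the two consents: statistics events may flow after analytics consent, but the link between the anonymous visitor ID and an email address or user ID, which is what turns Kissmetrics into a profiling tool, is only released on a separate marketing consent, and pre-consent events are scrubbed of identifying keys before they are even buffered. Withdrawal cannot unload a script that is already in the page, so the gate re-checks consent on every record() and identify() call rather than only at load time.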

J. Conclusion and Recommendation regarding the Use of Kissmetrics

Kissmetrics is a person-based analytics and marketing tool which recognizes individual users across sessions and devices and is typically linked to identifying data of the website operator (user ID, email). Due to the use of cookies and user-individual profile creation, in Germany consent under § 25(1) TDDDG and Art. 6(1)(a) GDPR is generally required. The provider's location in the USA requires a viable third-country transfer solution (DPF or Standard Contractual Clauses).

For the privacy policy: it generally makes little sense to include a separate, long text block for each individual tool – including Kissmetrics. This makes the privacy policy confusing, redundant in content and difficult to maintain, and runs counter to the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a structured, topic-oriented one: the processing operations are described across topics (server operation, newsletter, tracking, sales …); individual tools such as Kissmetrics are listed by name in the recipient annex. The matterius generator pursues precisely this methodology.

This article is intended for general information about Kissmetrics and does not replace legal advice in individual cases. As of: 23 April 2026.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
