Mouseflow and Data Protection – What Belongs in the Privacy Policy

Mouseflow data protection in brief: data processed, purposes, legal bases (GDPR/TDDDG) and what website operators should include in their privacy policy regarding Mouseflow.

If a website operator uses Mouseflow, they typically process server log data, click paths, interaction data, device data and coarse location data for the purpose of behavioural analysis, optimisation of user journeys and error diagnosis – usually based on consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. This page explains which data Mouseflow collects, what website operators use it for and which mandatory information regarding Mouseflow belongs in the website's privacy policy.

A. Purpose and Functionality of Mouseflow

Mouseflow is a web analytics tool from Mouseflow ApS, Denmark, which records and evaluates the behaviour of website visitors in detail. Unlike classic reach-measurement tools (page-view statistics), Mouseflow focuses on qualitative analysis: mouse movements, clicks, scroll behaviour, keyboard input (with a masking option), form interactions and page views are captured by a tracking script and made available to the website operator as session recordings and aggregated heatmaps.

According to the provider, Mouseflow's core functions include session recording (replay of individual visitor sessions), heatmaps (click, scroll, mouse and attention heatmaps), funnel analysis, form analysis, feedback surveys and friction-score calculations that are intended to detect unusual user behaviour (e.g. rage clicks or erratic mouse movements). This page focuses on the integration function – the Mouseflow tracker embedded in the website via a JavaScript snippet, with session recording and heatmaps; deviating functions such as client-side surveys must be reviewed individually by the website operator.

B. Mandatory Information in the Privacy Policy When Using Mouseflow

Beyond general information about the controller, data subject rights and the supervisory authority, the GDPR requires a number of specific items of mandatory information in connection with concrete tools such as Mouseflow. These include the purposes of processing and their legal bases (Art. 13(1)(c) GDPR) and – where processing is based on legitimate interests (Art. 6(1)(f) GDPR) – the specific legitimate interests pursued (Art. 13(1)(d) GDPR).

Further mandatory information concerns recipients or categories of recipients (Art. 13(1)(e) GDPR), transfers to third countries and the safeguards relied on for them (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data is not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR). The following sections break down these items for Mouseflow.

It is not necessary to list every single tool – including Mouseflow – in the privacy policy with its own text module and named reference, even though this practice has become widespread. The "text-module-per-tool" approach produces long, repetitive texts, makes the entire privacy policy difficult to maintain and may run counter to the transparency requirement in Art. 12(1) GDPR. A more appropriate approach is topic-oriented: processing operations are described in overarching topic blocks (server operation, newsletter, tracking, sales …), while the specific recipients used – including Mouseflow – are listed in an appendix. This is precisely the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Mouseflow

According to the publicly available information from the provider, the contracting partner for German website operators is Mouseflow ApS, Flæsketorvet 68, 1711 Copenhagen V, Denmark. Mouseflow is therefore established within the EU; a third-country transfer within the meaning of Art. 44 et seq. GDPR does not arise from the contractual relationship with Mouseflow ApS itself. According to its own information, Mouseflow operates data centres in the EU (including Germany and Ireland) and offers EU hosting on certain tariffs; whether sub-processors outside the EU are used in a specific configuration must be reviewed individually by the website operator.

Mouseflow's privacy notice is available at https://mouseflow.com/privacy/; a Data Processing Agreement (DPA) is provided at https://mouseflow.com/legal/data-processing-agreement/.

D. Data Processing by Mouseflow – Step by Step

  1. Collection: When a page with the embedded Mouseflow snippet is loaded, the snippet fetches the JavaScript tracker from the provider and runs it in the visitor's browser. The tracker captures click coordinates, mouse movements, scroll behaviour, keystrokes (with configurable masking), form focus changes and technical metadata (user agent, screen size, language settings). According to the provider, Mouseflow uses cookies and possibly local-storage entries for session recognition. Note that the request for the tracker script already transmits the visitor's IP address and user agent to the provider; if the snippet is embedded unconditionally, this happens before any consent decision, so the snippet should only be injected once statistics consent has been given.
  2. Storage: The data collected is transmitted to the Mouseflow infrastructure. According to the provider, storage is primarily in EU data centres (Germany, Ireland); the retention period is configurable and, by default, is up to twelve months but can be reduced by the website operator.
  3. Use: Mouseflow reconstructs session recordings, heatmaps, funnel and form evaluations and friction scores from the raw data. The website operator accesses these via the Mouseflow dashboard.
  4. Disclosure: According to its own information, Mouseflow uses sub-processors for hosting and infrastructure. A current list of sub-processors is available from the provider; the website operator should review it individually.
  5. Deletion: Records are automatically deleted after the configured retention period. The website operator can also delete individual sessions or records manually and configure masking and exclusion rules in the Mouseflow dashboard.

E. Data Collected by Mouseflow

In a typical Mouseflow integration, the following are processed in particular: IP address (anonymisable according to the provider), date and time of the visit, URLs called up, referrer, user agent, screen resolution, click coordinates, mouse-movement paths, scroll positions, keystrokes (with maskable sensitive fields), form interactions and cookie/session IDs for session recognition.

These data can be classified into the following standardised data-type classes:

  • Server log data: IP address, date, time, URL requested, referrer, technical request metadata.
  • Click paths: pages visited, clicks on buttons and links, sequence of page views within the session.
  • Interaction data: mouse movements, scroll movements, touch gestures and keystrokes, each with date and time – core to session recording and heatmaps.
  • Device data: device type, operating system, screen resolution and size, device orientation, touch support.
  • Browser information: browser name, browser version, language settings.
  • Coarse location data: location derived from the IP address at city/municipality level.
  • Technical telemetry data: technical error messages, loading times, JavaScript errors.

Where keyboard input in forms is captured and not masked, user content may also be contained in the recordings; Mouseflow provides masking options (e.g. excluded fields, data scrubbing) whose configuration is the responsibility of the website operator.

F. Purposes of Use When Deploying Mouseflow

Website operators typically deploy Mouseflow to understand and optimise the user flow on the website, to identify mis-operation and technical hurdles in forms or funnels, and to improve conversion paths. The evaluations therefore primarily serve product improvement and, secondarily, marketing controlling.

These purposes can be classified into the following standardised purpose classes:

  • Function provision: technical provision of the tracker, error detection in scripts and forms, error correction.
  • General product improvement: optimisation of the website on the basis of frequently viewed content and functions, improvement of the usability of input forms and processes, general business planning.
  • User-profile creation: assignment to segments or target groups, where the website operator combines Mouseflow data with other data sources.
  • User-individual product improvement: adaptation of the online services to the interests and behaviour of individual users, e.g. through A/B-testing evaluations.
  • Security and abuse prevention: detection of erratic bot patterns via friction-score analyses.

According to the publicly available functional descriptions, Mouseflow falls primarily into the tool category of tracking (statistics) with a qualitative focus (session recording, heatmaps).

G. Legal Bases for Using Mouseflow

Consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG will regularly be the relevant basis, since Mouseflow uses cookies and/or local-storage access according to the provider and collects detailed behavioural data (mouse, keyboard, scroll) that typically goes beyond what is required to provide a service explicitly requested by the user. Consent is therefore widely recommended in practice and is obtained as a statistics consent via the consent banner.

Reliance on legitimate interests under Art. 6(1)(f) GDPR – with interests in improvement and business management – is sometimes discussed but is controversial for session-recording tools given the depth of data captured and must be reviewed individually by the website operator. For purely technical provision of the tracker (e.g. masking scripts), Art. 6(1)(f) GDPR with interests in security and efficiency may be relied on additionally.

The choice of legal basis depends on the individual case and must be reviewed by the website operator.

H. Specific Considerations and Notes on Mouseflow

  • IP anonymisation: According to the provider, Mouseflow offers an IP-anonymisation option; website operators should activate it unless a full IP address is strictly required. Anonymisation of this kind is applied on the provider's side after the request has been received: because the tracker runs in the visitor's browser and reports directly to the provider's servers, the full IP address necessarily reaches those servers first. IP anonymisation therefore limits storage and evaluation, not the initial transmission.
  • Masking of sensitive fields: Through functions such as excluded fields, data scrubbing and CSS selectors, input fields containing sensitive content (passwords, payment data, health information) can be excluded from recording. Careful configuration is essential from a data-protection perspective. Masking rules tied to CSS selectors silently stop matching when the page markup changes (renamed IDs, new form fields), so the configuration should be re-checked after front-end releases, for example by replaying a test session and confirming that the affected fields appear masked. Excluding free-text fields by default and allow-listing only those that may be recorded in clear is more robust than enumerating the sensitive ones.
  • EU hosting: Mouseflow offers EU data residency on certain tariffs; the website operator should check which storage location is contractually agreed and whether sub-processors outside the EU are used.
  • DPA: Mouseflow provides a Data Processing Agreement (https://mouseflow.com/legal/data-processing-agreement/); concluding it is regularly required.
  • Opt-out: Mouseflow provides an opt-out option at https://mouseflow.com/opt-out/ via which visitors can object to recording.
  • Retention period: The retention period for recordings can be configured in the Mouseflow dashboard; setting it to what is actually necessary serves data minimisation.
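As an added illustration (not Mouseflow's code or API; the provider's masking and exclusion options are configured in its dashboard and snippet according to its own documentation), the following JavaScript models the two operator-side controls discussed here and in section E: a default-deny masking policy for captured input events, which also produces the list of CSS selectors an operator would have to exclude, and a consent gate that only injects a tracker when statistics consent has been given. The field descriptors, event shape, helper names and the sample form are constructed for this example.

```javascript
// Added example, not Mouseflow code. Models a default-deny masking policy for
// session recording and a consent gate for loading the tracker at all.

// Autocomplete tokens and name fragments whose fields must never reach a recording,
// not even in masked form (payment, credentials, health, identifiers). Heuristic list.
const EXCLUDE_AUTOCOMPLETE = /^(cc-|new-password|current-password)/i;
const EXCLUDE_NAME = /(passw|card|cvv|cvc|iban|bic|ssn|tax|health|diagnos|medic|insur)/i;
// Controls that produce no free text; recording their interaction is low-risk.
const NON_TEXT_TYPES = new Set(["checkbox", "radio", "range", "submit", "button", "reset"]);

// field: { id, tag, type, name, autocomplete, dataRecord } (constructed descriptor shape).
// Returns "exclude" (drop the event), "mask" (keep timing and length, hide characters)
// or "record" (keep as is). Anything not explicitly safe is masked: default deny.
function classifyField(field) {
  const type = (field.type || "text").toLowerCase();
  const tag = (field.tag || "input").toLowerCase();
  if (field.dataRecord === "never") return "exclude";
  if (type === "password" || type === "file") return "exclude";
  if (EXCLUDE_AUTOCOMPLETE.test(field.autocomplete || "")) return "exclude";
  if (EXCLUDE_NAME.test(`${field.name || ""} ${field.id || ""}`)) return "exclude";
  if (field.dataRecord === "allow") return "record";
  if (tag === "select" || NON_TEXT_TYPES.has(type)) return "record";
  return "mask";
}

// Apply the policy to one captured input event before it is queued for upload.
// Events for fields that are not in the audited form are dropped, not passed through.
function scrubEvent(event, fieldsById) {
  const field = fieldsById.get(event.fieldId);
  const decision = field ? classifyField(field) : "exclude";
  if (decision === "exclude") return null;
  if (decision === "mask") {
    return { ...event, value: "*".repeat(event.value.length), masked: true };
  }
  return { ...event, masked: false };
}

function scrubQueue(events, fieldsById) {
  return events.map((e) => scrubEvent(e, fieldsById)).filter(Boolean);
}

// Build the selector lists an operator would transfer into the recording tool's
// exclusion and masking configuration: one selector per field not recorded in clear.
function auditSelectors(fields) {
  const out = { exclude: [], mask: [] };
  for (const f of fields) {
    const decision = classifyField(f);
    if (decision === "record") continue;
    const selector = f.id ? `#${f.id}` : `${f.tag || "input"}[name="${f.name}"]`;
    out[decision].push(selector);
  }
  return out;
}

// Consent gate: `inject` (supplied by the caller; in a browser it would append the
// provider's script tag) runs only when statistics consent has been recorded.
function loadTrackerIfConsented(consent, inject) {
  if (consent && consent.statistics === true) {
    inject();
    return true;
  }
  return false;
}

// Constructed sample form and captured events.
const FIELDS = [
  { id: "email", tag: "input", type: "email", name: "email" },
  { id: "pw", tag: "input", type: "password", name: "password" },
  { id: "cc", tag: "input", type: "text", name: "cardnumber", autocomplete: "cc-number" },
  { id: "plan", tag: "select", name: "plan" },
  { id: "notes", tag: "textarea", name: "notes" },
  { id: "nl", tag: "input", type: "checkbox", name: "newsletter" },
];
const FIELDS_BY_ID = new Map(FIELDS.map((f) => [f.id, f]));

const EVENTS = [
  { t: 1, fieldId: "email", value: "a@b.de" },
  { t: 2, fieldId: "pw", value: "hunter2" },
  { t: 3, fieldId: "cc", value: "4111" },
  { t: 4, fieldId: "plan", value: "pro" },
  { t: 5, fieldId: "ghost", value: "x" }, // field not present in the audited form
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditSelectors(FIELDS));
  console.log(scrubQueue(EVENTS, FIELDS_BY_ID));
}
```

The design choice worth noting is the direction of the default: every free-text field is masked unless explicitly allow-listed, and events for fields the audit has not seen are dropped rather than recorded, so a newly added form field cannot leak clear text until someone has looked at it. The selector list from `auditSelectors` is what changes when the markup changes and is therefore the artefact to diff after each front-end release.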

The above presentation is based on information provided by the provider and on publicly available sources and does not replace an individual assessment by the website operator.

I. FAQ on Mouseflow and Data Protection

J. Conclusion and Call to Action regarding Mouseflow

Mouseflow is a qualitative analytics tool that captures in-depth behavioural data of website visitors. Website operators should ensure effective consent via a consent banner, careful masking of sensitive fields, activation of IP anonymisation and conclusion of a Data Processing Agreement. The retention period for recordings should be actively configured and limited to what is actually required.

For website operators, it usually makes little sense to include a separate text module in the privacy policy for every tool – including Mouseflow. This makes the privacy policy long, unclear, hard to maintain and conflicts with the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach that explains tracking tools collectively and lists specific recipients such as Mouseflow in an appendix is more appropriate. The matterius generator supports precisely this methodology.

This article serves as general information on Mouseflow and does not replace legal advice in individual cases. As of: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
