Raygun Real User Monitoring and Data Protection – What Belongs in the Privacy Policy
Concise guide to Raygun Real User Monitoring: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
When a website operator uses Raygun Real User Monitoring, it processes web server log data, click paths, device and browser information, and technical telemetry data (performance metrics, JavaScript errors) for the purpose of product improvement and error remediation – typically based on consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. This page sets out which data Raygun Real User Monitoring (RUM) typically collects, what a website operator uses it for, and which mandatory items belong in the privacy policy of its own website.
A. Purpose and Functioning of Raygun Real User Monitoring
Raygun Real User Monitoring is a service for observing the actual end-user experience on websites and web applications. The website operator integrates the service by embedding a JavaScript snippet (raygun4js) into the <head> area of its pages. The script then captures performance data (e.g. page load times, Core Web Vitals), JavaScript errors and so-called custom events in the user's browser and transmits these to Raygun's servers.
The provider Raygun also offers other products such as Crash Reporting for native apps, Application Performance Monitoring (APM, server-side) and Error Monitoring. This page covers exclusively the integration function Real User Monitoring for Web via the raygun4js snippet, because this is where data from website visitors is collected in the browser, which is what primarily triggers the data protection obligations of the website operator.
Typical use cases include identifying slow pages and devices, uncovering errors in production and analysing actual user journeys across sessions and click paths.
B. Mandatory Privacy Policy Items When Using Raygun Real User Monitoring
The GDPR requires website operators – in addition to general information about the controller, data subject rights and the supervisory authority – to provide specific items of information for tools such as Raygun Real User Monitoring.
These include in particular the purposes of the processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), where reliance is placed on Art. 6(1)(f) GDPR, the specific legitimate interests pursued (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on third country transfers and the safeguards used (Art. 13(1)(f) GDPR), the storage period or the criteria for determining it (Art. 13(2)(a) GDPR), and – where data is not collected directly from the data subject – the categories of personal data (Art. 14(1)(d) GDPR).
These items are set out below in relation to Raygun Real User Monitoring.
In practice, it has become customary to mention every individual tool – including Raygun RUM – with its own lawyer-drafted clause in the privacy policy. This "clause-per-tool" practice has established itself as poor style: it leads to long, repetitive privacy policies that are hard to maintain and difficult to read, which tends to run counter to the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented structure that describes processing across the board (server operation, newsletter, tracking, sales …) and lists specific service providers such as Raygun only in an Appendix: Recipients. This is precisely the methodology followed by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Raygun Real User Monitoring
According to publicly available information from the provider, the contractual partner for German website operators is:
- Raygun Limited (originally founded as "Mindscape Limited"; trading as "Raygun")
- Level 2, 14 Allen Street, Te Aro, Wellington 6011, New Zealand
- Country of establishment: New Zealand (NZBN 9429033667485)
- Privacy Policy: raygun.com/privacy
- Provider GDPR information: raygun.com/gdpr
- Documentation: raygun.com/documentation/product-guides/real-user-monitoring
According to the provider, data is stored in the AWS region US-EAST-1 (USA). Amazon Web Services acts as a sub-processor in this respect. There is therefore a third-country transfer to the United States, which requires its own safeguard under Art. 46 GDPR (see Section H).
For New Zealand itself, the European Commission has issued an adequacy decision (Implementing Decision 2013/65/EU of 19 December 2012); a transfer to New Zealand is therefore generally treated under the GDPR as equivalent to a transfer within the EEA. What is decisive for the third-country implications here, however, is the actual storage location in the United States, not the country in which the provider is established.
D. Data Processing in Raygun Real User Monitoring – Step by Step
raygun4js is loaded, the user's browser loads the script and sends data packets to the Raygun endpoints on page load, on JavaScript errors, on performance measurement points (e.g. Largest Contentful Paint, First Input Delay) and on custom events defined by the website operator.
Secure flag.
E. Data Collected by Raygun Real User Monitoring
According to the provider's publicly available information and the documentation for raygun4js, Raygun Real User Monitoring typically processes the following data: IP address (unless disabled in settings), coarse location based on the IP (if geolocation lookup is enabled), URL of the requested page, referrer, timestamp, browser name and version, operating system, device type, screen resolution, performance metrics (load times, Web Vitals, resource timings), stack traces and error messages for JavaScript errors, and a pseudonymous session/user ID stored in LocalStorage. The website operator may optionally add identifying data (e.g. a user ID from its own system).
This data falls into the following standardised data categories:
- Web server log data: data generated with each request to the Raygun endpoints, in particular IP address, date and time of the request, URL of the requested content, referrer and supplementary technical metadata.
- Click paths: pages accessed, sequence of accesses and transitions within a session, each with date and time; depending on the configuration, also clicks on buttons or links.
- Device data: device type, operating system, screen resolution and, where applicable, touch support.
- Browser information: browser name and browser version.
- Coarse location data: location at city or country level derived from the IP address (provided geolocation lookups are enabled in Raygun settings).
- Conversion events: user interactions defined by the website operator as custom events (e.g. visiting a thank-you page, submitting a form).
- Technical telemetry data: load times, Web Vitals, resource timings, JavaScript error messages and stack traces, data volume.
- User account data: only to the extent that the website operator deliberately passes a user ID or further profile data to Raygun.
F. Purposes of Use When Deploying Raygun Real User Monitoring
The website operator typically uses the data collected by Raygun Real User Monitoring to identify and remediate errors in its online services, to measure and optimise the performance of individual pages and functions, to understand actual user journeys and to make technical and business decisions (e.g. investments in particular areas of the website) on a data-driven basis.
These purposes fall into the following standardised purpose categories:
- Functional provision: provision of the website's functionality, in particular error detection, error remediation and error avoidance based on the JavaScript errors reported by raygun4js.
- Security and abuse prevention: detection of unusual technical patterns indicating attacks or faulty automated access.
- General product improvement: optimisation of the website based on frequently accessed content, devices used and measured load times; improvement of usability of the interface.
- User profile creation: formation of pseudonymous session and user profiles to evaluate recurring visits and click paths.
- User-individual product improvement: adaptation of the online services to recurring usage and error patterns of individual sessions or identified users.
According to the provider's positioning, Raygun Real User Monitoring does not pursue marketing purposes; the service is positioned as performance and error monitoring, not as an advertising network.
G. Legal Bases for Raygun Real User Monitoring
Based on the data processed and purposes pursued, Raygun Real User Monitoring falls into the tool category Real User Monitoring / Tracking (Statistics).
For this category, the following legal bases typically come into consideration:
- Consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG): Since raygun4js stores information on the user's terminal (LocalStorage, fallback to cookie) and transfers non-anonymous data such as IP address, click paths and error stack traces to servers in the USA, consent via a consent banner is regularly required.
- Legitimate interest (Art. 6(1)(f) GDPR): Reliance solely on legitimate interests will at most come into consideration if IP storage and geolocation lookups are disabled in Raygun, no identifying custom data is added and an otherwise cookie- or access-free configuration is achieved. Relevant interests are then improvement, business management and security and abuse prevention (error and attack detection). This assessment is contested; in practice, an elevated risk will regularly exist without consent.
Which legal basis is relevant depends on the specific configuration (cookies, IP anonymisation, custom data) and the integration with the website operator's consent management and is to be assessed in the individual case by the website operator.
H. Specific Aspects and Notes on Raygun Real User Monitoring
- Third-country transfer USA: According to the provider, data is stored in the AWS region US-EAST-1 (USA). This constitutes a transfer to a third country within the meaning of Art. 44 et seq. GDPR. Since Raygun Limited, as a New Zealand company, is not itself certified under the EU-US Data Privacy Framework (DPF) and has no establishment in the USA, the transfer must as a rule be based on Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR, supplemented by appropriate additional measures. According to the provider, the DPA includes corresponding provisions.
- Country of establishment New Zealand: An adequacy decision of the EU Commission exists for New Zealand (Implementing Decision 2013/65/EU). To the extent that Raygun Limited carries out its own operations from New Zealand, this is treated under the GDPR as equivalent to processing within the EEA. What remains decisive for the SCC requirement, however, is the actual storage location in the USA.
- DPA: Raygun provides a Data Processing Addendum (DPA) which can be concluded via the account settings. The website operator should conclude the DPA before going live.
- Sub-processors: According to the provider, Amazon Web Services (AWS) is the principal sub-processor. A complete sub-processor list is, according to the provider, available via the customer account or in the DPA.
- Settings for the website operator: In the application settings, IP storage can be disabled and geolocation lookups can be switched off. Sensitive fields can be removed client-side before transmission ("Removing sensitive data" feature). These switches significantly reduce the personal reference of the data collected.
- Opt-out for users: A provider-supplied end-user opt-out URL is not documented. Users can remove the anonymous user ID by deleting LocalStorage or cookies; otherwise, control is exercised via the website operator's consent banner.
- Role of the provider: According to publicly available information, Raygun acts vis-à-vis website operators as a processor within the meaning of Art. 28 GDPR. The assessment in the individual case is a matter for the website operator.
This description is based on publicly available information from the provider (Privacy Policy, GDPR page, product documentation) and does not replace an individual case assessment. As of: 2026-05-07.
I. FAQ on Raygun Real User Monitoring and Data Protection
J. Conclusion on Raygun Real User Monitoring and Call to Action
Raygun Real User Monitoring is a performance and error monitoring service based on JavaScript executed in the browser. The data collected includes web server log data, click paths, device and browser information, coarse location data and technical telemetry data; according to the provider, the data is stored in the AWS region US-EAST-1. For the website operator, this gives rise to the typical obligations associated with a tracking tool: an appropriate legal basis (regularly consent), conclusion of a DPA, third-country safeguards via SCC, and informing data subjects in the privacy policy.
For website operators, it is generally not very useful to list Raygun Real User Monitoring – or any other individual tool – with a separate clause in the privacy policy. Such tool-by-tool clauses make the privacy policy long, unclear, hard to maintain and tend to run counter to the transparency requirement of Art. 12(1) GDPR.
A more appropriate solution is a structured, topic-oriented approach: processing operations are described across the board by topic (server operation, newsletter, tracking, sales …), and the specific service providers used – such as Raygun Limited – are listed only in an Appendix: Recipients. This is precisely the methodology followed by the matterius generator.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com