Sentry Browser SDK Privacy – What Belongs in Your Privacy Policy
Concise guide on the Sentry Browser SDK: data processed, purposes, legal bases (GDPR), and what website operators need to include in their privacy policy.
When a website operator deploys the Sentry Browser SDK, they primarily process web server log data, device data, browser information and technical telemetry data for the purposes of error detection and remediation as well as functional provision – typically based on legitimate interests under Art. 6(1)(f) GDPR. This article explains which data the Sentry Browser SDK typically collects and what information should appear in the website's privacy policy.
A. Purpose and How the Sentry Browser SDK Works
The Sentry Browser SDK (packages @sentry/browser and @sentry/javascript) is a client-side JavaScript library embedded in the website that captures errors, exceptions and performance data occurring in the user's browser. The recorded events are transmitted to Sentry's servers, where they are aggregated, grouped and made available to developer teams in the Sentry dashboard. The overarching tool category is Real User Monitoring within frontend error monitoring.
The Sentry Browser SDK provides three core functions that are practically relevant for website operators:
- Error and exception monitoring – capture of uncaught JavaScript errors including stack traces and so-called breadcrumbs (traces of recent user actions such as clicks, console logs, network requests).
- Performance and tracing data – measurement of load times, web vitals and individual transactions (e.g. navigation, API calls).
- Session Replay (optional add-on) – recording of DOM mutations of a session in order to reconstruct errors in the context of user interaction.
The following statements relate to the client-side Sentry Browser SDK with the functions named, to the extent that the website operator integrates them into the website. Server-side Sentry SDKs (e.g. for Node.js, Python, PHP) and other Sentry services (such as crons, profiling or mobile SDKs) are not addressed here.
B. Mandatory Information in the Privacy Policy When Using the Sentry Browser SDK
For the privacy policy, the GDPR – in addition to general information about the website operator, data subject rights and the supervisory authority – requires a number of specific mandatory disclosures with regard to the use of tools such as the Sentry Browser SDK. These include in particular:
- the purposes of processing (Art. 13(1)(c) GDPR),
- the legal bases for processing (Art. 13(1)(c) GDPR),
- where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients of personal data (Art. 13(1)(e) GDPR),
- whether data is transferred to a third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
- the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
- and – where data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).
These mandatory disclosures are broken down for the Sentry Browser SDK in sections C through H below.
In practice, it has become common to include each individual tool – including the Sentry Browser SDK – with its own, often lawyer-drafted boilerplate paragraph in the privacy policy. This "boilerplate-per-tool" approach has established itself as a less-than-ideal practice: it leads to lengthy, repetitive privacy policies that are hard to maintain and stand in tension with the transparency requirement of Art. 12(1) GDPR (concise, transparent, intelligible, easily accessible). A more appropriate approach is a topic-oriented one that describes processing operations across the board (hosting, error detection, tracking, sales …) and merely names the specific service providers actually used – including the Sentry Browser SDK provider – in a recipient appendix.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of the Sentry Browser SDK
According to the provider's publicly available information, the contractual party for use of the Sentry Browser SDK is:
- Legal name: Functional Software, Inc. d/b/a Sentry
- Address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
- Country of establishment: United States of America
- EU representative (Art. 27 GDPR): Sentry Software Netherlands B.V., Schiphol Boulevard 359, 1118 BJ, Amsterdam Schiphol, Netherlands
- Privacy Policy: sentry.io/privacy/
- Data Processing Addendum (DPA): sentry.io/legal/dpa/
- Subprocessor list: sentry.io/legal/subprocessors/
- Data residency: Selectable between US region (Iowa, USA, us.sentry.io) and EU region (Frankfurt, Germany, de.sentry.io); see the Sentry data storage location documentation.
- DPF status: According to publicly available information, Functional Software, Inc. is an active participant in the EU-U.S. Data Privacy Framework as well as the UK and Swiss extensions. Website operators can verify the current status at dataprivacyframework.gov.
For processing of end-user data carried out on behalf of the website operator, the provider regularly acts as a processor; the DPA is typically concluded as part of the Sentry terms. The final classification of the role is to be reviewed by the website operator on a case-by-case basis.
D. Data Processing – Step-by-Step Flow with the Sentry Browser SDK
- Collection: When a page that has the Sentry Browser SDK embedded is loaded, the user's browser fetches the SDK code. If an error occurs in the browser or a transaction subject to capture runs, the SDK collects event data (stack trace, breadcrumbs, technical metadata). With Session Replay enabled, the SDK additionally records DOM mutations, inputs and console logs – with default settings that aggressively mask text and input fields.
- Storage: The events are transmitted to Sentry servers in the region selected by the website operator (US or EU). Certain account and configuration data (Sentry user accounts of the website operator's staff, audit logs, SSO metadata) remain in the United States regardless of the region chosen, according to the provider.
- Use: The provider groups and aggregates error events, displays them in the dashboard and may issue notifications. The website operator analyses the data for error analysis, prioritisation and remediation.
- Disclosure: According to its subprocessor list, Sentry uses additional processors, in particular for cloud hosting and supporting infrastructure. Third-country transfers to the United States are, according to the provider, secured via the EU-U.S. Data Privacy Framework and supplementary standard contractual clauses (SCC).
- Deletion: The storage period for individual data types depends on the Sentry account plan and the website operator's configurations (event retention typically 30 or 90 days). Upon contract termination, the DPA provides for deletion, subject to applicable retention obligations.
E. Data Collected by the Sentry Browser SDK
Depending on the activated functions, the Sentry Browser SDK collects in particular: the IP address of the internet connection (if sendDefaultPii is set to true; default is false), URL of the page accessed and referrer, browser and operating system information, screen resolution, JavaScript stack traces including source code excerpts, error messages, breadcrumbs (e.g. recent button clicks, navigation, console logs, network requests), performance metrics (load times, web vitals) and – with Session Replay enabled – recorded DOM mutations, mouse movements and keyboard inputs.
The data fits into the following standardised data categories:
- Web server log data: data transmitted by the browser to the Sentry endpoints, in particular IP address (if enabled), date and time of the request, URL of the requested resource, referrer and information on browser, operating system and device.
- Click paths: sequences of pages visited, buttons clicked and navigation events captured via breadcrumbs, each with date and time.
- Device data: information about the user's device, e.g. device type, operating system, screen resolution and size.
- Browser information: browser name and version as well as language settings used.
- Coarse location data: location information derived from the IP address at city or region level, where IP collection is enabled.
- User content: with Session Replay enabled, in principle also DOM contents, inputs and visual representations of the page. By default, text and input values are masked (maskAllText, maskAllInputs) and media is blocked (blockAllMedia); the website operator may relax or tighten these defaults.
- Interaction data: mouse movements, scrolling, clicks and key presses, where Session Replay or performance tracing is active.
- Technical telemetry data: error messages, stack traces, load times, web vitals, data volumes and supplementary technical metadata.
F. Purposes of Use of the Sentry Browser SDK
Website operators typically deploy the Sentry Browser SDK to detect, reproduce and remediate errors in the frontend of their website in a timely manner, monitor the stability of the website, identify performance bottlenecks and – with Session Replay enabled – reconstruct the exact steps required to reproduce an error.
These purposes fit into the following standardised purpose categories:
- Functional provision: provision of the website's functionality, in particular error detection, remediation and prevention as well as the delivery of interactive content with documented stability.
- Security and abuse prevention: detection of unusual error patterns that may indicate attacks or manipulation attempts, as well as identification of configuration and integrity issues.
- General product improvement: non-individual optimisation of the website on the basis of aggregated error and performance data, e.g. improving the usability of input forms and flows.
- Compliance: evidence of proper software maintenance and care, where this follows from contractual or regulatory obligations.
User profile creation or user-individual marketing is not pursued with the Sentry Browser SDK in its typical configuration; analysis is regularly performed at the error or aggregate level.
G. Legal Bases for Use of the Sentry Browser SDK
In its typical embedding as a real user monitoring / error monitoring tool, the Sentry Browser SDK falls primarily within the third-party content / technical monitoring category. The applicable legal basis depends materially on the specific configuration and in particular on whether the SDK uses cookies or comparable storage access within the meaning of Section 25(1) TDDDG (the German national implementation of the ePrivacy Directive) and which functions (especially Session Replay) are activated.
The following are typically relevant:
- Art. 6(1)(f) GDPR (legitimate interest) – for pure error capture and remediation with the default settings (sendDefaultPii: false, no Session Replay, no non-essential cookies). Specific legitimate interests pursued are in particular functional provision, security, improvement and compliance.
- Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent) – where the Sentry Browser SDK accesses information on the end device that is not strictly necessary for a function expressly requested by the user, or where Session Replay is enabled, which extensively records contents and interactions. Especially for Session Replay, prior informed consent is regularly advisable, also in the practice of data protection supervisory authorities.
- Art. 6(1)(b) GDPR (contract performance) – additionally, where monitoring is necessary for the provision of a paid or contractually promised online function.
Which legal basis applies in the specific case is a matter of individual assessment by the website operator, in particular in light of the configuration, cookie usage and any data protection impact assessment regarding Session Replay.
H. Special Aspects and Notes Regarding the Sentry Browser SDK
- PII scrubbing via beforeSend: The Sentry Browser SDK provides a beforeSend hook with which website operators can modify or discard event data before transmission to Sentry. It is recommended to specifically remove or hash sensitive values (email addresses, tokens, IDs in URLs). In addition, breadcrumbs can be filtered via beforeBreadcrumb. See Sentry documentation: Sensitive Data.
- sendDefaultPii flag: By default, sendDefaultPii: false is set, so that IP addresses and similar PII are not transmitted automatically. Website operators should leave this flag in place deliberately, or only activate it under controlled conditions.
- Session Replay masking: When Session Replay is active, the default settings maskAllText: true, maskAllInputs: true and blockAllMedia: true are pre-configured in a privacy-friendly manner. Any relaxation of these defaults should be carefully reviewed; CSS classes such as sentry-mask, sentry-block and sentry-ignore allow fine-grained control. See Sentry documentation: Session Replay Privacy.
- EU data residency: Sentry offers an EU region (Frankfurt, de.sentry.io); however, certain account, audit and SSO data remain in the United States regardless of the region chosen, according to the provider. Once selected, the region cannot be changed.
- Third-country transfer / DPF: According to publicly available information, Functional Software, Inc. is certified under the EU-U.S. Data Privacy Framework; the provider additionally relies on standard contractual clauses. Status to be verified at dataprivacyframework.gov.
- DPA: The Sentry Data Processing Addendum is available online (sentry.io/legal/dpa/) and typically takes effect as part of the contractual relationship. Subprocessors are listed at sentry.io/legal/subprocessors/; changes are announced 30 days in advance.
- Recommended configuration: Website operators should consider (i) whether the EU region is sufficient, (ii) leaving sendDefaultPii deactivated, (iii) using beforeSend / beforeBreadcrumb to strip sensitive values, (iv) deploying Session Replay only with consent and retaining the masking defaults, and (v) integrating the tool into consent management to the extent that storage access within the meaning of Section 25 TDDDG occurs.
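The scrubbing recommended above (email addresses, tokens and IDs in URLs removed in beforeSend and beforeBreadcrumb, with sendDefaultPii left at false), as an added example that is not taken from Sentry's documentation or from this article's author. The regular expressions, the list of sensitive parameter names, the /payment drop rule and the [Filtered]/[id]/[email] markers are assumptions to adapt to the website in question.

```javascript
// Added example: scrubbing helpers meant to be passed to Sentry.init() as
// beforeSend / beforeBreadcrumb. Patterns and parameter names are assumptions.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Query/fragment parameters whose values are treated as secrets (assumed names).
const SENSITIVE_PARAMS = new Set(["token", "access_token", "api_key", "session", "email"]);
// Path segments that look like identifiers: 4+ digits or a UUID.
const ID_SEGMENT_RE = /^(\d{4,}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$/i;
// Hypothetical area of the site whose events are never sent at all.
const DROP_PATH_RE = /\/payment(\/|$)/;

function scrubText(value) {
  return typeof value === "string" ? value.replace(EMAIL_RE, "[email]") : value;
}

function scrubUrl(raw) {
  const cut = raw.search(/[?#]/);
  const path = cut === -1 ? raw : raw.slice(0, cut);
  const rest = cut === -1 ? "" : raw.slice(cut);
  // Replace ID-like path segments, then mask sensitive query/fragment values.
  const cleanPath = path.split("/").map((seg) => (ID_SEGMENT_RE.test(seg) ? "[id]" : seg)).join("/");
  const cleanRest = rest.replace(/([?&#])([^=&#]+)=([^&#]*)/g, (match, sep, key) =>
    SENSITIVE_PARAMS.has(key.toLowerCase()) ? `${sep}${key}=[Filtered]` : match);
  return scrubText(cleanPath + cleanRest);
}

// beforeSend: return the modified event, or null to discard it.
function scrubEvent(event) {
  const request = event.request || {};
  if (typeof request.url === "string") {
    if (DROP_PATH_RE.test(request.url.split(/[?#]/)[0])) return null;
    request.url = scrubUrl(request.url);
  }
  // The referrer can carry the same tokens and IDs as the page URL.
  if (typeof request.headers?.Referer === "string") {
    request.headers.Referer = scrubUrl(request.headers.Referer);
  }
  if (event.user) { delete event.user.email; delete event.user.ip_address; }
  if (event.message) event.message = scrubText(event.message);
  for (const ex of event.exception?.values ?? []) ex.value = scrubText(ex.value);
  return event;
}

// beforeBreadcrumb: same URL/text scrubbing for fetch, XHR and navigation crumbs.
function scrubBreadcrumb(breadcrumb) {
  const data = breadcrumb.data || {};
  for (const key of ["url", "from", "to"]) {
    if (typeof data[key] === "string") data[key] = scrubUrl(data[key]);
  }
  if (breadcrumb.message) breadcrumb.message = scrubText(breadcrumb.message);
  return breadcrumb;
}

// Wiring (needs @sentry/browser at runtime; the DSN below is a placeholder):
// Sentry.init({ dsn: "<your-dsn>", sendDefaultPii: false,
//               beforeSend: scrubEvent, beforeBreadcrumb: scrubBreadcrumb });
```

Pattern-based scrubbing only catches what the patterns anticipate, so the result should be checked against real events in the Sentry dashboard after deployment.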
This account is based on the provider's publicly available information and does not replace a case-by-case assessment. Configuration details – particularly relating to Session Replay, cookie usage and PII scrubbing – are to be verified by the website operator on a case-by-case basis.
I. FAQ on the Sentry Browser SDK and Privacy
J. Conclusion on the Sentry Browser SDK and Call-to-Action
The Sentry Browser SDK is a client-side real user monitoring tool from Functional Software, Inc. d/b/a Sentry that is embedded in the website and primarily collects web server log data, device and browser information, click paths and technical telemetry data – plus, with Session Replay enabled, potentially also user content and interaction data. The legal basis is regularly Art. 6(1)(f) GDPR; for cookie access and Session Replay, consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG comes into consideration. An EU data residency option in Frankfurt is available, a DPA is offered and subprocessors are publicly listed. Privacy-friendly configuration via sendDefaultPii, beforeSend and Session Replay masking should be actively used.
For the website operator, it usually makes little sense to include a separate boilerplate paragraph for each individual tool – including the Sentry Browser SDK – in the privacy policy. This makes the privacy policy long, opaque, hard to read and hard to maintain – and stands in tension with the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach is more appropriate: it explains processing operations across topic blocks (hosting, error detection, tracking, sales …) and only refers to individual tools and service providers in the recipient appendix. This is precisely the methodology of the matterius generator.
This article serves general informational purposes regarding the Sentry Browser SDK and does not replace legal advice in individual cases. As of: 7 May 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com