Woopra and Data Protection – What Belongs in the Privacy Policy

Woopra is a cloud-based customer journey analytics platform from the US company Woopra Inc. The tool collects and analyzes digital usage data on websites and in web apps. Anyone using Woopra must transparently disclose this and the associated data processing in their privacy policy – including notes on third-country transfers, legal bases and data subject rights.

A. Purpose and Function of Woopra

Woopra is a cloud-based customer journey analytics platform from the US company Woopra Inc. The tool collects and analyzes digital usage data on websites and in web apps. The range of functions includes:

• Event tracking: Capture of individual user actions such as clicks, form entries, page views
• User profiles: Aggregated user data with behavior patterns and preferences
• Segmentation: Categorization of users into groups based on properties and behavior
• Funnel analysis: Tracking of conversion steps and drop-offs
• Retention metrics: Analysis of user engagement and return

For data collection, a JavaScript snippet is usually embedded in the website source code or SDKs for mobile apps are used. Woopra processes all collected data on servers in the USA.

B. Mandatory Disclosures of the Privacy Policy when Using Woopra

Anyone using Woopra must transparently disclose the associated data processing in the privacy policy. The following are required:

1. Name and address of the provider (Woopra Inc.)
2. Type and scope of data processed (events, profiles, click paths, device and browser info, location data)
3. Purpose of processing (analysis, optimization, profiling)
4. Legal basis (usually consent under § 25 TDDDG or GDPR Art. 6(1)(a))
5. Notice of third-country transfer to the USA
6. Information on data subject rights (access, rectification, erasure, objection, complaint)

C. Provider of Woopra

Woopra is operated by:

Woopra Inc.
303 Twin Dolphin Drive
Redwood City, CA 94065, USA

The controller for the data processing is Woopra Inc. as a processor within the meaning of GDPR Art. 28. Woopra's privacy policy can be found at woopra.com/privacy. For all questions regarding data processing and exercising data subject rights, users can contact Woopra directly.

D. Data Processing – Workflow in Steps

E. Data Collected by Woopra

Woopra collects a wide range of usage data. This can be classified into the following classes:

Web server log data

• IP addresses (partly anonymised)
• Access times
• Referrer data

Click paths and usage behavior

• Page views
• Time spent
• Scroll depth
• Click positions
• Form entries

Device data

• Operating system
• Device class (desktop/mobile/tablet)
• Device manufacturer

Browser information

• Browser type and version
• Plugin status
• Screen resolution

Location data

• Coarse geographic location determination (at country/city level)
• Determination based on the IP address

Conversion events

• Goal conversions
• Purchases
• Registrations (if configured)

User profiles

• Aggregated profiles with segment membership
• Behavior patterns and preferences
• Possibly linking with other online identifiers

F. Purposes of Use

Woopra is used for the following purposes:

1. General product improvement: Analysis of website usage, identification of bottlenecks and optimization potential
2. Creation of user profiles: Aggregation of user data into profiles for better understanding of user groups
3. User-individual product improvement: Personalization of website content and functions based on user profiles
4. Marketing and retargeting: Possible use of Woopra data for targeted advertising (depending on configuration and third-party integrations)
5. Legal enforcement and security: Woopra also uses data to detect abuse and security breaches

G. Legal Bases for Woopra

The processing of usage data by Woopra requires a legal basis. In the EU and Germany:

Tracking cookie / consent
The Woopra script usually sets cookies or uses local storage to recognize users. Under § 25 TDDDG and GDPR Art. 6(1)(a), this is only permissible with prior consent (e.g. via a cookie consent banner).

Third country USA without DPF
The USA is not assessed as adequate by the European Commission. Therefore, additional safeguards must be put in place – typically through Standard Contractual Clauses (SCC) or similar transfer mechanisms.

Responsibility relationship
The website operator is the controller (GDPR Art. 6), Woopra is the processor (GDPR Art. 28) – a Data Processing Agreement (DPA) must be in place.

H. Special Features and Notes regarding Woopra

• Data Processing Agreement (DPA): Woopra provides a DPA; the website operator should conclude this before starting use
• Data Privacy Framework (DPF): The USA does not have DPF protection within the meaning of the Schrems II ruling; SCC or similar safeguards are necessary
• Opt-out options: Woopra offers opt-out links and cookies; these should be mentioned in the privacy policy
• Data retention period: Woopra stores data by default according to configured retention policies; the specific duration should be documented
• International transfers: Data transfers can be ensured via SCC or other transfer mechanisms
• Subprocessors: Woopra may use subcontractors; these should be listed in the DPA

I. Frequently Asked Questions (FAQ)

J. Conclusion and Next Steps

Woopra is a powerful analysis tool for customer journeys – but not without data protection requirements. Website operators must transparently communicate the data processing, obtain consent and conclude a DPA with Woopra. The third-country transfer to the USA requires legally compliant documentation.

K. Curator

Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com