Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Raygun is a New Zealand based application monitoring platform offering crash reporting, real user monitoring (RUM), and application performance monitoring (APM) for web and mobile applications. Founded in 2007 in Wellington, it tracks JavaScript errors, network requests, and user sessions to help developers debug production issues. Because RUM captures visitor IP and browser context, EU deployments must respect Art. 5(3) ePrivacy when client side scripts are loaded and document a clear lawful basis under GDPR.
Raygun is an application monitoring platform founded in 2007 in Wellington, New Zealand. It combines crash reporting, real user monitoring (RUM), and application performance monitoring (APM) for web, mobile, and backend applications. It is widely used by engineering teams to debug production issues and to track perceived performance.
On the client side, Raygun is integrated through the raygun4js library which captures JavaScript errors, unhandled promise rejections, and (optionally) page timings and user interactions. Server side SDKs in major languages handle backend error reporting.
For crash reporting, Raygun collects the visitor IP, User Agent, error message, stack trace, page URL, custom tags set by the developer, and browser environment information. For RUM, it additionally captures page load timings, network request timings, navigation events, and user interactions.
Optional user identifiers (email, account ID, name) can be attached by the developer via Raygun.setUser. When this happens, Raygun stores those identifiers and links them to all subsequent errors and sessions. This significantly increases the personal data footprint and the lawful basis analysis.
For crash reporting only, legitimate interest (Art. 6(1)(f) GDPR) is generally defensible: it is necessary to detect and fix bugs, and the data collected is limited to technical telemetry. A documented balancing test should be prepared, comparing the legitimate interest of the controller (service stability) against the user expectations and any potential identification via IP or stack trace content.
For Real User Monitoring with user identifiers, sample rates above standard, or capture of session content, consent becomes the safer basis. The raygun4js script itself may not require consent if it is strictly necessary for error detection, but it should be configured to anonymise the IP and to mask any identifiable data.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
New Zealand has had a full European Commission adequacy decision since 2012, which means EU to NZ transfers do not require additional safeguards. This makes Raygun an appealing option for EU GDPR strict deployments.
Enterprise customers may select US or EU regional clusters. The US region triggers SCCs and a Transfer Impact Assessment. An EU region (if available on the plan) avoids transfer concerns entirely.
Stack traces and HTTP request bodies can inadvertently contain personal or special category data (email addresses, session tokens, customer names, health information). Use Raygun before-send hooks to scrub identifiable data, ensure that URLs do not carry sensitive query strings, and avoid attaching unnecessary user identifiers.
Enable IP anonymisation in the Raygun account settings. Set sampling rates that balance debugging utility with data minimisation.
Sign the Raygun DPA. Add Raygun to your Records of Processing Activities. Select the NZ or EU region for EU traffic. Enable IP anonymisation. Configure scrubbing hooks for stack traces and request bodies. Limit user identifiers to what is necessary to debug.
Document the legal basis in your privacy notice (legitimate interest for basic crash reporting, consent for advanced RUM with identifiers). Provide a clear opt out for RUM if your sector or your audience demands it (regulated, public sector, children services).
Websites using Raygun must obtain user consent under GDPR regulations.
DPIA considerations
Raygun processes visitor IP, browser User Agent, JavaScript error stack traces, network request URLs, and (optionally) user session timings and identifiers. Key DPIA considerations: (1) basic crash reporting collects minimal personal data and is typically defensible on legitimate interest with a documented balancing test; (2) Real User Monitoring (RUM) is more intrusive: it can capture full URLs (potentially including query strings with personal data), session timings, and authenticated user identifiers passed by the developer; (3) when configured with user identifiers (email, account ID), the dataset becomes clearly personal and requires explicit lawful basis review; (4) New Zealand has EU adequacy, which simplifies transfers; (5) if the US region is selected, SCCs and a TIA apply; (6) error reports may inadvertently contain sensitive data (PII in stack traces, request bodies); developers must scrub such data at the SDK level.
Sample consent text
We use Raygun to detect technical errors and monitor performance on our website. Raygun stores basic technical telemetry (anonymised IP, browser, error stack traces) on its servers in New Zealand (or our chosen region) under a data processing agreement. We do not use Raygun for advertising or behavioural profiling. You can opt out of Real User Monitoring in our preferences page if you prefer.
Third-party domains contacted
raygun.comapi.raygun.comcdn.raygun.ioapp.raygun.comapi.raygun.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| raygun4js_userid | Functional | 1 year | Optional first party cookie that stores an anonymous browser identifier when the developer enables persistent affected user reporting in the raygun4js settings. Only set when the feature is explicitly enabled. |
| __raygun4js_queue | Functional | Session | localStorage entry (not a cookie) used to queue error reports between page loads if the network is temporarily unavailable. No identifying personal data. |
Raygun places tracking cookies for advertising — comply with GDPR using FlowConsent.
Raygun is largely cookieless by default. The raygun4js library sends error reports and RUM telemetry via XHR or fetch, without setting cookies. localStorage may be used to deduplicate error reports. If the user identifier API is used, Raygun stores that identifier server side but not in a client cookie.
Not always. For basic crash reporting without user identifiers, legitimate interest under Art. 6(1)(f) GDPR is generally defensible and Art. 5(3) ePrivacy does not require consent for cookies that are strictly necessary for the service. However, when RUM, full session URLs, or user identifiers are enabled, consent becomes the safer basis.
For technical telemetry only: legitimate interest (Art. 6(1)(f) GDPR) with a documented balancing test, supplemented by IP anonymisation and scrubbing of sensitive data. For RUM with identifiers: consent (Art. 6(1)(a) GDPR). For any user identifier that ties errors to individual users, consent is the safer choice.
By default, data is stored in New Zealand, which has a full EU adequacy decision (since 2012). Enterprise customers can select US or EU regional clusters. The US region triggers SCCs and a TIA. An EU region (if available) eliminates transfer concerns entirely.
A full DPIA is generally not required for basic crash reporting with IP anonymisation and no user identifiers. A DPIA becomes appropriate when RUM is enabled with identifiers, in highly regulated sectors (health, finance, public sector), or when stack traces / request bodies may inadvertently contain special category data.
Sign the Raygun DPA. List Raygun as a processor in your RoPA. Select NZ or EU region. Enable IP anonymisation. Configure before-send hooks to scrub sensitive data from stack traces and request bodies. Avoid pushing unnecessary user identifiers. Document the lawful basis in your privacy notice.
Error monitoring: Sentry (US/EU regions), Bugsnag (US, owned by SmartBear), Rollbar (US/EU), Honeybadger (US), Airbrake. EU based: Embrace (UK), GlitchTip (open source, self hosted). APM: New Relic, Datadog, Dynatrace, AppDynamics. Raygun differentiator is the NZ adequacy and the focus on perceived performance metrics.
Even if Raygun is cookieless, list it in your privacy notice as a processor (Raygun Limited, New Zealand or selected region) with the purpose (technical error monitoring and RUM), the lawful basis chosen, and the lack of cookies (or any localStorage usage). Mention the NZ adequacy decision when relevant.