Beusable is a Korean user experience analytics platform that records user sessions, generates heatmaps and tracks conversion funnels. Operated by 4Grit Inc., it deploys persistent cookies and a JavaScript tracker that capture every click, scroll and form interaction. Under the ePrivacy Directive, Beusable is not a strictly necessary tracker, so it requires prior consent across the European Union.
Beusable is a behavioural analytics platform developed by 4Grit Inc. in Seoul, South Korea, that combines heatmaps (click, attention, scroll, mouse movement), session replay, conversion funnel analysis and form analysis. The tag is delivered as an asynchronous JavaScript script loaded from cdn.beusable.com. It is widely used in Korea, Japan, Vietnam and increasingly in Europe as a Hotjar alternative.
Beusable sets first party cookies (typically prefixed _bes_) to identify the visitor and the active session, plus localStorage entries to buffer behavioural events. Data captured includes: clicks (target element, coordinates), scroll depth and speed, mouse movements, viewport size, page URL and referrer, time on element, full form interactions (input length and timing, optional input value), and reconstructed, video-like session replays. By default Beusable also captures IP and user agent.
Beusable falls squarely under Article 5(3) of the ePrivacy Directive: it reads from and writes to the user terminal, and the data processed allows individuals to be singled out from their interaction patterns. Session replay is treated as high-risk by the French CNIL and the Italian Garante, and the EDPB has repeatedly stressed that session replay tools require explicit, prior, granular opt-in consent. Legitimate interest cannot be invoked as an alternative for non-essential behavioural analytics.
Block the Beusable loader before any consent is given. The script must not execute, set cookies or write to localStorage until the user opts in via the CMP. Inside the Beusable workspace, configure masking rules: mask all input fields by default, then explicitly unmask only the fields that do not carry personal data; add CSS selector based blocklists for known sensitive areas (checkout pages, profile pages, dashboards). Enable IP truncation and reduce the replay retention to the minimum needed for the analysis.
4Grit Inc. is established in Seoul, South Korea. The European Commission adopted an adequacy decision for the Republic of Korea on 17 December 2021 (Implementing Decision (EU) 2022/254), which means that personal data can flow from the EEA to commercial Korean recipients without the need for SCCs, provided the recipient complies with PIPA. The adequacy decision is reviewed every four years; controllers should still sign a Beusable DPA, document the lawful transfer mechanism in their Article 30 record, and monitor any future change in the adequacy status.
Concrete steps:

1) gate the Beusable tag behind your CMP and only load it on analytics consent;
2) configure default masking for all input fields in the Beusable workspace;
3) add CSS selector exclusions for checkout, account and health related pages;
4) enable IP truncation;
5) cap replay retention to 30 to 60 days;
6) sign the 4Grit DPA;
7) document the Korean adequacy decision as the transfer mechanism;
8) list Beusable in your Article 30 record;
9) update the privacy notice with the controller, the processor (4Grit Inc.), the purposes, the legal basis (consent), the retention and the rights of data subjects.
Websites using Beusable must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Article 35 GDPR is recommended. Session replay is, by nature, systematic and large scale monitoring of user behaviour (EDPB WP248 criterion 7). Focus the DPIA on: risk of capturing sensitive form data (passwords, payment, health), risk of identifying users from rare attributes (custom selectors, page combinations), retention of replays (default 90 days), access controls inside the Beusable admin, propagation of consent withdrawal and transfer to South Korea. Document the masking rules (CSS selectors, default password masking, input redaction) and the contractual safeguards (DPA, Korean adequacy decision).
Sample consent text
We use Beusable, a behavioural analytics service operated by 4Grit Inc. (South Korea), to record heatmaps and replays of how visitors interact with our pages. Beusable stores cookies on your device, captures clicks, scrolls and form interactions and transfers the data to South Korea under the European Commission adequacy decision. Beusable will only load if you accept analytics cookies.
Third-party domains contacted
beusable.net, cdn.beusable.com, cdn.beusable.net, in.beusable.net, api.beusable.com, 4grit.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| _bes_uid | HTTP cookie (first party) | 1 year | Stores the Beusable persistent visitor identifier used to link multiple sessions to the same visitor in heatmap and replay reports. |
| _bsa.uid | HTTP cookie (first party) | 2 years | Stores the unique visitor identifier used to link sessions, heatmaps and replays to the same user across visits. |
| _bes_sid | HTTP cookie (first party) | Session (30 minutes inactivity) | Marks the active Beusable recording session. Expires after 30 minutes of inactivity. |
| _bsa.sid | HTTP cookie (first party) | Session | Stores the active session identifier so that page views and events recorded during a single visit are correlated. |
| _bsa.bid | HTTP cookie (first party) | 30 days | Stores the recording bucket reference used by Beusable to associate the visitor with a specific session replay. |
| _bes_buf | localStorage | Persistent (until cleared) | Buffers behavioural events (clicks, scrolls, mouse paths) before they are flushed to the Beusable backend. |
| _bes_ref | HTTP cookie (first party) | 30 days | Stores the referrer and campaign that brought the visitor to the site, used for replay segmentation by entry source. |
Beusable typically writes three first party cookies. _bsa.uid stores the unique visitor identifier for up to two years, _bsa.sid stores the session identifier for the duration of the browsing session, and _bsa.bid stores the recording bucket reference. The script also collects technical metadata such as user agent, screen resolution and IP address.
Beusable sets first party cookies (typically prefixed _bes_) to identify the visitor and the active session, plus localStorage entries to buffer behavioural events. The exact cookie names depend on the Beusable workspace configuration. No third party cookies are set, but the script is loaded from cdn.beusable.com, which still qualifies it as a third party tracker under EDPB and CNIL guidance.
Yes. Beusable is a behavioural analytics tracker that falls outside the strictly necessary exemption of Article 5(3) of the ePrivacy Directive. You must obtain a freely given, specific, informed and unambiguous consent through your Consent Management Platform before the Beusable script runs.
Yes. Beusable reads and writes to the user terminal and records session replays of behavioural interactions, which the CNIL, the Italian Garante and the EDPB consistently classify as high-risk processing that requires prior, explicit, granular consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive. Legitimate interest is not available.
The only valid legal basis under GDPR Article 6 is the user's consent, collected in line with Article 7. Legitimate interest cannot be used because the ePrivacy Directive requires consent for any non strictly necessary access to terminal equipment, and the EDPB confirms this position in its Guidelines 03/2022.
Consent (Article 6(1)(a) GDPR) for the categories of data collected, and an Article 28 Data Processing Addendum with 4Grit Inc. as the processor. The DPA must cover the South Korean adequacy decision as the lawful transfer mechanism, the categories of data, the retention, the sub processors and the security measures.
Beusable processes data in South Korea on AWS Seoul. The European Commission adopted an adequacy decision for the Republic of Korea on 17 December 2021, so transfers can rely on this adequacy basis. There is no routine transfer to the United States, but you should confirm with 4Grit Inc. whether any sub processor is located outside Korea.
Yes. 4Grit Inc. is based in Seoul. Since 17 December 2021, the European Commission adequacy decision for the Republic of Korea (Implementing Decision (EU) 2022/254) allows personal data to flow from the EEA to commercial Korean recipients without Standard Contractual Clauses, provided they comply with the Personal Information Protection Act (PIPA). Monitor the decision, as it is reviewed every four years.
A DPIA is strongly recommended and often mandatory because session replay performs systematic monitoring of behaviour at scale and may capture sensitive data. The CNIL list of mandatory DPIA scenarios and the equivalent lists from the Spanish AEPD and the German DSK include systematic profiling and recording of user activity.
A DPIA is strongly recommended. Session replay constitutes systematic and large scale monitoring of behaviour (EDPB WP248 criterion 7). Focus the DPIA on: risk of capturing sensitive form data, identification through replay attributes, replay retention, propagation of consent withdrawal, internal access controls and transfer to South Korea under the adequacy decision.
Block the Beusable script through your Consent Management Platform until the analytics or marketing category is accepted. Enable input field masking by default, exclude pages with sensitive data, restrict access to authorised users, document the retention period and reference Beusable in your privacy policy and your record of processing.
Gate the loader behind your CMP, enable default masking on all input fields, exclude sensitive pages by CSS selector, activate IP truncation, cap replay retention, sign the 4Grit DPA, document Beusable in the Article 30 record, update the privacy notice with the lawful transfer basis (Korean adequacy) and the rights of data subjects, and verify with a network capture that Beusable is fully blocked when consent is refused.
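One way to run the network capture check described above, as an added example that is not part of the original page or Beusable's own code: it scans a HAR export recorded after refusing consent for requests to the domains listed on this page and for cookies with the `_bes_` or `_bsa.` prefixes. The sample HAR, `shop.example` and the script path are constructed, and matching subdomains of beusable.net, beusable.com and 4grit.com by suffix is an assumption.

```javascript
// Added example: audit a HAR capture recorded with consent refused.
// Domains and cookie prefixes come from this page; the sample HAR is constructed.
const BEUSABLE_DOMAINS = ["beusable.net", "beusable.com", "4grit.com"];
const BEUSABLE_COOKIE_PREFIXES = ["_bes_", "_bsa."];

// True when host is one of the listed domains or a subdomain of it.
// Matching on a dot boundary avoids flagging look-alikes such as "notbeusable.net".
function isBeusableHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return BEUSABLE_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

function isBeusableCookie(name) {
  return BEUSABLE_COOKIE_PREFIXES.some((p) => name.startsWith(p));
}

// Returns one finding per offending request or cookie in the capture.
function auditHar(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname;
    } catch {
      continue; // skip entries whose URL does not parse
    }
    if (isBeusableHost(host)) {
      findings.push({ kind: "request", host, url: entry.request.url });
    }
    // First party cookies set by the tracker show up on later requests to the site itself.
    const cookies = [...(entry.request.cookies || []), ...(entry.response?.cookies || [])];
    for (const c of cookies) {
      if (isBeusableCookie(c.name)) findings.push({ kind: "cookie", name: c.name, host });
    }
  }
  return findings;
}

// Constructed sample: a capture taken after clicking "refuse" in the banner.
const sampleHar = { log: { entries: [
  { request: { url: "https://shop.example/", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://cdn.beusable.com/placeholder.js", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://notbeusable.net/x.js", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://shop.example/cart", cookies: [{ name: "_bes_uid", value: "constructed" }] },
    response: { cookies: [] } },
] } };

console.log(auditHar(sampleHar));
```

An empty result is the pass condition. The `_bes_buf` localStorage entry does not appear in a HAR and has to be checked separately in the browser's storage inspector.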
For European session replay and heatmap tools: Mouseflow (Denmark, EU residency option), Contentsquare (France), VWO Insights (Netherlands data centres) and Smartlook (Czech Republic). For self hosted options: PostHog (open source, hostable in any EU region) and OpenReplay (open source, fully self hosted). For consent exempt heatmap only solutions: Plerdy (Ukraine) configured with anonymisation.
You can consider Matomo Heatmaps and Session Recording self hosted in the EU, Plausible Insights for cookieless analytics, or Microsoft Clarity which is free of charge but requires consent and US transfer safeguards. Each tool has different feature sets, so map your use case before switching.
Add a dedicated entry for Beusable in your cookie policy listing the cookie names, purpose, retention period, and the country where data is stored. Update your privacy notice to mention 4Grit Inc. as a processor, link to the Beusable Privacy Policy, and document the consent and revocation flow available to users.
Add an entry naming 4Grit Inc. (Seoul, South Korea) as the processor, the purpose (behavioural analytics, heatmaps, session replay), the legal basis (consent), the categories of data (identifier, behavioural events, replays, IP, device data), the retention, the international transfer to South Korea under the EU adequacy decision, the recipient categories and a direct link to the Beusable privacy policy.