Inspectlet is a digital analytics solution that helps businesses measure and understand their online performance through comprehensive data collection and analysis. It provides visitor tracking, behavioral insights, and conversion metrics across websites and applications. Inspectlet supports custom event tracking, audience segmentation, and automated reporting. With intuitive dashboards and visualization tools, Inspectlet enables informed decisions that improve experience and drive results.
Inspectlet is a session recording and heatmap analytics service operated by Spectrum Group Holdings LLC in the United States. It records detailed visitor sessions including mouse movements, clicks, scrolling, keystrokes and form interactions, and presents the data as session replays, heatmaps, scroll maps and conversion funnels.
Inspectlet loads a JavaScript snippet that captures the DOM and user interactions in near real time, sends them to the Inspectlet platform and replays them in a video-like interface. It also generates heatmaps, conversion funnels and an A/B test analyser. Recordings can be filtered by URL, referrer, country, device, custom event or user identifier sent through the JavaScript API.
Inspectlet writes the __insp_uid, __insp_sid, __insp_targetref and similar first-party cookies (one year). It collects IP address, user agent, browser version, screen size, page URL, referrer, every mouse and keyboard event, every input change and a serialised DOM snapshot. Without explicit masking, it can capture data typed in forms, including names, email addresses and free-text fields. Credit card numbers and password fields are masked by default.
Session replay is classified as a high-risk tracker by the CNIL and by the EDPB. Art. 5(3) ePrivacy requires prior consent before Inspectlet sets cookies or reads the DOM, and Art. 6 GDPR requires a valid lawful basis for processing the recorded personal data. The only realistic lawful basis is explicit consent. The EDPB Guidelines 03/2022 on dark patterns prohibit any pre-selected acceptance.
All recordings are transferred to and stored in the United States on AWS infrastructure (us-east-1, Virginia). The transfer requires an appropriate safeguard under Chapter V GDPR. The options are: Standard Contractual Clauses combined with supplementary technical and contractual measures, or reliance on the EU-US Data Privacy Framework if Inspectlet is certified. A Transfer Impact Assessment must be documented in any case.
Block Inspectlet behind the marketing or statistics consent category of your CMP. Mask every input that may contain personal data using the data-inspectlet-sensitive attribute or the dashboard masking rules. Disable keystroke capture unless strictly necessary. Sign the Inspectlet Data Processing Agreement. Document Inspectlet in your records of processing and in your privacy notice with the US transfer and the retention period. Conduct a DPIA before going live.
Websites using Inspectlet must obtain user consent under GDPR regulations.
Third-party domains contacted
inspectlet.com, cdn.inspectlet.com, hn.inspectlet.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| __insp_uid | first_party | 1 year | Unique visitor identifier used to link recordings to the same person across sessions. |
| __insp_sid | first_party | Session | Session identifier that groups the events of a single browsing session. |
| __insp_targetref | first_party | Session | Stores the referring URL that brought the visitor to the site. |
| __insp_norec_sess | first_party | Session | Flag that disables recording for the current session when the script is paused. |
| __insp_slim | first_party | Session | Timestamp of the last activity used to compute the session duration. |
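
To verify that the consent gate actually holds, the following added example (not code from Inspectlet or from this page's author) checks a browser capture for Inspectlet requests and `__insp_` cookies that appear before consent was granted. The domains and cookie prefix are the ones listed above; the capture format, its field names and the sample values are constructed for illustration.

```javascript
// Added example: flag Inspectlet activity recorded before consent was granted.
// Domains and cookie prefix come from this page; the capture format
// (consentGrantedAt, requests, cookies) is an assumption made for this example.
const INSPECTLET_DOMAINS = ["inspectlet.com", "cdn.inspectlet.com", "hn.inspectlet.com"];
const INSPECTLET_COOKIE_PREFIX = "__insp_";

// Exact or subdomain match only, so look-alike hosts are not flagged.
function isInspectletHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return INSPECTLET_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// consentGrantedAt is a millisecond timestamp, or null if the visitor never consented.
function auditPreConsent(capture) {
  const { consentGrantedAt, requests, cookies } = capture;
  const preConsent = (t) => consentGrantedAt === null || t < consentGrantedAt;
  const findings = [];
  for (const req of requests) {
    let host;
    try { host = new URL(req.url).hostname; } catch { continue; } // skip malformed URLs
    if (isInspectletHost(host) && preConsent(req.time)) {
      findings.push({ kind: "request", detail: host, time: req.time });
    }
  }
  for (const cookie of cookies) {
    if (cookie.name.startsWith(INSPECTLET_COOKIE_PREFIX) && preConsent(cookie.setAt)) {
      findings.push({ kind: "cookie", detail: cookie.name, time: cookie.setAt });
    }
  }
  return findings.sort((a, b) => a.time - b.time);
}

// Constructed capture: consent is granted at t=5000 ms.
const sampleCapture = {
  consentGrantedAt: 5000,
  requests: [
    { url: "https://www.example.com/", time: 0 },
    { url: "https://notinspectlet.com/constructed.js", time: 900 },   // look-alike, ignored
    { url: "https://cdn.inspectlet.com/constructed.js", time: 1200 }, // before consent
    { url: "https://hn.inspectlet.com/constructed", time: 6000 },     // after consent
  ],
  cookies: [
    { name: "session_id", setAt: 100 },
    { name: "__insp_uid", setAt: 1300 }, // before consent
    { name: "__insp_sid", setAt: 6100 }, // after consent
  ],
};

for (const f of auditPreConsent(sampleCapture)) {
  console.log(`pre-consent ${f.kind}: ${f.detail} at ${f.time} ms`);
}
```

An empty result means no Inspectlet request or cookie was observed before the consent timestamp in that capture.
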
Inspectlet writes first-party cookies on your own domain, including __insp_uid (visitor identifier, one year), __insp_sid (session identifier), __insp_targetref (referrer), __insp_norec_sess (recording state) and a few internal flags. All require prior consent under Art. 5(3) ePrivacy as none of them is strictly necessary for the website.
Yes. Inspectlet captures behavioural data and may record personal data typed in forms, so it requires explicit, prior, granular and freely given consent under Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy. The script must be blocked until the visitor has accepted statistics or marketing cookies.
The only realistic legal basis is consent (Art. 6(1)(a) GDPR). Legitimate interest is not appropriate because the recording is intrusive, can capture sensitive information, and the visitor cannot reasonably anticipate it. The CNIL and the EDPB have repeatedly confirmed that session replay tools require consent.
Yes. All session recordings, heatmaps and event logs are stored in the United States on AWS infrastructure. The transfer must rely on Standard Contractual Clauses combined with supplementary measures, or on the EU-US Data Privacy Framework if Inspectlet has self-certified. A Transfer Impact Assessment is mandatory.
Yes. Session replay constitutes systematic monitoring of natural persons within the meaning of Art. 35(3)(c) GDPR and appears on the CNIL list of processing operations requiring a DPIA. The DPIA must cover the recording scope, masking strategy, retention, US transfer, lawful basis and rights of data subjects.
Block the script until consent is granted. Add the data-inspectlet-sensitive attribute to every input that may collect personal data. Disable keystroke capture for all input fields by default. Reduce the retention period to the minimum required. Sign the Inspectlet DPA. Update your privacy notice with the recording, the US transfer and the rights of data subjects.
EU-based alternatives include Contentsquare (France), Mouseflow (Denmark) and Smartlook (Czech Republic). US alternatives include Hotjar (now Contentsquare), FullStory, LogRocket and Microsoft Clarity. Self-hosted open source options include OpenReplay and PostHog session replay.
Whenever you change the masking rules, retention period or recording scope, update the Inspectlet entry in your cookie table and privacy notice, document the change in your records of processing, and consider invalidating previously collected consents by bumping the consent banner version.