Mouseflow is a Danish behavioural analytics platform that records full user sessions, builds heatmaps, generates funnel reports, captures form analytics, and surfaces visitor feedback. The JavaScript tracker records mouse movements, clicks, scroll depth, and form interactions, replaying them as video-like session recordings. As a Danish (EU-headquartered) vendor with primary EU hosting, Mouseflow is a popular GDPR-friendly choice compared to US-based session-replay tools.
Mouseflow is a Danish behavioural analytics platform founded in 2009, headquartered in Aarhus. It records full user sessions, builds heatmaps (click, movement, scroll, attention), generates funnel and form analytics, and collects visitor feedback. The JavaScript tracker captures granular interaction events and replays them as video-like session recordings. Mouseflow is widely used by EU-focused product, growth, and UX teams who prefer an EU-based session-replay vendor over US peers (Hotjar US, FullStory US).
Per session: persistent visitor identifier (mf_user cookie), mouse trajectories, click coordinates, scroll position, keystroke events (excluding actual key values by default), form field interactions (masked by default for text inputs), URL, referrer, user agent, screen size, and (with replay) DOM snapshots used to reconstruct what was visible. IP addresses are processed for geo-attribution and can be truncated.
Session replay is one of the most consent-sensitive analytics technologies. The persistent visitor identifier qualifies as non-essential under ePrivacy and TTDSG, and the breadth of the behavioural capture (especially DOM snapshots) makes the consent requirement firm. Mouseflow provides extensive privacy controls (field masking, IP truncation, exclusion of specific URLs and elements) that should be configured before going live.
Mouseflow is a Danish company and primary processing is in EU AWS regions for EU customers. North American customers can opt for US residency. The cookieless mode (no persistent identifier) and the field masking defaults make Mouseflow a clearly EU-favourable choice. Subprocessors outside the EEA are documented in the DPA with relevant SCCs.
Sign the Mouseflow DPA, gate the Mouseflow tracker behind your CMP, enable field masking and IP truncation, exclude payment and checkout pages from recording, configure short retention for session recordings (Mouseflow default is 6 months, can be shortened), document the DPIA for session replay activity, and inform visitors clearly in the privacy notice.
Websites using Mouseflow must obtain user consent under GDPR regulations.
DPIA considerations
Mouseflow records full user sessions, including mouse trajectories, clicks, scroll, form interactions, and (with replay) what was visible on the page. Key DPIA considerations: (1) session recordings can incidentally capture special category data, payment data, or other sensitive content if not masked; (2) the persistent visitor identifier qualifies as non-essential under ePrivacy and TTDSG and requires consent; (3) Mouseflow provides field masking, IP truncation, and exclusion rules that significantly reduce the risk if properly configured; (4) EU hosting and Danish controller jurisdiction simplify the compliance posture compared to US peers; (5) session recordings stored on the platform must be subject to retention limits and access controls.
Sample consent text
We use Mouseflow, a Danish behavioural analytics platform, to record anonymised user sessions and build heatmaps that help us understand how visitors interact with our pages. Mouseflow sets a first-party visitor identifier cookie and records mouse, click, scroll, and form interactions; we have configured field masking for all sensitive form fields and IP truncation. Mouseflow is loaded only after you have accepted analytics cookies.
Third-party domains contacted
mouseflow.com, www.mouseflow.com, app.mouseflow.com, cdn.mouseflow.com, eu.mouseflow.com, mf-cdn.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| mf_user | Analytics / Identification | 1 year | First-party persistent visitor identifier used by Mouseflow to associate page views, mouse movements, and form interactions with a unique visitor across sessions. |
| mf_*_session | Analytics / Session | Session | Short-lived session identifiers used to group recorded events into a single Mouseflow session record for replay and analysis. |
| mf_*_pageview | Analytics / Functional | Session | Tracks the current page view within a Mouseflow session, used to attribute events to the correct URL when the visitor navigates the site. |
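
To check that the tracker really is gated behind the CMP, a page-load capture can be audited for Mouseflow requests or cookies that appear before analytics consent is granted. The following is an added example, not code from Mouseflow or from this page's author; the domains and cookie names come from the lists above, while the event format, the `PLACEHOLDER` project id and the sample capture are assumptions constructed for illustration.

```javascript
// Added example: flag Mouseflow activity that happens before analytics consent.
// Domains and cookie patterns are taken from the lists on this page.
const MOUSEFLOW_DOMAINS = ["mouseflow.com", "mf-cdn.com"]; // subdomains match too
const MOUSEFLOW_COOKIES = [/^mf_user$/, /^mf_.+_session$/, /^mf_.+_pageview$/];

function isMouseflowHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // Match on a label boundary so "notmouseflow.com" does not count.
  return MOUSEFLOW_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// events (assumed shape): { t: ms since navigation, type: "request" | "cookie" | "consent", ... }
function auditPreConsent(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const grant = sorted.find((e) => e.type === "consent" && e.analytics === true);
  const consentAt = grant ? grant.t : Infinity; // never granted: everything is pre-consent
  const findings = [];
  for (const e of sorted) {
    if (e.t >= consentAt) break;
    if (e.type === "request") {
      let host;
      try { host = new URL(e.url).hostname; } catch { continue; } // skip malformed URLs
      if (isMouseflowHost(host)) findings.push({ t: e.t, kind: "request", detail: host });
    } else if (e.type === "cookie" && MOUSEFLOW_COOKIES.some((re) => re.test(e.name))) {
      findings.push({ t: e.t, kind: "cookie", detail: e.name });
    }
  }
  return findings;
}

// Constructed sample capture: the tracker loads and sets mf_user before the banner is answered.
const SAMPLE_EVENTS = [
  { t: 120, type: "request", url: "https://cdn.mouseflow.com/projects/PLACEHOLDER.js" },
  { t: 180, type: "cookie", name: "mf_user" },
  { t: 200, type: "request", url: "https://notmouseflow.com/x.js" },
  { t: 900, type: "consent", analytics: true },
  { t: 950, type: "request", url: "https://eu.mouseflow.com/" },
  { t: 960, type: "cookie", name: "mf_abc_session" },
];

console.log(auditPreConsent(SAMPLE_EVENTS));
```

An empty result means no Mouseflow domain was contacted and no `mf_*` cookie was set before the consent event in that capture.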
Mouseflow sets the mf_user cookie (first-party, ~1 year) for persistent visitor identification, plus short-lived session cookies (e.g., mf_*_session) to group events. In cookieless mode, the persistent identifier is not stored.
Yes. The persistent visitor identifier and the breadth of behavioural capture qualify as non-essential under ePrivacy and TTDSG. Mouseflow must be loaded only after explicit consent.
Consent (Art. 6(1)(a) GDPR) for the session recording and heatmap module. Legitimate interest can be considered only in tightly anonymised configurations (cookieless, no IP, no DOM snapshots), with a documented LIA.
For EU customers, no by default: Mouseflow processes data in EU AWS regions. North American customers may choose US residency. Subprocessors outside the EEA are documented in the DPA with SCCs.
Yes. Session replay is a high-risk processing activity according to most EU DPAs (CNIL, ICO, datenschutzbeauftragter Hessen). Document a DPIA covering the masking configuration, retention, access control, and lawful basis.
Sign the Mouseflow DPA, gate the tracker behind your CMP, enable default field masking and IP truncation, exclude payment and checkout pages from recording, shorten the retention period, document a DPIA, and inform visitors in the privacy notice.
EU-based session replay and heatmap alternatives: Contentsquare (France, big enterprise), AB Tasty (France), Heap EU residency, Hotjar (UK/Finland with US transfers), Microsoft Clarity (US, free), and self-hosted options like OpenReplay or PostHog Session Replay.
List the mf_user cookie and any session cookies in the analytics section of the cookie policy. Specify the controller (Mouseflow ApS, Denmark), the EU hosting, and the CMP toggle to refuse the tracker. Inform visitors about session recording in plain language.