Plerdy is a website conversion and user behaviour analytics platform that combines heatmaps, session recordings, form analytics, SEO checks, and feedback widgets. It was founded in Ukraine in 2017 and now offers EU data residency in Frankfurt for European customers. Because it records on-page interactions and uses persistent visitor cookies, deploying Plerdy on EU traffic requires user consent under the GDPR and the ePrivacy Directive.
Plerdy is a website behaviour analytics suite that bundles heatmaps, click maps, session video recordings, form analytics, on-page SEO checks, and feedback widgets in one tool. Founded in Kyiv in 2017, Plerdy now operates regional data centres in the European Union and the United States, allowing EU customers to keep data within Frankfurt.
Tracking is implemented through a single JavaScript snippet served from plerdy.com. Once loaded, the script writes visitor identification cookies, captures DOM interactions, and streams them to Plerdy's backend servers.
On every tracked page, Plerdy collects the visitor's IP address, browser User-Agent, screen resolution, current URL, referrer, click coordinates, scroll depth, hover events, and form interactions. For session recordings, all DOM mutations are captured so that the session can be reconstructed as a replayable video.
Visitor identification relies on persistent cookies (_plerdyVisitorId, plerdy_uid) typically valid for 1 year, plus localStorage entries that hold queued events and session state. Plerdy supports automatic masking of input fields and manual data privacy class names (plerdy mask, plerdy ignore) that exclude elements from recording.
Plerdy LLC acts as a processor under Art. 28 GDPR. EU customers should explicitly select the Frankfurt region at account creation; otherwise data may be transferred to US servers under Standard Contractual Clauses. A signed Data Processing Agreement is required and should be referenced in your Records of Processing Activities (Art. 30 GDPR).
Because Plerdy cookies and recordings are not strictly necessary for the website itself, they fall under Art. 5(3) ePrivacy and §25 TTDSG: prior informed consent is required. Legitimate interest can be considered for aggregated, non-identifying heatmap data only, with a documented balancing test and full transparency. For session recordings, consent is essentially mandatory due to the volume of personal data captured.
Inject the Plerdy script only after the visitor has accepted the Analytics or Marketing category in your consent management platform. Configure the Plerdy account to automatically mask all input fields, then add plerdy ignore CSS classes to any element that might contain sensitive data (health information, payment details, government identifiers).
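A sketch of the deferral described above, together with a check that nothing Plerdy-related appears before consent. It is an added example, not Plerdy's or any consent platform's own code; the consent object shape, the function names, and the sample input are assumptions.

```javascript
// Added example. Cookie names and hosts are taken from this page's lists;
// the consent object shape ({ analytics: true }) is an assumption.
const PLERDY_COOKIES = ["_plerdyVisitorId", "plerdy_uid", "plerdy_jail", "plerdyExternalUserId"];
const PLERDY_HOSTS = ["plerdy.com", "a.plerdy.com", "static.plerdy.com", "api.plerdy.com"];

// Gate: update() runs `inject` at most once, and only after analytics consent.
// In a browser, `inject` would append the tracking snippet copied from the
// Plerdy dashboard; it is passed in so the gate itself has no DOM dependency.
function createConsentGate(inject) {
  let loaded = false;
  return {
    update(consent) {
      if (loaded || !consent || consent.analytics !== true) return false;
      loaded = true;
      inject();
      return true;
    },
    isLoaded: () => loaded,
  };
}

// Audit: list Plerdy cookies and requests observed while consent is absent.
// cookieString is a document.cookie / Cookie header value; requestedUrls is
// a list of URLs, for example exported from a HAR capture of a first visit.
function auditPreConsent(cookieString, requestedUrls, consent) {
  if (consent && consent.analytics === true) return [];
  const findings = [];
  for (const pair of cookieString.split(";")) {
    const name = pair.split("=")[0].trim();
    if (PLERDY_COOKIES.includes(name)) findings.push({ type: "cookie", value: name });
  }
  for (const url of requestedUrls) {
    let host;
    try { host = new URL(url).hostname.toLowerCase(); } catch { continue; }
    if (PLERDY_HOSTS.includes(host) || host.endsWith(".plerdy.com")) {
      findings.push({ type: "request", value: host });
    }
  }
  return findings;
}

// Constructed sample: a first page view where the tracker fired before the banner.
const sampleFindings = auditPreConsent(
  "_plerdyVisitorId=abc123; theme=dark",
  ["https://a.plerdy.com/constructed-path", "https://example.org/app.js"],
  { analytics: false }
);
console.log(sampleFindings);
```

An empty result from the audit on a fresh, no-consent page load is the condition to assert in a release check.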
For pages handling special categories of data (Art. 9 GDPR), disable session recording entirely and keep only aggregated heatmaps with all input masking enabled. Document the masking configuration in your DPIA.
Plerdy relies on AWS for primary storage (region depends on account region selected) and on Cloudflare for CDN and DDoS protection. The Cloudflare layer terminates TLS on global edge nodes, which can mean transit through third-country infrastructure even for EU accounts. This must be documented in the transfer impact assessment.
Maintain an up-to-date list of Plerdy sub-processors in your privacy notice. Plerdy publishes the list and notifies customers of changes; you must propagate these notifications to data subjects when relevant.
Choose the Frankfurt region for EU traffic. Sign the DPA. Add Plerdy to your RoPA. Enable automatic input masking and add plerdy ignore to any sensitive element. Defer the Plerdy script until consent is granted. Document the legal basis (consent) and the data residency choice in your privacy policy.
Set an explicit retention period for recordings (typically 30 to 90 days) and configure automatic deletion. For multi-country deployments, document each region's usage and review the TIA at least annually.
Websites using Plerdy must obtain user consent under GDPR regulations.
DPIA considerations
Plerdy combines heatmap collection, session video recordings, click maps, form analytics, and on-page feedback widgets. Key DPIA considerations: (1) session recordings replay mouse, scroll, keyboard, and form input interactions and may capture personal data (including special category data) when input fields are not masked; (2) Plerdy provides per-element masking and automatic input field masking, but these must be explicitly enabled; (3) the platform writes persistent visitor cookies (typically 1 year) that, combined with the IP address, constitute personal data and enable cross-session re-identification; (4) data residency is configurable: EU customers must explicitly select Frankfurt to avoid US transfers; (5) Plerdy uses sub-processors (AWS, Cloudflare) that may extend the processing chain into third countries; (6) the on-page feedback widget collects free-text input which may include identifying information or special category data; retention must be reviewed.
Sample consent text
We use Plerdy to understand how visitors interact with our pages (heatmaps, click maps, scroll depth, session recordings). With your consent, Plerdy sets cookies and records anonymised interactions with the page, then sends them to its servers in the European Union under a Data Processing Agreement. Sensitive form fields are automatically masked. You can decline at any time without losing access to our services.
Third-party domains contacted
plerdy.com, a.plerdy.com, static.plerdy.com, api.plerdy.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _plerdyVisitorId | Analytics | 1 year | Persistent visitor identifier. Links sessions to the same visitor for heatmap, click map and recording reports. |
| plerdy_uid | Analytics | 1 year | User identifier passed to the Plerdy backend to stitch sessions and recordings to a single profile. |
| plerdy_jail | Functional | Session | Tracks whether the current session is being recorded to avoid duplicate recordings on the same visit. |
| plerdyExternalUserId | Analytics | 1 year | Stores an externally provided user identifier (set by the website owner) to correlate Plerdy recordings with customer profiles. |
The main first-party cookies are _plerdyVisitorId (persistent visitor ID, ~1 year), plerdy_uid (user identifier, 1 year), and several session and configuration cookies generated by the tracker. LocalStorage entries hold queued events, session timing, and the visitor token. None of these are strictly necessary for the website itself, so all of them require consent.
Yes, for any EU traffic. Plerdy cookies and behavioural data collection are not strictly necessary, so Art. 5(3) ePrivacy and §25 TTDSG require prior informed consent. Session recordings in particular collect a wide range of personal data and should always be presented as a separate consent purpose, distinct from anonymous aggregated analytics.
Consent is the safe basis for both visitor tracking cookies and session recordings. For purely aggregated, non-identifying heatmap snapshots (no individual replay, no IP, no fingerprint), legitimate interest can be considered with a documented balancing test, although consent remains preferable. The chosen basis must be reflected in your privacy notice.
It depends on the region selected. EU accounts hosted in Frankfurt keep data within the EU for the core service. Cloudflare CDN may still route traffic through global edge nodes. US accounts transfer data to AWS US under Standard Contractual Clauses. Verify your account region in the Plerdy dashboard and reflect the choice in your privacy notice.
A DPIA is generally recommended when session recordings are enabled because the EDPB classifies systematic monitoring and reproduction of user interactions as high-risk processing. The DPIA must cover the masking configuration, the retention period, the sub-processors used, the residency choice, and the user rights workflow (access, deletion).
Sign the DPA, select EU residency, enable automatic input masking, add plerdy ignore CSS classes to all sensitive elements, defer the script until consent, document the chain of sub-processors, and configure an explicit retention period. For pages handling special category data, disable session recording and keep only aggregated heatmaps.
EU-based alternatives: Mouseflow (Denmark), Smartlook (Czech Republic), Contentsquare (France), Hotjar with EU data residency. Open-source / self-hosted: PostHog (self-hosted), Matomo Heatmaps and Session Recording add-on. Plerdy's main differentiator is the bundling of heatmaps with SEO checks and on-page feedback in a single product.
List each Plerdy cookie with name (_plerdyVisitorId, plerdy_uid), provider (Plerdy LLC), purpose, lifetime, and category. Disclose the heatmap and session recording features explicitly. Indicate the data residency selected (Frankfurt or US). Mention any sub-processors that may receive personal data and provide a link to the Plerdy privacy policy.