Quantum Metric is a US-based digital experience analytics platform used primarily by large enterprises in retail, banking, travel, and telecom. It captures every interaction on web and mobile apps to enable session replay, friction detection, anomaly alerting, and revenue impact quantification. Because the service involves systematic, large-scale monitoring with potential transfers to the US, deploying it on EU traffic requires consent under the GDPR and the ePrivacy Directive, plus a Schrems II transfer assessment.
Quantum Metric is a continuous product intelligence platform founded in 2015 and headquartered in Colorado Springs. It captures every web and mobile interaction in real time and quantifies the revenue impact of friction points, errors, and abandoned journeys. Customers include large retailers, airlines, banks, and telcos.
Tracking is implemented through a single JavaScript SDK (qtm.js) on the web and native SDKs on mobile. The SDK captures DOM mutations, network requests, JavaScript errors, and user interactions, then streams them to Quantum Metric tenants on AWS.
Quantum Metric processes the visitor IP, device characteristics, geolocation, page URL, referrer, mouse movements, clicks, scroll, form input, file upload metadata, and JavaScript errors. Session replays reconstruct the visible page state from DOM mutations, which can include any visible personal data unless masked.
Masking is configurable: automatic input field masking, CSS class-based masking (qm allow, qm block, qm encrypt), and server-side redaction. The default safe posture is to mask everything and then explicitly whitelist non-sensitive elements.
Quantum Metric Inc. is a US processor for customer data. The default deployment transfers data to AWS US under SCCs and the EU US Data Privacy Framework. EU regions (Ireland, Frankfurt) are available on enterprise contracts and must be explicitly requested. A Transfer Impact Assessment is required even when EU residency is selected, because Quantum Metric staff in the US may access data for support.
On cookies, the SDK is not strictly necessary, so Art. 5(3) ePrivacy and §25 TTDSG require prior consent before any cookie or capture starts. For full session replay, consent is also the safest Art. 6 basis.
Quantum Metric integrates AI capabilities (Felix AI) that summarise sessions, surface anomalies, and suggest optimisations. These features may rely on third-party LLM backends, which must be documented as sub-processors, and the features must be assessed under Art. 22 GDPR if their outputs feed automated decisions about users.
For regulated services, the AI features must be reviewed against sector specific rules (DORA for finance, NIS2 for critical infrastructure, AI Act risk classification once applicable).
Defer the Quantum Metric SDK until the visitor has accepted the Analytics or Marketing category in your CMP. The banner must explicitly name Quantum Metric, describe the session capture purpose, and link the Quantum Metric privacy notice.
Configure the SDK with a strict default (block all) plus explicit qm allow on safe elements. For pages containing health, financial, or government identification data, set retention to the minimum (often 7 to 30 days) and disable AI training on those sessions.
Negotiate EU residency where feasible, sign the DPA and SCCs, document the chain of sub processors (AWS, LLM providers, support tooling). Configure default masking with explicit allow lists. Defer the SDK until consent. Run a DPIA covering masking, retention, automated decisions, and AI features.
Review the configuration after every product launch: new flows often introduce new form fields that may not be masked by default. Provide a clear opt out and honour Global Privacy Control signals.
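The deferral and Global Privacy Control steps above, sketched as an added example that is not Quantum Metric or CMP vendor code. The shape of the `consent` object, the `SDK_URL` placeholder and the `fakeDocument` stub are assumptions, and treating a GPC signal as a refusal is this example's policy choice.

```javascript
// Added example (not vendor code): gate a session-replay SDK tag on consent and GPC.
// Cookie names are the ones listed on this page; SDK_URL is a placeholder.
const REPLAY_COOKIES = ["QSI_HistorySession", "QSI_S_ZN", "qtm_session", "qtm_visitor"];
const SDK_URL = "https://example.invalid/PLACEHOLDER-sdk.js"; // replace with your tenant's tag URL

// Decide whether capture may start. `consent` is a hypothetical CMP state object,
// e.g. { analytics: true, marketing: false }. Assumption: a GPC signal overrides it.
function mayLoadReplaySdk(consent, nav) {
  if (nav && nav.globalPrivacyControl === true) return false;
  return Boolean(consent && (consent.analytics === true || consent.marketing === true));
}

// Parse a document.cookie string and return the replay cookies that are present.
function replayCookiesPresent(cookieString) {
  const names = (cookieString || "")
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter(Boolean);
  return REPLAY_COOKIES.filter((name) => names.includes(name));
}

// Inject the SDK only when allowed; otherwise report cookies that should not exist yet.
function applyConsent(consent, nav, doc, sdkUrl = SDK_URL) {
  if (!mayLoadReplaySdk(consent, nav)) {
    return { loaded: false, unexpectedCookies: replayCookiesPresent(doc.cookie) };
  }
  if (!doc.querySelector(`script[src="${sdkUrl}"]`)) { // avoid double injection
    const tag = doc.createElement("script");
    tag.src = sdkUrl;
    tag.async = true;
    doc.head.appendChild(tag);
  }
  return { loaded: true, unexpectedCookies: [] };
}

// Constructed stand-in for `document`, so the logic can be exercised outside a browser.
function fakeDocument(cookie = "") {
  const scripts = [];
  return {
    cookie,
    head: { appendChild: (el) => scripts.push(el) },
    createElement: () => ({}),
    querySelector: (sel) => scripts.find((s) => sel.includes(s.src)) || null,
    scripts,
  };
}
```

A non-empty `unexpectedCookies` on a visitor who has not consented means some other tag or a cached bundle started capture before the gate ran, which is the regression the post-release review is meant to catch.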
Websites using Quantum Metric must obtain user consent under GDPR regulations.
DPIA considerations
Quantum Metric performs continuous capture of user interactions on web and mobile, often on regulated services. Key DPIA considerations: (1) the SDK records the full DOM, mouse, keyboard, and form input; unless masking is configured globally, special category data (Art. 9 GDPR) can be captured; (2) Quantum Metric is a US controller; SCCs and a TIA are mandatory for transfers, and EU data residency must be negotiated explicitly; (3) the platform builds individual replay timelines that, when combined with backend identifiers, become rich profiles requiring an Art. 22 review; (4) AI driven anomaly detection introduces automated processing risks; (5) retention defaults (30 to 90 days) must be reviewed against data minimisation; (6) financial services deployments raise PCI DSS scope concerns for cardholder data masking; (7) sub processor chain includes AWS US and third party LLM providers for the AI features, which must be assessed separately.
Sample consent text
We use Quantum Metric to record and replay anonymised sessions on our website, identify friction in user journeys, and improve the experience. With your consent, Quantum Metric sets cookies and captures your interactions with the page. Sensitive fields are automatically masked at the SDK level. Recordings are transferred to Quantum Metric servers under Standard Contractual Clauses (or to our EU region when applicable). You can refuse this recording at any time without losing access to our services.
Third-party domains contacted
quantummetric.com, cdn.quantummetric.com, api.quantummetric.com, sdk.quantummetric.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| QSI_HistorySession | Analytics | Session | Maintains the Quantum Metric session identifier across the same browsing session for session replay reconstruction. |
| QSI_S_ZN | Analytics | 1 year | Persistent visitor identifier used to stitch sessions to the same digital experience profile in Quantum Metric. |
| qtm_session | Analytics | Session | Alternate session identifier set under the Quantum Metric branded namespace, with the same role as QSI_HistorySession. |
| qtm_visitor | Analytics | 1 year | Alternate persistent visitor identifier under the Quantum Metric branded namespace. |
Quantum Metric writes first party cookies on your domain, primarily QSI_HistorySession (session identifier, session lifetime), QSI_S_ZN (visitor ID, ~1 year), and qtm_session and qtm_visitor in some configurations. The SDK also writes to localStorage and IndexedDB to queue captured events between page reloads. None of these are strictly necessary.
Yes for any EU traffic. The cookies and SDK are not strictly necessary under Art. 5(3) ePrivacy and §25 TTDSG, so prior informed consent is required. Because the platform records detailed personal data (potentially including special category data unless masked), consent is also the safest Art. 6 GDPR basis. Legitimate interest is generally not defensible for full session replay on consumer traffic.
Consent (Art. 6(1)(a) GDPR) is the default safe basis. In B2B settings or employee facing portals, legitimate interest (Art. 6(1)(f)) is conceivable provided masking is exhaustive and a documented balancing test exists. The chosen basis must appear in the privacy notice and the DPIA.
By default, yes. Data is processed on Quantum Metric infrastructure in the United States (AWS). EU regions (Ireland or Frankfurt) are available for enterprise customers but must be explicitly negotiated. Transfers rely on EU SCCs (Modules 2 and 3) and the EU US Data Privacy Framework, and require a documented Transfer Impact Assessment.
Yes, in nearly all EU deployments. Quantum Metric performs systematic large scale monitoring of users on consumer or business services. The DPIA must document masking, retention, sub processors (AWS US, LLM providers for AI features), residency, automated decisions, and data subject rights workflow.
Negotiate the EU region in the contract. Sign the DPA, the EU SCCs, and a Transfer Impact Assessment. Configure default block masking, then add qm allow attributes to safe elements. Defer the SDK until consent. Document the AI sub processor stack. Train product teams to test masking after each release.
Enterprise alternatives: Glassbox (Israel and UK), Contentsquare (France), FullStory (US, with EU residency), Decibel (US, now part of Medallia), Dynatrace Real User Monitoring. Open-source / self-hosted: PostHog, OpenReplay. Quantum Metric's differentiators are its revenue impact quantification and the Felix AI session summarisation features.
List the Quantum Metric cookies (QSI_HistorySession, QSI_S_ZN, qtm_session, qtm_visitor) with provider (Quantum Metric Inc., United States), purpose (digital experience analytics and session replay), lifetime, and category (Analytics). Disclose session replay, masking configuration, retention, and data residency. Link the Quantum Metric privacy policy and provide a clear opt out.