Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Bugsnag (now part of SmartBear Insight Hub) is a popular error monitoring platform for web, mobile and backend applications. It collects exception payloads, stack traces and breadcrumbs to help engineering teams diagnose and fix bugs. Bugsnag offers both US and EU regions; selecting the EU region keeps primary processing within the EU. Standard error monitoring relies on legitimate interest, but attaching personal user identifiers warrants extra care.
Bugsnag is an error monitoring and stability platform launched in 2013 and now part of SmartBear Insight Hub. SDKs are available for JavaScript, Node.js, Ruby, Python, PHP, .NET, Java, Go, iOS, Android and React Native. The platform groups exceptions, computes stability scores per release and integrates with Slack, Jira and modern CI/CD tooling.
Bugsnag does not set cookies on the publisher website by default. Each error event sent to Bugsnag includes the exception class and message, the stack trace, breadcrumbs (recent navigation, console logs, custom events), the app version, the device or runtime information, the request URL and the IP address of the originating request. Optional fields include the user identifier, email and any custom metadata attached by the developer.
Crash reporting strictly necessary to maintain the service can rely on legitimate interest (Art. 6(1)(f) GDPR). When the SDK runs in the browser and captures user input through breadcrumbs, or when persistent user identifiers are attached, you should reassess the balancing test and consider obtaining consent for the optional pieces. No client side cookies are set by default, so no Art. 5(3) ePrivacy banner is required for the basic SDK.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Bugsnag offers two regions: the default US region (notify.bugsnag.com) and the EU region (notify.eu.bugsnag.com, sessions.eu.bugsnag.com). Choose the EU region for European customers and verify the configured Notifier endpoint in your SDK init. SmartBear publishes Standard Contractual Clauses in the Bugsnag DPA for transfers and retains the right to access logs from the US for support, which should be assessed in your TIA.
Sign the Bugsnag (SmartBear) DPA. Configure the EU Notifier endpoints. Use the SDK redact filters to scrub authorisation headers, cookies, payment data and other sensitive fields from breadcrumbs and metadata. Avoid attaching email or full names to user identifiers; prefer hashed pseudonymous IDs. Mention Bugsnag in your privacy notice with the legitimate interest basis, the EU region and the Standard Contractual Clauses for any residual US transfer.
Websites using Bugsnag must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard backend error monitoring with Bugsnag. It can be relevant when the SDK runs in the browser, captures user input via breadcrumbs and is combined with persistent user identifiers, especially on the US region.
Sample consent text
We use Bugsnag (SmartBear Software, Inc.) to detect and fix errors. Crash reports including stack traces, application context and limited device information are processed under our legitimate interest in maintaining a secure and reliable service. EU customer data is processed in our EU region.
Third-party domains contacted
notify.bugsnag.comsessions.bugsnag.comnotify.eu.bugsnag.comsessions.eu.bugsnag.comapp.bugsnag.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| no_cookies_set | first_party | N/A | Bugsnag SDK does not set cookies on the publisher site by default. Error events are sent server side or via XHR without persistent client storage. |
Bugsnag collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Bugsnag does not set cookies on the publisher website by default. Error events are sent server side or via XHR without persistent client storage. The dashboard at app.bugsnag.com sets first party cookies, but those only affect logged in engineers, not your end users.
In most cases no banner is required because Bugsnag does not set cookies on the publisher site and only collects data needed to detect and fix errors. Consent becomes relevant when the SDK runs in the browser, captures user input through breadcrumbs and is combined with persistent user identifiers.
Crash reporting strictly necessary to maintain the service relies on legitimate interest (Art. 6(1)(f) GDPR). Optional features that attach personal user identifiers, capture form input or store extensive request payloads should be re evaluated and may require consent.
By default the SDK posts to the US Notifier endpoint (notify.bugsnag.com). Bugsnag also offers an EU region (notify.eu.bugsnag.com, sessions.eu.bugsnag.com) which keeps primary processing in the EU. Choose the EU region for European customers and verify the configured Notifier endpoint in the SDK init.
A DPIA is generally not required for standard backend error monitoring. It can be relevant when the SDK runs in the browser, captures user interactions and is combined with persistent user identifiers, especially on the US region.
Sign the Bugsnag (SmartBear) DPA. Configure the EU Notifier endpoints. Use the SDK redact filters to scrub authorisation headers, cookies, payment data and other sensitive fields. Avoid attaching email or full names to user identifiers; prefer pseudonymous hashed IDs. Mention Bugsnag in your privacy notice with legitimate interest and the EU region.
EU based or EU friendly alternatives include Sentry (with EU region), GlitchTip (open source, self hostable in the EU), Honeybadger (US but with strong redaction defaults) and self hosted Rollbar. Selecting the EU region or a self hosted option avoids transfers entirely.
State that Bugsnag (SmartBear Software, Inc.) is a processor for application error monitoring. Describe the categories of data sent in error events (stack traces, breadcrumbs, application context, IP address), the legitimate interest basis, the EU region (when configured) and the SCC reference for any residual US transfer.