LogRocket is a session replay and frontend monitoring platform that records visitor interactions on a website or web application: DOM mutations, clicks, scrolls, form inputs, console logs, JavaScript errors, network requests and Redux or Vuex state. The JavaScript SDK is loaded from cdn.logrocket.io and sends batched recordings to LogRocket servers on AWS US regions by default. EU operators must collect prior opt-in consent under Article 5(3) of the ePrivacy Directive, configure aggressive PII masking, document the international transfer to the United States and, in most cases, run a DPIA.
LogRocket is a frontend monitoring and session replay platform developed by LogRocket Inc in Boston. It is loaded as a JavaScript SDK from cdn.logrocket.io and instruments the page to capture DOM mutations, user interactions (clicks, scrolls, typed inputs), console logs, JavaScript errors, network requests, Redux or Vuex state changes and performance metrics. The recording is batched in the browser and sent to LogRocket servers, where engineering and product teams can replay full sessions, group similar issues and correlate them with backend traces. LogRocket is widely used as a debugging tool but also offers product analytics and conversion funnel features.
LogRocket processes substantial behavioural data: every DOM mutation can capture the page content as the visitor sees it, every interaction records timing and target details, every network call exposes the request URL and headers, and every console log contains the application messages. Without aggressive configuration, the SDK can therefore capture personally identifiable information typed in forms, content displayed for a logged-in user, the visitor IP, the User Agent, and even special category data if the application happens to display it (medical records, banking details, religious or political content).
LogRocket is not strictly necessary to the requested service. The recording cannot rely on the exemption in Article 5(3) of the ePrivacy Directive and requires prior opt-in consent. The legal basis for the related processing is Article 6(1)(a) GDPR (consent), because legitimate interest does not survive the balancing test when systematic session monitoring on a large scale is involved, especially when special category data may be captured. Consent must be granular, freely given and as easy to refuse as to accept.
LogRocket Inc operates from the United States and processes session recordings on AWS US regions by default. EEA visitor data therefore crosses Chapter V GDPR boundaries. Transfers rely on the EU-US Data Privacy Framework (LogRocket is self-certified) and Standard Contractual Clauses, with a documented transfer impact assessment. Enterprise customers can subscribe to an EU data residency add-on that stores session recordings in AWS Frankfurt, although the control plane and the analytics layer remain operated from the US.
Enable LogRocket Privacy Mode and mass-mask all input fields, then explicitly allow the few inputs that are safe to record. Configure URL exclusions for sensitive pages (checkout, profile, health forms, customer support). Reduce the session retention to the shortest period necessary for debugging. Sign the LogRocket Data Processing Addendum, opt in to the EU data residency add-on where available, run a DPIA and disclose the processing in the privacy policy with a link to the LogRocket privacy terms. Consider safer alternatives such as Microsoft Clarity with EU residency, Datadog RUM with EU sites or self-hosted PostHog session replay for high-risk applications.
Websites using LogRocket must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for LogRocket in most EU deployments. Session replay is identified by the EDPB and the CNIL as a high-risk activity due to systematic monitoring on a large scale. The DPIA must document the consent mechanism, the PII masking configuration, the data minimisation measures, the international transfer to the United States, the EU data residency add-on if available, the retention of recordings, the access controls and the safer alternatives evaluated.
Sample consent text
We use LogRocket to record anonymised sessions in order to debug technical issues and improve our user experience. LogRocket processes DOM events, masked form inputs and network metadata, transferred to LogRocket Inc in the United States. The session replay only starts after you accept analytics and performance cookies, and you can withdraw your consent at any time from the cookie preferences panel.
Third-party domains contacted
r.logrocket.io, cdn.logrocket.io, app.logrocket.com, logrocket.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _logrocket_sid (localStorage) | first_party | Persistent | LogRocket unique session identifier stored in localStorage on the publisher domain. Allows the LogRocket SDK to attribute multiple page views to the same visitor recording. |
| _lr_uf_ | http | 12 months | Anonymous LogRocket visitor identifier used to stitch sessions together across page loads. |
| _lr_uf_-xxxxx (localStorage) | first_party | Persistent | LogRocket per project token used to authenticate the visitor recorder against the LogRocket ingest API. Stored in localStorage under the publisher domain. |
| lr_session | http | Session | Identifies the current LogRocket recording session and links it to the active user when the operator enables user identification. |
| _lr_session (cookie) | first_party | Session | Optional LogRocket session cookie set when the SDK is configured to use cookie based session attribution rather than localStorage. |
| lr_anon_id | http | 12 months | Anonymous identifier used by LogRocket when user identification is not enabled, to recognise the device across visits. |
LogRocket does not rely on classical cookies. It writes a unique session identifier (_logrocket_sid) and additional metadata in browser localStorage, plus a short-lived recorder token. Both constitute terminal storage access under Article 5(3) ePrivacy and require consent.
Yes. Session replay is treated as profiling by the CNIL, DSK, AEPD and Garante. Prior, freely given, specific, informed and unambiguous consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR is required before initialising the LogRocket SDK.
Consent under Article 6(1)(a) GDPR is the only lawful basis for LogRocket session replay. LogRocket Inc. is a processor under Article 28 GDPR. Legitimate interest is generally not available because the depth and intrusiveness of the recording outweigh any legitimate interest argument.
Yes by default. Session replay data is processed on AWS US regions. Enterprise customers can opt for EU residency in Frankfurt. LogRocket Inc. self-certifies under the EU-US Data Privacy Framework. Standard Contractual Clauses are included in the LogRocket DPA.
Yes. Session replay falls within the systematic monitoring criterion of Article 35(3)(c) GDPR. The DPIA should document the data captured, the masking rules, the retention period, the EU residency option, the legal basis and the mechanism used to obtain consent.
Sign the LogRocket DPA, opt for EU residency where possible, gate LogRocket.init() behind your consent management platform, enable default masking for password, payment and free text fields, configure a strict retention period, and surface DSAR mechanisms through the LogRocket privacy portal.
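The consent gate, input masking and sensitive-page exclusions described above, sketched as an added example (not FlowConsent's or LogRocket's own code). `createReplayGate`, `sanitizeRequest`, the path list and the consent object shape are assumptions; `shouldCaptureIP`, `dom.inputSanitizer`, `dom.textSanitizer` and `network.requestSanitizer` are LogRocket SDK init options.

```javascript
// Added example: the LogRocket SDK object is injected so the gate can run offline.
// Hypothetical names: createReplayGate, sanitizeRequest, SENSITIVE_PATHS.
const SENSITIVE_PATHS = [/^\/checkout/, /^\/profile/, /^\/health/, /^\/support/];

const isSensitive = (pathname) => SENSITIVE_PATHS.some((re) => re.test(pathname));

// Passed as network.requestSanitizer: returning null drops the request from the
// recording; otherwise credential headers and the body are stripped before upload.
function sanitizeRequest(request) {
  const path = new URL(request.url, "https://placeholder.invalid").pathname;
  if (isSensitive(path)) return null;
  const headers = { ...request.headers };
  for (const name of Object.keys(headers)) {
    if (/^(authorization|cookie|x-api-key)$/i.test(name)) delete headers[name];
  }
  return { ...request, headers, body: undefined };
}

function createReplayGate(sdk, appId) {
  let started = false;
  // consent: { analytics: boolean } as reported by the consent platform (assumed shape).
  return function onConsent(consent, pathname) {
    if (!consent || consent.analytics !== true) {
      // This sketch never tears the recorder down: after withdrawal the page
      // must be reloaded so that init() is simply not called again.
      return started ? "reload-required" : "blocked-no-consent";
    }
    if (started) return "already-started";
    if (isSensitive(pathname)) return "blocked-sensitive-page";
    sdk.init(appId, {
      shouldCaptureIP: false,
      dom: { inputSanitizer: true, textSanitizer: true }, // mask inputs and text
      network: { requestSanitizer: sanitizeRequest },
    });
    started = true;
    return "started";
  };
}
```

In a browser, pass the imported LogRocket object as `sdk` and call the returned function from the consent platform's change callback with `location.pathname`. A single-page app would also need to re-check the path on route changes, since this gate only decides at initialisation time.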
EU based session replay alternatives include Microsoft Clarity Frankfurt region, Mouseflow (Denmark), Smartlook (Czech Republic) and Inspectlet. Cookieless heatmap alternatives include Plerdy and Hotjar with masked inputs. None are zero risk: every session replay tool requires consent and a DPIA at scale.
Add a dedicated session replay section disclosing LogRocket, the localStorage keys _logrocket_sid and recorder token, the purpose (UX debugging), the retention period, the EU or US data residency, the EU-US Data Privacy Framework certification, and a link to the LogRocket privacy notice.