Sentry is an application monitoring platform for error tracking, performance monitoring, and debugging. It captures exceptions, stack traces, breadcrumbs, and optionally user context (email, username) to help developers diagnose issues. The core error tracking function can rely on legitimate interest. However, Sentry commonly captures personal data accidentally in error events (email addresses in URLs, user objects in stack traces) — careful scrubbing configuration is essential for GDPR compliance. EU data storage is available on paid plans.
Sentry, operated by Functional Software Inc., is the open core application monitoring platform used by more than 100,000 organisations to capture exceptions, performance traces, profiling data and Session Replay on web, mobile and backend stacks. The product is available as Sentry SaaS in two regions (United States and European Union with the de.sentry.io endpoint) and as Sentry Self Hosted under the BSL license.
Backend Sentry SDKs (Python, Node, Java, PHP, Go) do not set any cookie because they run on the server. The browser SDK (@sentry/browser, @sentry/react, @sentry/vue) writes the entries sentryReplaySession and sentryReplayLastActivity in sessionStorage to keep the session id, plus the cookie sentry_session on the Sentry domain (de.sentry.io or us.sentry.io) when Session Replay sends data. The error payload submitted on each crash contains the stack trace, page URL, viewport, navigator user agent and visitor IP (truncated to /24 IPv4 or /48 IPv6 by Sentry default).
Backend Sentry can rely on legitimate interest (GDPR art. 6(1)(f)) because no personal visitor data is processed by default and the controller has a clear interest in keeping its software working. The browser SDK and Session Replay process the visitor IP and detailed behaviour; consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) is required before loading them. The CNIL recognises observability tools as an analytics related use, but the exemption only applies when no personal data is transmitted to a third party and when the retention is capped, which Sentry by default does not respect.
Sentry launched its EU region (de.sentry.io) in 2023, hosted on AWS Frankfurt. Customer error payloads, performance traces and Session Replay frames stay in Germany; only operational metadata (billing, support tickets, abuse detection) is processed in the United States. Functional Software Inc. is certified under the EU US Data Privacy Framework since 19 September 2023, and the Sentry DPA incorporates the EU Standard Contractual Clauses (module 2). Customers on the US region should perform a TIA and document supplementary measures.
Choose the EU region when creating the Sentry organisation. Enable IP truncation and disable user identification (setUser) unless you have a legal basis. Mask sensitive fields in Session Replay via maskAllText, maskAllInputs and blockAllMedia. Cap retention to 30 days for replays and 90 days for events through the Sentry Data Scrubbing and Retention settings. Document Sentry in your records of processing (GDPR art. 30) and trigger a DPIA when Session Replay is enabled or when special categories of data (health, payments) may end up in stack traces.
Open source self hosted alternatives are GlitchTip (fork of Sentry server, MIT license), Bugsink, Rollbar, Highlight.io and OpenTelemetry combined with a self hosted backend. Commercial competitors include Datadog APM (US), New Relic (US), Honeybadger and Bugsnag (now SmartBear, US).
Websites using Sentry must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for error monitoring alone. Session Replay deserves a DPIA when used at scale because it captures user interactions; document masking and retention.
Sample consent text
We use Sentry, an application monitoring platform, to capture errors and performance issues so we can fix them quickly. Backend Sentry runs on our servers without any cookie or visitor data. The browser Sentry SDK is only loaded after you accept the technical category in our cookie preferences; it stores a session id in localStorage and may report your IP address, browser, page URL and a short breadcrumb trail to Sentry in the European region (Frankfurt). When Session Replay is activated, additional masked DOM mutations are recorded for 10 seconds before and after each error.
Third-party domains contacted
sentry.io, ingest.sentry.io, browser.sentry-cdn.com, o0.ingest.sentry.io, ingest.de.sentry.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sentrysid | session | Session | Sentry session identifier for grouping browser errors and performance events within a single session |
| sentry-session-id | In memory (Sentry SDK) | Tab session | Volatile identifier used by the SDK to group events from the same browser tab. |
| sentryReplaySession | sessionStorage (Sentry Replay) | Tab session | Stores the active replay identifier when Session Replay is enabled. |
Legitimate interest (Art. 6(1)(f)) for operational error monitoring. However, this requires data minimisation — Sentry should be configured to capture only technical data necessary for debugging, not personal data. The balancing test supports error monitoring as proportionate to the operational benefit.
Configure data scrubbing in Sentry Settings, Security and Privacy: add sensitive fields (email, password, token, ssn, credit_card) to the data scrubber. In your SDK, use the before_send hook to filter PII from events. Set send_default_pii: false in your SDK configuration. Disable request body capture for forms.
Yes. Sentry session replay records individual user interactions and requires consent under the ePrivacy Directive and CNIL guidelines. Block session replay until analytics consent is obtained, or implement it only for authenticated users with an appropriate legal basis.
Yes, for customers on paid plans. In Sentry account settings, select the EU data storage region. This stores all error events and performance data within the EU. Standard (free tier) accounts use US infrastructure requiring SCCs.
Common accidental PII captures: email addresses in URL query parameters (e.g. /[email protected]), user objects serialised in JavaScript errors, request headers containing authentication tokens, POST body data from forms, error messages containing user input. Configure scrubbing for all these patterns.
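The scrubbing described in the two answers above (the before_send hook and the accidental PII patterns), as an added example that is not code from this page or from Sentry. It assumes the event is a dict with `request`, `user` and `exception.values` keys; the header list, the `[Filtered]` mask, keeping an opaque user id and the `sample_event` data are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_KEYS = {"email", "password", "token", "ssn", "credit_card"}  # from the page
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}  # assumed list
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MASK = "[Filtered]"

def scrub_text(text):
    """Mask e-mail addresses embedded in free text (paths, error messages)."""
    return EMAIL_RE.sub(MASK, text) if isinstance(text, str) else text

def scrub_query(query):
    """Mask values of sensitive parameter names and any e-mail-shaped value."""
    pairs = [(k, MASK if k.lower() in SENSITIVE_KEYS else scrub_text(v))
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs, safe="[]")  # keep the mask readable

def scrub_url(url):
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=scrub_text(parts.path),
                                     query=scrub_query(parts.query)))

def before_send(event, hint):
    """Pass as sentry_sdk.init(..., send_default_pii=False, before_send=before_send)."""
    req = event.get("request") or {}
    if isinstance(req.get("url"), str):
        req["url"] = scrub_url(req["url"])
    if isinstance(req.get("query_string"), str):
        req["query_string"] = scrub_query(req["query_string"])
    if isinstance(req.get("headers"), dict):
        req["headers"] = {k: MASK if k.lower() in SENSITIVE_HEADERS else v
                          for k, v in req["headers"].items()}
    for key in ("data", "cookies"):  # drop form/POST bodies and cookies
        req.pop(key, None)
    if "user" in event:  # keep only an opaque id so events still group
        uid = (event["user"] or {}).get("id")
        event["user"] = {"id": uid} if uid is not None else {}
    for exc in (event.get("exception") or {}).get("values", []):
        exc["value"] = scrub_text(exc.get("value"))
    return event

def sample_event():
    """Constructed event shaped like a Sentry error payload (not real data)."""
    url = "https://app.example.com/reset/alice@example.com?email=bob%40example.com&page=2"
    return {"request": {"url": url, "data": {"password": "hunter2"},
                        "headers": {"Authorization": "Bearer abc123", "User-Agent": "Mozilla/5.0"}},
            "user": {"id": "u-1842", "email": "alice@example.com"},
            "exception": {"values": [{"value": "No account for alice@example.com"}]}}
```

The hook runs inside the application before the event is transmitted, so values it masks never reach Sentry; the server-side data scrubber then acts as a second layer.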
Sentry provides an API for deleting all events associated with a specific user using the user identifier set in the SDK. Call DELETE /api/0/projects/{org}/{project}/events/ with a filter on the user identifier. Or use Sentry's user deletion feature in the Issues search. Respond within 30 days.
Yes. Sign the Sentry Data Processing Agreement available from Sentry's legal page. For EU-region accounts, verify the DPA covers your specific storage region configuration.
GlitchTip is an open-source Sentry-compatible error tracker that can be self-hosted on EU infrastructure. Rollbar and Bugsnag also provide error tracking with GDPR considerations. For maximum GDPR control, self-hosting Sentry or a compatible alternative on EU infrastructure provides full data sovereignty.
No tracking cookies. The browser SDK stores a volatile in memory session identifier. Session Replay uses sessionStorage (sentryReplaySession) for the active replay token. Server side, Sentry uses cookies for its own dashboard authentication only.
Not for standard error monitoring with PII filtering enabled. Sentry then qualifies as a strictly necessary security measure (Recital 49 GDPR). Consent is required for Session Replay, because it captures detailed user interactions.
Legitimate interest (Art. 6(1)(f) GDPR) for error monitoring, security and reliability. Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for Session Replay.
Choose the EU region of sentry.io to keep event data in Frankfurt and Amsterdam. The control plane (account, billing) remains in the US in both regions. Transfers are covered by EU SCCs and the EU US Data Privacy Framework.
Not for error monitoring alone. A DPIA is recommended for Session Replay deployments at scale because of the detailed user interaction capture.
Pick the EU region, sign the DPA, enable PII filtering, configure beforeSend scrubbing, mask all inputs in Session Replay, limit retention, document Sentry as a processor in your Article 30 record.
Self hosted Sentry, GlitchTip (open source fork, EU friendly), Rollbar (US), Bugsnag/SmartBear (US), Raygun (NZ), Datadog APM (US/EU), New Relic (US), or self hosted alternatives like Errsole and Highlight.io.
Mention Sentry in the technical/security section: error monitoring, no tracking cookies, EU region or US region with EU US Data Privacy Framework, retention, link to Sentry's privacy notice. List Session Replay separately if used.