Sentry is an application monitoring platform for error tracking, performance monitoring, and debugging. It captures exceptions, stack traces, breadcrumbs, and optionally user context (email, username) to help developers diagnose issues. The core error tracking function can rely on legitimate interest. However, Sentry commonly captures personal data accidentally in error events (email addresses in URLs, user objects in stack traces) — careful scrubbing configuration is essential for GDPR compliance. EU data storage is available on paid plans.
Sentry is an open-source application monitoring platform specialising in error tracking and performance monitoring. When an exception occurs in a web or mobile application, Sentry captures the full stack trace, request context, user browser information, and a sequence of events leading to the error (breadcrumbs). This helps developers identify, prioritise, and fix bugs faster. Sentry supports all major programming languages and frameworks and integrates with GitHub, Jira, Slack, and other development tools.
The most significant GDPR challenge with Sentry is accidental personal data capture. Error events commonly contain PII: email addresses in URL parameters, user objects serialised in stack traces, session tokens in request headers, and form data in POST body captures. Unless actively configured to scrub this data, Sentry becomes a store of personal data that was never intended to be collected. Sentry provides data scrubbing features — configure these before going live.
Legitimate interest (Art. 6(1)(f)) supports error monitoring as an operational necessity. However, legitimate interest requires data minimisation — collect only what is needed for error debugging. Configure Sentry to: scrub sensitive fields (email, password, token, credit_card), remove request bodies and headers, use the before_send hook to filter PII, and only capture user context that aids debugging (user ID, not email).
Sentry's session replay feature records user interactions leading to errors. Like all session recording tools, this requires consent under the ePrivacy Directive and CNIL guidelines. Block Sentry session replay until analytics consent is obtained, or implement it conditionally only for authenticated users who have consented.
Sign the Sentry DPA. Configure data scrubbing for all sensitive fields. Disable request body capture. Use user ID (not email) in user context. Enable EU data storage if available on your plan. Set minimum event retention. Disable or consent-gate session replay. Disclose Sentry as an error monitoring processor in your privacy policy with data minimisation practices described.
Websites using Sentry must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Sentry deployments using session replay features, or for large-scale error monitoring where user context (PII) is systematically captured in error events. Session replay constitutes systematic monitoring requiring a DPIA.
Sample consent text
This application uses Sentry for error monitoring and performance tracking. When an error occurs, Sentry captures technical information including the error message and stack trace. We minimise personal data in error reports. Error monitoring is conducted under legitimate interest to maintain application quality.
Third-party domains contacted
sentry.io
browser.sentry-cdn.com
o0.ingest.sentry.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sentrysid | session | Session | Sentry session identifier for grouping browser errors and performance events within a single session |
Legitimate interest (Art. 6(1)(f)) for operational error monitoring. However, this requires data minimisation — Sentry should be configured to capture only technical data necessary for debugging, not personal data. The balancing test supports error monitoring as proportionate to the operational benefit.
Configure data scrubbing in Sentry Settings, Security and Privacy: add sensitive fields (email, password, token, ssn, credit_card) to the data scrubber. In your SDK, use the before_send hook to filter PII from events. Set send_default_pii: false in your SDK configuration. Disable request body capture for forms.
Yes. Sentry session replay records individual user interactions and requires consent under the ePrivacy Directive and CNIL guidelines. Block session replay until analytics consent is obtained, or implement it only for authenticated users with an appropriate legal basis.
Yes, for customers on paid plans. In Sentry account settings, select the EU data storage region. This stores all error events and performance data within the EU. Standard (free tier) accounts use US infrastructure requiring SCCs.
Common accidental PII captures: email addresses in URL query parameters (e.g. /[email protected]), user objects serialised in JavaScript errors, request headers containing authentication tokens, POST body data from forms, error messages containing user input. Configure scrubbing for all these patterns.
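A before_send hook covering the capture patterns listed above, written for the Sentry Python SDK. This is an added example, not code from the page or from Sentry; the helper names `_scrub` and `make_sample_event` and the sample event are constructed for illustration.

```python
import re

# Matches plain and URL-encoded (%40) e-mail addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Field names from the scrub list above, matched as substrings of dict keys.
SENSITIVE_KEYS = ("email", "password", "token", "ssn", "credit_card")

def _scrub(value):
    """Recursively mask sensitive keys and e-mail addresses inside strings."""
    if isinstance(value, dict):
        return {k: "[Filtered]" if any(s in str(k).lower() for s in SENSITIVE_KEYS)
                else _scrub(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [_scrub(v) for v in value]
    if isinstance(value, str):
        return EMAIL_RE.sub("[email]", value)
    return value

def before_send(event, hint):
    """Minimise personal data in an event before it is sent to Sentry."""
    request = event.get("request") or {}
    for key in ("data", "cookies", "headers"):  # bodies and auth material
        request.pop(key, None)
    user = event.get("user")
    if user is not None:  # keep the opaque ID only, not email/username/IP
        event["user"] = {"id": user["id"]} if "id" in user else {}
    # Remaining strings: URLs, query strings, messages, breadcrumbs, frame vars.
    return _scrub(event)

def make_sample_event():
    """Constructed event, shaped like a Sentry error payload (not real data)."""
    return {
        "request": {
            "url": "https://shop.example/reset?email=alice@example.com",
            "query_string": "email=alice%40example.com&page=2",
            "headers": {"Authorization": "Bearer constructed-token"},
            "data": {"password": "hunter2"},
        },
        "user": {"id": "u-1842", "email": "alice@example.com", "ip_address": "203.0.113.7"},
        "exception": {"values": [{
            "type": "LookupError",
            "value": "No account for bob@example.org",
            "stacktrace": {"frames": [{"vars": {"session_token": "abc", "attempt": 3}}]},
        }]},
    }
# Registration, with the sentry-sdk package installed and your own DSN:
#   sentry_sdk.init(dsn="<DSN>", send_default_pii=False, before_send=before_send)
```

Client-side scrubbing of this kind complements the server-side data scrubber settings; it keeps the values from leaving the application in the first place.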
Sentry provides an API for deleting all events associated with a specific user using the user identifier set in the SDK. Call DELETE /api/0/projects/{org}/{project}/events/ with a filter on the user identifier. Or use Sentry's user deletion feature in the Issues search. Respond within 30 days.
Yes. Sign the Sentry Data Processing Agreement available from Sentry's legal page. For EU-region accounts, verify the DPA covers your specific storage region configuration.
Glitchtip is an open-source Sentry-compatible error tracker that can be self-hosted on EU infrastructure. Rollbar and Bugsnag also provide error tracking with GDPR considerations. For maximum GDPR control, self-hosting Sentry or a compatible alternative on EU infrastructure provides full data sovereignty.