Mouseflow Blog

Want to try Mouseflow?


GDPR: Action Required & Changes to Mouseflow

In a previous post, we wrote about how in Europe, data privacy is about to be turned upside down. But, what does that mean for you as a Mouseflow user?

This post is the second in a series of posts about how we’re handling GDPR. We invite you to read the series, ask questions, and give us feedback. If you missed the first post, you can find it here.

What You Need To Do

Because Mouseflow saves historical data, you may need to make changes to how data is collected on your website.

Here’s a quick look at what you need to do by December 15th, 2017:

Exclude/Replace Content on Pages (via Code)

First, you need to check the pages on your site to identify where Personal Data is printed or shown. This can include names, addresses, payment details, and more. For each case, you need to implement the exclude/replace code. This prevents the data from ever reaching our system.

Whitelist Form Fields (via Code)

Next, Mouseflow will disable keystroke tracking for EU/EEA data subjects and accounts. This will affect form fields that you may still want to track, like search boxes.

If you have any form fields on your website(s) that will never contain Personal Data, you can whitelist them using the .mouseflow class, like this:

<input type="text" class="mouseflow some-other-class" />

You can learn more about this in our exclude input fields article.

Alternative Options (via Settings, in-app)

For both of the above methods, you’ll notice that they use extra code on the live pages. This is the preferred method because it exactly identifies the page elements in question. However, for clients who can’t easily modify the code on their website(s), we’re adding another way to implement both changes under “Settings” for each site. This “in app” method will be available before January 3rd, 2018 and more details will be announced soon.

What We’re Doing

As a web analytics tool, Mouseflow acts as a Data Processor for our clients. As such, we’re also making changes to our platform on or before December 15th, 2017:

Encryption at Rest
We always encrypted data in transit (via HTTPS).
We’ll now include encryption at rest for all accounts, too.

IP Address Anonymization
We’ll remove the last tuple (three digits) from IP addresses and ISP details.
This is for EU/EEA data subjects and accounts only.

Disable Keystrokes
We’ll disable keystroke tracking for EU/EEA data subjects and accounts.
This applies to all form fields, except the ones you whitelist.

Disable Visitor Identification
We’ll disable the visitor identification feature for EU/EEA data subjects and accounts.

Automatic Content Masking
We’ll automatically hide certain text from appearing in page content, if previously entered into a form field during the same session.

As we mentioned at the top of this post, there are some steps you need to take before December 15th, 2017.

IMPORTANT: Please review the “What You Need to Do” section of our GDPR page.

As we get closer to the deadline for GDPR, we’ll implement further changes and keep you informed of updates.

Let us know your thoughts and contact us at if you have any questions.