Privacy at Mouseflow: Our Commitment to Trust & Transparency

Privacy by design & by default

At Mouseflow, we believe privacy is a fundamental right. We are committed to transparency, security, and compliance, ensuring that our customers and their end users have full confidence in how data is handled.

10 Key Facts About Mouseflow’s Privacy Principles

Discover our simplified privacy principles for a clear and concise overview of how we handle data responsibly. Download our Privacy Whitepaper here.

How we handle data

1. What data we collect & why

We only process behavioral analytics data, helping companies improve their websites based on user interactions – without compromising personal privacy. We follow a data minimization principle, meaning we only collect and process the absolute minimum data necessary for analytics purposes.

Session replay & heatmaps – to analyze user behavior, improve UX, and detect friction points.

Performance analytics – to optimize website responsiveness and content effectiveness.

Form analytics – to help businesses improve online conversions.

To achieve these goals, we rely solely on anonymized sessions and aggregated data, without identifying individual visitors.

What we do not collect:

Data that would enable us to identify an individual website visitor.

Keystroke logging or intrusive tracking.

Data beyond what is needed for analytics purposes.

2. Compliance with Global Privacy Laws

We adhere to international privacy frameworks, helping our customers stay compliant:

GDPR (EEA, UK) – We provide a Data Processing Agreement (DPA), enforce strict policies for vetting sub-processors, comply with cross-border data transfer requirements, support privacy-by-design solutions and implement robust security measures. For more details, visit our dedicated GDPR compliance page.

CCPA/CPRA (California) & other U.S. Privacy Laws – We do not sell or share personal data as defined under the CCPA and other applicable U.S. privacy laws. We implement strict controls to prevent unauthorized data sharing, offer Do Not Track (DNT) feature and ensure compliance with consumer privacy rights. For more details, visit our dedicated US Privacy compliance page.

LGPD, PIPEDA, POPIA & Global Privacy – We take a global-first approach to privacy, ensuring compliance with Brazil’s LGPD, Canada’s PIPEDA, South Africa’s POPIA, and other applicable privacy laws.

Where is data stored?

Secure cloud environments with ISO 27001 and SOC 2 Type II-certified infrastructure.
Data residency options available in EU or US.

3. Security & Data Protection

Keeping your data secure is our top priority.

End-to-end security – Encryption in transit and at rest.

Access controls – Strict policies ensure only authorized personnel can handle data.

Anonymization & masking – IPs and keystrokes are masked by default.

Data minimization – We store only what’s necessary for the shortest time needed.

Your control: Customers can customize privacy settings, define retention periods, and delete data upon request. They must exclude website elements that may contain or display personal data.

More questions? Visit our Security Pages.

Your rights & choices

For website visitors:

Opt-out of analytics tracking via cookie settings or by enabling Do Not Track (DNT) signals in your browser.

For customers:

Use our Visual Privacy Tool to configure tracking policies.
Set data retention rules according to your compliance needs.
Data residency in EU or US.

Request the Mouseflow Security Kit

We’ll include copies of audits, certificates, policies and more.

Frequently asked questions

Where is the Mouseflow data center located?

Mouseflow has data centers in both Europe (Amsterdam, EU) and United States (Virginia). Based on where your location during sign-up your data will be located either in the EU or the US. We never transmit or store data outside of the European Union or United States, respectively.

What industry-standard certificates does the Mouseflow data center maintain?

All Mouseflow Data centers
ISO27001
SOC 1 Type II
PCI DSS Compliance

Mouseflow US Data center
All of the above
HIPAA

How do I obtain documentation for the Mouseflow data center industry certificates?

You can request the “Mouseflow Security Kit” via the form above.

Does Mouseflow have an Information Security Policy (“ISP”) in place?

Yes, Mouseflow does have an ISP in place, and it’s also available from the Mouseflow Security Kit.

Are penetration and vulnerability tests performed by a third party?

Yes – Mouseflow conducts frequent penetration and vulnerability tests.

How does Mouseflow separate customer’s data?

All customer data is completely compartmentalized. All data is saved using unique keys that prevent any cross-contamination or pollution from other data-sets.

Does Mouseflow hold data within the US?

Mouseflow customers signing up from North and South America (USA, Canada, Mexico, Brazil etc.) will have the data located at the Mouseflow US data center.

Does Mouseflow hold data within the EU?

All customers signing up from within the EU will have the data located at the Mouseflow EU data center.

What systems are in place to prevent unauthorized access to my data?

For Enterprise plans, Mouseflow provides the option to enforce SSO (Single Server Sign-On) for all users under an account. In addition, two-factor authentication can optionally be enforced for all users with access to your account.

What is Mouseflow's data segregation strategy? Will there be a separate database instance or will it be shared with other customers?

Your data collected by Mouseflow is stored in the region you signed up for an account (separate US/EU data centers) and written to our database(s) with a unique account identifier. When we query records, all queries limit the result set returned to only those records with the unique account identifier.

Does Mouseflow collect Personal Identifiable Information (PII”)?

Personal Identifiable Information data is by default not stored in Mouseflow. Learn more.

Does Mouseflow comply with the General Data Protection Regulation ("GDPR")?

The Mouseflow platform is 100% compliant with the GDPR (General Data Protection Regulation) as set out by the European Union. We do our best to keep you and your visitors safe by aligning you with the industry’s best practices. We mask all IP addresses within the EU and do not track any keystrokes across all EU visitors (non-PII fields can be whitelisted). Read more about Mouseflow’s compliance with the GDPR here.

How does Mouseflow ensure my data collection is GDPR compliant?

All Personal Identifiable Information (“PII”) is pseudonymized prior to being collected by Mouseflow. Mouseflow does not need PII to provide valuable website analytics.

Does Mouseflow provide a Data Processor Agreement (“DPA”)?

As Mouseflow does not collect any Personal Identifiable Information it’s not a requirement under the GDPR to enter into a DPA. However, Mouseflow does offer a DPA for customers who are looking to ensure a data processor relationship with Mouseflow. You can find and digitally sign the DPA here.

Do you have a SOC2 report?

Although we do have SOC1 type II in place for all the Mouseflow data centers. The SOC1 is a similar standard as the SOC2, both are reports on controls at a service organization and are audited by accountants. The difference is that SOC2 has a mandatory set of controls. At the moment we consider the SOC1 as the preferred internal standard due to its flexibility, it allows us to completely tailor and update the framework to our activities, risks and client expectations.

What is the historical availability of the Mouseflow service?

Our historical uptime is 99.99%.

Do I have access to support and help?

Mouseflow provides 24/7 support from our in-app communication interface. In addition, you can reach out to our customer service team via support@mouseflow.com or by phone. See the “Contact Us” page for information on how to contact the Mouseflow customer service team.

Has Mouseflow had an independent assessment of Information Security relative to the services that are provided to clients?

Yes – Mouseflow maintains PCI assessed by ControlScan on a frequent basis. Please refer to the Mouseflow Security Kit for further information.

Features

More

By Team

By Industry

By Use Case

By resource type

By topic

Legal Hub Home