Privacy Impact Assessment under GDPR

Inspectlet is fully compliant with GDPR and maintains this Privacy Impact Assessment documenting our data collection, processing, storage, and security policies. We employ industry-standard data security policies to keep all customer data safe and treat the protection of user privacy and data with the care it deserves.

Data collection and retention

As a data processor, Inspectlet collects and stores the following data in its data centers on behalf of users using the service:

  • Current URL
  • Country
  • Time zone
  • Browser type and version
  • Device type and version
  • Operating system type and version
  • Referrer URL
  • Screen size
  • User last seen date
  • Mouse activity, including pixel coordinates for mouse movements and clicks, and keyboard activity typed into non-sensitive input fields
  • HTML content that isn't marked as sensitive content

As a data controller, we also collect the following data on users registered to use our service:

  • Email Address
  • Name (optional)
  • Time zone

The following cookies are created and stored on the client side in a visitor's browser to aid data collection:

  • __insp_sid - session cookie, deleted when visit is over
  • __insp_ref - session cookie, deleted when visit is over
  • __insp_scpt - session cookie, deleted when visit is over
  • __insp_nv - session cookie, deleted when visit is over
  • __insp_wid - session cookie, deleted when visit is over
  • __insp_identity - session cookie, deleted when visit is over
  • __insp_uid - long-term cookie that contains random ID assigned to visitor

All data collected is stored in the AWS US East data centers in Virginia. All customer data is stored for 1-24 months, depending on the retention policy of the customer's subscription plan (see retention policy per plan here). Data is permanently deleted from our data centers on a rolling basis when it becomes older than the retention policy for that data.

We collect data in full legal compliance. Customers grant consent for data processing by signing up for the service and installing our JavaScript tracking code on their website. For further details, see our Terms of Service.

Inspectlet ignores any data on the webpage that is marked as sensitive, so data the user enters into sensitive fields is not transmitted to our servers. You can mark both input fields (like the credit card textarea on a checkout form) and HTML content (like a tax report in a DIV or TABLE) on your page as sensitive.

Any end user can opt out of data collection by Inspectlet by visiting our Opt out page.

Technical and security measures

All data is encrypted during transmission, and collected data is stored encrypted at rest using AES encryption. If the Customer has enabled IP address anonymization, the last two octets of the IP address will be removed and will not be available to either the user or Inspectlet. Backups of collected data are made routinely and tested occasionally to verify that the restore procedure works. All data is physically stored only in AWS data centers meeting ISO 27001 compliance.