Mouseflow

Mouseflow records session replays, generates heatmaps, and tracks form analytics for web optimization teams. The Mouseflow script captures all mouse movements, clicks, scrolls, and keystrokes (excluding sensitive fields) and uploads sessions to Mouseflow's cloud platform.

Overview

Mouseflow is a behavioral analytics platform that records session replays, generates heatmaps, and provides form analytics for web optimization and UX research teams. It captures detailed user interaction data — mouse movements, clicks, scroll depth, and form interactions — and uploads this to Mouseflow's cloud platform where teams can watch video-like session replays and analyze aggregated heatmaps. Mouseflow is used by e-commerce, SaaS, and media companies to diagnose conversion funnel drop-offs, identify UX friction, and validate design changes. The platform processes significant volumes of behavioral data per session, making it one of the more privacy-sensitive analytics tools.

What This Script Does

The Mouseflow script (cdn.mouseflow.com/projects/<project-id>.js) loads asynchronously and begins capturing user interaction data from the moment it initializes.

Data capture mechanisms:

  • DOM snapshots: Mouseflow captures periodic DOM snapshots that reconstruct page appearance during replay, including dynamically loaded content
  • Mouse tracking: All cursor coordinates are recorded at high frequency throughout the session, enabling movement heatmaps and replay visualization
  • Click recording: Every click event is recorded with element target, coordinates, and timestamp
  • Scroll depth: Continuous scroll position tracking enables scroll heatmaps showing how far users read
  • Keystroke capture: Text input is recorded in form fields by default; sensitive fields (passwords, credit card numbers) are excluded via automatic detection and configurable rules. All other text input (search queries, form answers) is captured unless explicitly masked.
  • Rage clicks and error clicks: Automatically flagged for UX issue detection

Cookies set:

  • mf_<project-id> — first-party persistent cookie, typically 1-year expiry, stores Mouseflow's unique visitor and session identifiers
  • mf_user — links sessions from returning visitors to build longitudinal behavior profiles
  • Session-scoped cookies for active recording state management

Data transmitted:

  • Interaction event stream (mouse coordinates, click targets, scroll positions) uploaded continuously during the session to mouseflow.com recording endpoints
  • Page URL, referrer, viewport dimensions, device type, and browser version
  • Session duration, page count, and engagement metrics
  • Form interaction data: fields visited, time spent per field, hesitation patterns, and abandonment points

Privacy controls available to site operators:

  • Field masking for sensitive inputs (data-mf-ignore attribute)
  • Page-level recording suppression
  • Sampling rate configuration to record only a percentage of sessions
  • IP anonymization option

Consent & Compliance

Mouseflow falls under the analytics consent category and represents one of the higher-sensitivity analytics tools. Session replay captures extensive behavioral data — the visual reconstruction of what a user did on the page, including keystrokes in unmasked fields — which constitutes personal data under GDPR because it is tied to identifiable visitors via persistent cookies and IP addresses.

Under GDPR and ePrivacy, Mouseflow requires explicit opt-in consent. The persistent visitor identifier cookie is non-essential, and the processing of detailed behavioral data (interaction patterns, form behavior, text input) goes far beyond what is necessary for website operation. Several European DPAs have scrutinized session replay tools; the Irish DPC and CNIL have indicated that session recording requires valid consent. Mouseflow itself recommends obtaining consent before activating recording for EU visitors.

Under CCPA/CPRA, this level of behavioral monitoring constitutes "sensitive personal information" collection (given keystroke recording) and requires disclosure and opt-out rights. Mouseflow is headquartered in Copenhagen; EU data is processed within the EU, with an option to restrict data to EU-only servers.

Should You Block This Without Consent?

Yes. Session replay and keystroke recording capture extensive personal behavioral data including interaction patterns and form text input. Block Mouseflow until the user provides explicit analytics consent. Do not rely on legitimate interest as a lawful basis for session replay recording.
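One way to check that the block actually holds is to audit a captured page load for Mouseflow requests or cookies that appear before the visitor opted in. The following is an added example, not code from Mouseflow or ConsentStack; the event shape, the sample capture and the project id "abc123" are constructed assumptions, while the domain and cookie patterns are the ones listed on this page.

```javascript
// Added example: audit a capture for Mouseflow activity before consent.
// Domain and cookie patterns come from this page; the event shape is assumed.
const MOUSEFLOW_ROOT = "mouseflow.com"; // also covers cdn. and o2. subdomains
const MOUSEFLOW_COOKIE = /^mf_/;        // mf_<project-id>, mf_user

function isMouseflowHost(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch {
    return false; // not an absolute URL, ignore it
  }
  // Exact or dot-bounded suffix match, so "notmouseflow.com" and
  // "mouseflow.com.example" are not treated as Mouseflow.
  return host === MOUSEFLOW_ROOT || host.endsWith("." + MOUSEFLOW_ROOT);
}

function isMouseflowEvent(ev) {
  if (ev.type === "request") return isMouseflowHost(ev.url);
  if (ev.type === "cookie") return MOUSEFLOW_COOKIE.test(ev.name);
  return false;
}

// consentAt: timestamp (ms) of the analytics opt-in, or null if never given.
// Returns every Mouseflow request or cookie seen without consent in place.
function findPreConsentActivity(events, consentAt) {
  return events
    .filter(isMouseflowEvent)
    .filter((ev) => consentAt === null || ev.t < consentAt)
    .map((ev) => ({ t: ev.t, type: ev.type, what: ev.url || ev.name }));
}

// Constructed sample capture (not real traffic); "abc123" is a placeholder.
const SAMPLE_EVENTS = [
  { t: 100, type: "request", url: "https://shop.example/" },
  { t: 180, type: "request", url: "https://cdn.mouseflow.com/projects/abc123.js" },
  { t: 210, type: "cookie", name: "mf_user" },
  { t: 250, type: "request", url: "https://notmouseflow.com/pixel" },
  { t: 900, type: "request", url: "https://o2.mouseflow.com/" },
  { t: 950, type: "cookie", name: "mf_abc123" },
];

const CONSENT_AT = 500; // visitor accepted analytics at t=500
console.log(findPreConsentActivity(SAMPLE_EVENTS, CONSENT_AT));
```

An empty result means nothing from Mouseflow loaded or was stored before the opt-in; passing `null` as the consent time flags every Mouseflow event in the capture.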

Consent Categories

Analytics

Also Known As

  • Mouseflow
  • session replay
  • heatmap tool
  • Mouseflow script
  • visitor recording

Industries

  • Programming and Developer Software
  • Computers Electronics and Technology

Tracked Domains (3)

  • mouseflow.com (Analytics)
  • cdn.mouseflow.com (Analytics)
  • o2.mouseflow.com (Analytics)

Frequently Asked Questions

Does Mouseflow require consent on my website?

Yes. Mouseflow requires explicit opt-in consent. Session replay captures extensive behavioral data including mouse movements, clicks, scroll position, and keystrokes in unmasked form fields — all tied to persistent visitor identifiers. European data protection authorities have confirmed that session recording requires valid consent.

What cookies and data does Mouseflow collect?

Mouseflow sets the mf_ persistent cookie with a one-year expiry as a unique visitor and session identifier. The script records all cursor coordinates, click targets, scroll positions, and keystroke input in form fields. This interaction stream uploads continuously to mouseflow.com recording endpoints throughout the session.

How does ConsentStack handle Mouseflow?

ConsentStack blocks Mouseflow until the visitor grants explicit analytics consent. Because session replay captures keystroke data and detailed interaction patterns tied to persistent visitor IDs, ConsentStack treats Mouseflow as a high-sensitivity analytics tool requiring affirmative opt-in.

Related Vendors

Google

Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.

Google Analytics

Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.

Firebase

Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.

Microsoft

Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.

Microsoft Dynamics 365

Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.

LinkedIn Insight Tag

LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.
