Data flow is the path information takes between a user device, a website, and any third-party services the site calls. It includes visible data like form entries, and hidden signals such as cookies, pixels, headers, identifiers, and telemetry sent by scripts or embedded resources.
In cyber security, data flow matters because risk is often created by where data goes, not just what is stored. A site may look harmless in a browser, yet still leak user actions to ad networks, analytics vendors, or other external processors. Attackers also study data flow to steal credentials, exfiltrate records, or pivot through trusted integrations. Defenders map data flow to find unsafe sharing, enforce least-privilege access, validate consent controls, and detect unexpected network requests. If you do not know the path data follows, you cannot reliably protect it.