Pro Plan · 10 minutes · intermediate

Session Storage & Privacy

Understand how session recordings are stored, privacy controls, data masking, and compliance with GDPR and other regulations.

Last updated: January 15, 2025

Learn how Zenovay handles session recordings responsibly - from data masking to GDPR compliance and storage security.

Privacy First Approach

Our Philosophy

Session Replay is designed with privacy in mind:

  • Sensitive data masked by default
  • User control over what's captured
  • Compliance with privacy regulations
  • No personal data sold or shared

What We Don't Capture

By default, never recorded:

  • Password fields
  • Credit card numbers
  • Hidden form values
  • Clipboard content

Data Masking

Automatic Masking

These are masked automatically:

Element | Treatment
input[type="password"] | Always masked
input[type="email"] | Masked by default
input[type="tel"] | Masked by default
.sensitive class | Masked
[data-private] | Masked

What Masking Looks Like

In recordings, masked content shows:

  • •••••••• for text inputs
  • Placeholder for images
  • Generic content for marked areas

Custom Masking

Add masking to specific elements:

<!-- Mask any element -->
<div data-private>
  Sensitive content here
</div>

<!-- Mask form fields -->
<input type="text" data-private>

<!-- Mask via CSS class -->
<span class="zenovay-mask-replay">Personal info</span>

Mask by CSS Selector

Configure masking with CSS classes on your HTML elements:

<!-- Add zenovay-mask-replay class to sensitive elements -->
<div class="zenovay-mask-replay">This content will be masked</div>
<form id="credit-card-form" class="zenovay-mask-replay">...</form>
<span data-sensitive class="zenovay-mask-replay">Sensitive data</span>

Input Recording

Default Behavior

Form inputs are handled as follows:

Field Type | Recording
Text inputs | Keystrokes masked
Passwords | Always masked
Dropdowns | Selection recorded
Checkboxes | State recorded
File uploads | Name only (not content)

Keystroke Options

Configure keystroke recording:

Option | Behavior
Off | No keystrokes
Masked (default) | Shows •••
On | Shows actual text

Enabling Full Text

Only enable full text recording if necessary and with proper consent.

Input recording mode is configured in your Settings → Session Replay dashboard. Options: masked (default) or off.

Blocking Recording

Block Entire Pages

Exclude pages from recording:

Configure excluded URLs in Settings → Session Replay → Excluded Pages:

  • /admin/*
  • /account/settings
  • /checkout/payment

Block Elements

Exclude specific elements:

<!-- Don't record this element at all -->
<div data-private>
  This section won't appear in recordings
</div>

Block by Selector

In configuration:

sessionReplay: {
  blockSelectors: [
    '.internal-only',
    '#admin-panel',
    'iframe.third-party'
  ]
}

Requirements depend on your jurisdiction:

Region | Requirement
EU (GDPR) | Explicit consent often required
California (CCPA) | Opt-out must be available
Other | Varies by law

Session recording is controlled from your dashboard settings (Settings -> Session Replay), not via JavaScript API calls. To disable all tracking (including recording) based on consent:

// Disable tracking if consent withdrawn
if (!userConsented) {
  zenovay('disable');
}

// Re-enable tracking when consent is granted
if (userConsented) {
  zenovay('enable');
}

Works with consent managers:

  • OneTrust
  • Cookiebot
  • CookieYes
  • Custom implementation

// Wait for consent signal
window.addEventListener('consent-given', function() {
  zenovay('enable');
});

window.addEventListener('consent-withdrawn', function() {
  zenovay('disable');
});
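
The consent wiring above can be made fail-closed, so that tracking stays off until an explicit grant is recorded. The following is an added example, not Zenovay code: only zenovay('enable'), zenovay('disable') and the two event names come from this page, while the storage key, function names and the explicit DNT/GPC check are assumptions.

```javascript
// Added example, not Zenovay code. Only zenovay('enable'), zenovay('disable') and
// the two event names appear on the page; all other names are hypothetical.
const CONSENT_KEY = 'replay-consent'; // hypothetical localStorage key

// Track only on an explicit stored "granted" and no browser opt-out signal.
// Missing, "denied" or unexpected values all resolve to "do not track".
function shouldTrack(stored, nav) {
  const optedOut = nav.globalPrivacyControl === true || nav.doNotTrack === '1';
  return !optedOut && stored === 'granted';
}

function createConsentGate({ zenovay, storage, nav, target }) {
  let state = null; // in-memory copy, so blocked storage still honours this page view
  let last = null;  // last command sent, to avoid repeating it
  try { state = storage.getItem(CONSENT_KEY); } catch (e) { /* no storage: no consent yet */ }

  function apply() {
    const cmd = shouldTrack(state, nav) ? 'enable' : 'disable';
    if (cmd !== last) { zenovay(cmd); last = cmd; }
    return cmd;
  }
  function record(value) {
    state = value;
    try { storage.setItem(CONSENT_KEY, value); } catch (e) { /* decision not persisted */ }
    return apply();
  }
  // Event names as used in the snippet above; your consent manager emits its own.
  target.addEventListener('consent-given', () => record('granted'));
  target.addEventListener('consent-withdrawn', () => record('denied'));
  return { apply };
}

// Browser wiring; skipped where there is no window or no loaded tracker.
if (typeof window !== 'undefined' && typeof window.zenovay === 'function') {
  let storage = null;
  try { storage = window.localStorage; } catch (e) { /* storage access blocked */ }
  createConsentGate({ zenovay: window.zenovay, storage, nav: navigator, target: window }).apply();
}
```

Calling apply() once on page load sends 'disable' for any visitor without a stored grant, so a withdrawn or never-given consent carries across page views.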

Data Storage

Where Data Is Stored

Session data is stored:

  • Encrypted at rest
  • Distributed globally (Cloudflare)
  • Region options available (Enterprise)

Retention Periods

Plan | Retention
Pro | 60 days
Scale | 120 days
Enterprise | 180 days

After Retention

When retention expires:

  • Data automatically deleted
  • Cannot be recovered
  • Export before expiration

Data Residency

Enterprise Plan

Enterprise options:

  • EU-only storage
  • US-only storage
  • Specific country
  • Custom requirements

Data Security

Encryption

All session data:

  • Encrypted in transit (TLS 1.3)
  • Encrypted at rest (AES-256)
  • Keys managed securely

Access Control

Who can view recordings:

  • Team members with permission
  • Role-based access
  • Audit logging

Security Certifications

Zenovay maintains:

  • SOC 2 Type II
  • GDPR compliance
  • CCPA compliance

GDPR Compliance

For session recording under GDPR:

Basis | Notes
Consent | Explicit user consent
Legitimate Interest | With proper assessment

Data Subject Rights

Users can request:

  • Access to their recordings
  • Deletion of recordings
  • Export of their data

Implementing Rights

Process user requests:

  1. User submits request
  2. Identify their sessions
  3. Export or delete
  4. Confirm completion

Right to Be Forgotten

Delete user's sessions:

  1. Go to your domain settings → Security tab
  2. Enter user identifier
  3. Delete all sessions
  4. Confirm deletion

User Controls

Opt-Out Options

Provide users control:

<!-- User-facing opt-out -->
<button onclick="zenovay('disable')">
  Don't track my activity
</button>

Respect Do Not Track

Optionally honor DNT:

Zenovay respects Do Not Track (DNT) and Global Privacy Control (GPC) signals by default. No additional attribute is needed. Use data-ignore-dnt="true" only if you need to override this behavior.

Third-Party Content

Iframes

Third-party iframes:

  • Not recorded by default
  • Can't access cross-origin
  • Shows placeholder

Third-Party Scripts

Content from other domains:

  • May show differently
  • Font fallbacks possible
  • External images may fail

Sensitive Industries

Healthcare (HIPAA)

For HIPAA compliance:

  • Mask all PHI
  • Use Business Associate Agreement
  • Consider Enterprise plan

Financial Services

For financial data:

  • Mask all financial fields
  • Block payment pages
  • Audit logging essential

Consult with your legal team about:

  • Industry requirements
  • Regional laws
  • Customer agreements

Audit & Compliance

Audit Logging

Scale Plan

Track who viewed recordings:

  • Viewer identity
  • Session viewed
  • Timestamp
  • Actions taken

Compliance Reports

Generate reports for:

  • Data access logs
  • Deletion requests
  • Consent records

Best Practices

Privacy Checklist

Before enabling recording:

  • Privacy policy updated
  • Consent mechanism in place
  • Sensitive fields masked
  • Excluded pages configured
  • Team trained on privacy

Regular Reviews

Periodically check:

  • Masking configuration
  • New sensitive fields
  • Consent compliance
  • Retention settings

Documentation

Maintain records of:

  • What you record
  • Legal basis
  • Retention periods
  • Access controls

Configuration Summary

Configure these in Settings → Session Replay:

  • Enable session replay
  • Mask text inputs (on by default)
  • Set excluded pages: /admin/*
  • Respect Do Not Track: enabled by default (use data-ignore-dnt="true" to override)

For element-level masking, use CSS classes in your HTML:

<div class="zenovay-mask-replay">Masked content</div>
<form id="payment-form" class="zenovay-block-replay">Blocked from recording</form>
