Zenovay's session replay records DOM mutations, not pixels. That means we never see screenshots of your visitors' screens. But the recorded DOM still contains the text content of every node, so we apply layered masking to keep PII out of the recording.
What's masked by default
Without any configuration:
- All
<input>,<textarea>, and<select>values are recorded as*characters of the same length. passwordandemailinput types are stripped to a single asterisk.- Elements with
autocomplete="cc-number",cc-csc,cc-exp,tel, orstreet-addressare fully masked. - Anything inside a node with
data-privateor classzv-maskis replaced with***.
Adding your own masks
For custom fields that contain PII (a customer ID, an SSN field, an internal account number), add data-private="true" to the element:
<div data-private="true">
Customer #ABC-1234
</div>
Or via class:
<input class="zv-mask" name="ssn" />
Both approaches mask the element's text content before it leaves the browser — the unmasked value never reaches Zenovay's servers.
Blurring images and avatars
To blur an image (e.g. a profile photo) without removing it from the recording:
<img src="/avatars/user.jpg" data-private="blur" />
The image renders normally for the visitor; the recording shows a Gaussian-blurred placeholder.
Excluding entire sections
For pages where replay should not run at all (a high-privacy admin screen, an internal-only page):
<body data-zenovay-replay="off">
The page is still tracked for pageviews and events, but no DOM mutations are captured.
How to verify
Open a fresh recording in Replays → Sessions and pause on a frame that contains a masked field. The masked content should appear as ***. If you see the real value, double-check that the attribute is on the element BEFORE the user types — not added afterwards.