All data collected by Pendo is treated as sensitive data. To further support your data privacy, policy, and compliance requirements, Pendo provides a variety of methods to prevent capturing data. You can use these methods to prevent general data capture across entire applications or sets of users, as well as to avoid capturing specific data attributes.
Conditionally initialize Pendo
The most general way to prevent Pendo from collecting data is to not initialize Pendo at all in certain circumstances. This can be achieved by only initializing Pendo when a certain condition is met. For more information, see Conditionally initialize Pendo. For example (pseudocode):
    if ( condition ) {
        // Do nothing: Pendo isn't initialized, so no data is collected.
    }
    else {
        pendo.initialize(...)
    }
Do Not Process (DNP) option
Use our "Do Not Process" (DNP) option to prevent data collection on specific visitors and accounts in Pendo by opting them out of Pendo analytics and guides. The DNP option doesn’t delete historical data.
The DNP option is typically used to help companies comply with General Data Protection Regulation (GDPR) requirements and allow end users to invoke their individual data rights. You can invoke these data rights on behalf of your end users, such as the right to erasure, programmatically using our deletion endpoints or by contacting Pendo Support.
When you use the DNP option for a visitor or account, the Pendo agent immediately discards their existing data and doesn't collect data on any subsequent events for that visitor or account. The visitor or account is no longer tracked and doesn't receive guides.
You can set the DNP option in Pendo in one of two ways:
- Manually through the Pendo UI.
- Programmatically using Pendo's endpoint.
For more information about how to set DNP, and how to see which visitors and accounts are no longer being processed, see Opt-out of tracking with DNP.
Manually turn on Do Not Process
You can turn on the DNP option on the details page of the individual visitor or account in the Pendo UI:
- Navigate to People from the left-side menu.
- Open either Visitors or Accounts as needed.
- Find and select the visitor or account you'd like to opt out of data collection.
- In the Overview tab for this visitor or account, select the Do Not Process (GDPR) checkbox.
Visitors and accounts that appear in the Pendo UI have already been tracked at least once. After manually selecting Do Not Process (GDPR) in the UI, no additional data is tracked.
Programmatically turn on Do Not Process
You can turn on the DNP option using the Pendo opt-out endpoint. For information, see Opt-out of tracking with DNP and our Engage API documentation. You can also programmatically:
- Bulk delete large numbers of visitors and accounts using Pendo's bulk deletion endpoint.
- Retrieve existing DNP records using Pendo's aggregation endpoint.
Turn off IP address and geolocation
You can request that we disable the collection of geolocation information, such as IP addresses, by Pendo servers (both logs and databases).
While geolocation isn't currently used in the Pendo UI, we might add features related to these data points in the future. Should that happen, subscriptions that have IP address and geolocation logging disabled won't be able to take advantage of these features.
To disable geolocation logging, contact Pendo technical support.
Turn off cookies
By default, Pendo uses localStorage and falls back on cookies if certain conditions are met. For information, see the Agent Cookies article.
Disabling cookies has the following potential implications:
- Unidentified visitor tracking might produce more anonymous visitors than unique visitors. This is because every page load, regardless of authentication, generates a new Visitor ID. We don't recommend turning off cookies if you're tracking unidentified visitors.
- Guide throttling might not work correctly for visitors who don't have cookies enabled.
- Guides might show more than once to the same visitor.
- Only Me segmentation breaks for unidentified users until they're identified again.
- Any existing cookies still exist until they expire.
To disable the use of cookies, set disableCookies to true in the initialize method of the Pendo install script, as shown below.

    pendo.initialize({
        disableCookies: true,
        visitor: {
            id: 'joe@acme.com'
        },
        account: {
            id: 'Acme'
        }
    });
The above example would disable cookies for all visitors. You can disable cookies for specific visitors, such as those in the European Union or those who opt out of cookies, by using conditional logic.
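One way to write that conditional logic, combined with the conditional initialization described at the top of this article. This is an added example, not Pendo's code: the `user` and `privacy` objects, their field names, and the choice to skip the agent for unidentified visitors who need cookies off are assumptions.

```javascript
// Added example. The `user` and `privacy` objects and their field names are
// assumptions made for illustration; only pendo.initialize(), disableCookies,
// visitor.id and account.id come from the article.

// Returns the options for pendo.initialize(), or null when the agent must not
// be initialized for this visitor at all.
function buildPendoOptions(user, privacy) {
  // Conditional initialization: a full opt-out means no initialize call.
  if (privacy.trackingOptOut) return null;

  const noCookies = Boolean(privacy.inEU || privacy.cookiesDeclined);
  const identified = Boolean(user && user.visitorId);

  // With cookies off, every page load by an unidentified visitor produces a
  // new Visitor ID, so this sketch skips the agent for that combination.
  if (noCookies && !identified) return null;

  const options = {};
  if (noCookies) options.disableCookies = true;
  if (identified) {
    options.visitor = { id: user.visitorId };
    if (user.accountId) options.account = { id: user.accountId };
  }
  return options;
}

// `agent` is the global pendo object in a browser; it is passed in so the
// decision logic can be exercised without the agent loaded.
function initPendo(agent, user, privacy) {
  const options = buildPendoOptions(user, privacy);
  if (options === null) return false;
  agent.initialize(options);
  return true;
}

// Constructed demo with a stub in place of the real agent.
const demoCalls = [];
const demoAgent = { initialize: (opts) => demoCalls.push(opts) };
initPendo(demoAgent, { visitorId: 'joe@acme.com', accountId: 'Acme' }, { inEU: true });
initPendo(demoAgent, { visitorId: 'joe@acme.com', accountId: 'Acme' }, { trackingOptOut: true });
console.log(demoCalls); // one call, with disableCookies set
```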
Ignore specific HTML elements
Add the pendo-ignore class to an element to prevent all data collection for that element. For example, adding pendo-ignore to the BODY element prevents all data capture. For more information, see Exclude specific element tracking in the HTML attributes in data collection article.
Exclude specific HTML attributes
Pendo collects HTML attributes, which is explained in the HTML attributes in data collection article. To prevent the collection of specific HTML attributes, for example, if PII is displayed in a data attribute, ask Pendo technical support to add HTML attributes to your htmlAttributeBlacklist. This stops Pendo from collecting the attributes that you specify on all future Click Events and Focus Events.
Exclude inner text
Pendo collects text inside elements, which is explained in the HTML attributes in data collection article. To prevent the collection of an element's innerText, for example, if PII is displayed, set excludeAllText to true in the initialize method of the Pendo install script, as shown below.

    pendo.initialize({
        excludeAllText: true,
        visitor: {
            id: 'joe@acme.com'
        },
        account: {
            id: 'Acme'
        }
    });
After excludeAllText is enabled, you can allowlist specific text strings using allowedText. For more information, see Analytics in the agent API documentation. You can also contact Technical Support to include allowedText values by default.
Transform URLs
You can use the Location API to modify the browser URL that the Pendo agent receives from your application. The actual application is still using the original browser URL, and end users only see the browser URL, but the Pendo agent receives a more detailed or sanitized version of the URL that is used for analytics and guide targeting.
For more information, see Tech Note: Transform the URL collected by Pendo using Location API (web only).
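A sketch of the sanitizing step itself, as an added example that is not from Pendo's documentation. The parameter denylist, the patterns, and the placeholder strings are assumptions. Handing the result to the agent is done through the Location API as described in the tech note and is not shown here.

```javascript
// Added example. Parameter names, patterns and placeholders are assumptions.
const SENSITIVE_PARAMS = new Set(['token', 'email', 'session', 'password', 'ssn']);
const EMAIL_RE = /^[^@\s\/]+@[^@\s\/]+\.[^@\s\/]+$/;
const ID_RE = /^(?:\d{6,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// Returns a copy of `href` that is safe to use for analytics and guide
// targeting. The browser's real URL is not touched.
function sanitizeUrlForAnalytics(href) {
  const url = new URL(href);

  // Credentials embedded in the URL are never needed for analytics.
  url.username = '';
  url.password = '';

  // Replace path segments that are an email address or a record identifier.
  url.pathname = url.pathname.split('/').map((segment) => {
    let decoded;
    try { decoded = decodeURIComponent(segment); } catch { decoded = segment; }
    if (EMAIL_RE.test(decoded)) return ':email';
    if (ID_RE.test(decoded)) return ':id';
    return segment;
  }).join('/');

  // Redact denylisted parameters and any value that is an email address.
  for (const [key, value] of [...url.searchParams]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, 'REDACTED');
    }
  }

  // A fragment carrying key=value pairs may hold tokens; a plain route
  // fragment such as #/dashboard is kept for hash-routed applications.
  if (url.hash.includes('=')) url.hash = '';

  return url.href;
}

// Constructed sample URL.
console.log(sanitizeUrlForAnalytics(
  'https://app.example.com/users/joe%40acme.com/orders/12345678?token=abc123&tab=billing#access_token=xyz'
));
```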
Exclude lists
Exclude lists are a subscription-wide setting available to Pendo admins in Settings > Exclude lists. Exclude lists don't prevent data capture, but do remove it from the Pendo UI.
Pendo calculates metrics using events. Exclude lists filter out events from the details and metrics calculation for all segments (except Exclude lists Accounts and Visitors) that match at least one of the filter settings: Server Hostname or Domain, Source IP Address, Visitor ID, Account ID.
For more information, see Exclude and Include Listing.
Clear metadata on sign out
You can clear stored user metadata at the end of a session, which can be especially useful if multiple anonymous visitors use the same computer. If the stored metadata isn’t cleared, the behavior of a new anonymous visitor can be attributed to a previously identified visitor.
This can be resolved by calling pendo.clearSession() in your application when the visitor signs out or before the next visitor is identified, for example, on a login screen. This is particularly important on a login screen that loads when an expired cookie is detected to catch sessions that ended when the browser was closed and didn't log out or time out as expected.