When configuring Session Replay, we strongly encourage a proactive approach to safeguarding potentially sensitive data, such as Personal Identifiable Information (PII) or financial information.
To help you meet the privacy needs of your app and comply with your company's policies, we offer several options to configure the privacy of your replays:
- Starting privacy configuration. Choose from three different privacy configurations for web apps or two for mobile apps, each providing varying levels of text masking for your app. This helps ensure that PII and sensitive content are appropriately handled based on the individual needs of your app and users.
- Granular privacy rules. For web apps, use CSS selector rules to mask, unmask, or block specific elements after choosing your starting privacy configuration. You can create these rules from the Replay Settings page or directly in the Visual Design Studio while tagging a Feature. Mobile apps don't support CSS selector rules; instead, you choose whether to block or allow image capture.
- Audience capture. Define the audience for your replays with the Pendo segment builder. This ensures that only specific groups or subsets of visitors have their interactions captured in replays.
The following sections in this article explain each privacy option and how to configure it.
In the following example image, you can see a replay where the revealed text represents unmasked elements, the asterisks represent masked elements, and the striped placeholder elements represent blocked elements.
Complementing these privacy settings, Pendo's stringent security and privacy standards also cover Session Replay. You can find detailed information about our security practices, compliance, and privacy terms in our Trust Center.
Important: If you find that Session Replay has captured sensitive data that needs to be deleted before it expires, contact our support team. Replays are automatically deleted after 30 days, or 90 days if your subscription includes extended retention. If you save a replay as a clip, it's available for one year unless manually deleted sooner.
Access the Replay Settings page
Subscription admins configure most Session Replay privacy settings on the Replay Settings page for individual applications. To access this page:
- Go to Settings > Subscription settings.
- Select the Applications tab, then open an app from the list.
- Select the Replay Settings tab.
Starting privacy configuration
Before you can activate Session Replay, you have to select a starting privacy configuration: Maximum Privacy, Inputs Only, or Minimum Privacy (web only). You can only choose this starting privacy option once.
After that's selected, you can further configure the privacy of your replays. For web apps, create CSS selector rules. For mobile apps, choose whether to capture images.
To learn about each starting privacy configuration, you can select View example on the Replay Settings page or continue reading below.
Pendo's data filtering runs locally on the client side. When Session Replay captures visitor interactions, the Pendo Web SDK applies the selected privacy settings in the visitor's browser to mask or block the relevant data, so sensitive information is removed before anything is sent to Pendo. The flip side is that a missing or mistyped selector rule means the unmasked data is sent; verify new rules on a small test audience before relying on them for your whole user base.
Regardless of which privacy configuration you choose, the following exceptions apply:
- HTML attributes aren't masked. This includes `placeholder`, `alt`, and `title` attributes. If these contain sensitive data, you must explicitly mask or block the elements using selector rules.
- Certain input types can't be unmasked. Text entered into inputs with the `tel`, `email`, `password`, or `number` type attributes is always masked and can't be unmasked, even with selector rules.
- Audio and video elements are blocked by default. To include them in replays, you must remove the blocking selector rules for the related elements.
After you decide on the privacy configuration that makes the most sense for your application, choose Select. If you're managing privacy for a web app, the Privacy configuration section then populates a table with the corresponding selector rules and allows you to create new CSS selector rules as needed.
Maximum Privacy
The Maximum Privacy configuration attempts to replace all on-screen text with asterisks (*). This means that we make every effort to mask all PII, input fields, and user-entered text with this privacy configuration.
Here’s an example of what Maximum Privacy could look like without creating any selector rules:
Maximum Privacy is the most privacy-conscious option we provide and is recommended if your app displays sensitive content.
Inputs Only
The Inputs Only configuration attempts to replace text contained in inputs with asterisks (*). This means we make every effort to mask text in the input types listed below, while all other text is revealed. For web apps, you can mask and unmask additional text using selector rules.
The table below details all elements that are masked with Inputs Only and which fields you can unmask using selector rules.
| Element type | Mapped selector | Can unmask? |
| --- | --- | --- |
| Color input | `input[type='color']` | Yes |
| Date input | `input[type='date']` | Yes |
| Date and time input | `input[type='datetime-local']` | Yes |
| Editable content region | `[contenteditable=true]` | Yes |
| Email input | `input[type='email']` | No |
| Month input | `input[type='month']` | Yes |
| Number input | `input[type='number']` | No |
| Password input | `input[type='password']` | No |
| Range input | `input[type='range']` | Yes |
| Search input | `input[type='search']` | Yes |
| Dropdown select | `select` | Yes |
| Telephone number input | `input[type='tel']` | No |
| Single-line text input | `input[type='text']` | Yes |
| Multi-line text input | `textarea` | Yes |
| Time input | `input[type='time']` | Yes |
Note: Number inputs only accept numerical values, so masked text appears as 0000000000 rather than asterisks in replays. The value is still masked.
Here’s an example of what Inputs Only could look like without creating any selector rules:
Inputs Only is recommended for apps that keep all sensitive content contained in inputs or if you plan to create selector rules to mask all sensitive information that isn’t contained in an input.
Minimum Privacy (web apps only)
The Minimum Privacy configuration only replaces text entered into email, telephone, and password inputs with asterisks (*). This means that all other text contained in and out of inputs is revealed. You can mask additional text using selector rules. Minimum Privacy is only available for web apps.
The table below details all input types that are masked with Minimum Privacy and which fields you can unmask using selector rules.
| Input type | Mapped selector | Can unmask? |
| --- | --- | --- |
| email | `input[type='email']` | No |
| password | `input[type='password']` | No |
| tel | `input[type='tel']` | No |
Here’s an example of what Minimum Privacy could look like without creating any selector rules:
Minimum Privacy is recommended for apps that have little sensitive content or if you plan to create selector rules to mask all sensitive information.
Selector rules (web apps only)
After you select a starting privacy option, you can create selector rules to further refine the privacy settings for your replays. With selector rules, you can mask, unmask, or block specific elements from capture. You can create selector rules in two ways:
- From the Visual Design Studio, by selecting a tagged Feature. (No CSS knowledge required.)
- From the Replay Settings page, by entering a CSS selector manually.
If you're less familiar with CSS selectors, start with the Visual Design Studio. It automatically generates the selector associated with the Feature tag rule, so you don't need to write one manually.
All new selector rules take approximately 10 minutes to fully process. If a visitor is using the application at the time a new rule is processed, the rules might not go into effect until the visitor refreshes their current page or navigates to a new page.
Note: Selector rules are available only for web apps. Mobile apps don't support CSS selectors; use the Block images setting to allow or block images in mobile replays. On web, blocked elements appear as teal placeholder blocks. On mobile, blocked images appear as gray boxes.
Tag with the Visual Design Studio
You can create replay privacy rules directly from the Visual Design Studio while tagging your web app. When you apply a privacy rule to a Feature, Pendo uses that Feature's existing tag rule as the selector; you don't write or edit the CSS selector directly. If the Feature's tag rule changes, the privacy rule updates with it.
Note: This option is available for web apps only. Some Feature selectors aren't supported for replay privacy rules, including :contains() statements and shadow DOM selectors. If a Feature uses an unsupported selector, the Replay Privacy Configuration section won't be available for that element.
To create a replay privacy rule from the Visual Design Studio:
- Open the Visual Design Studio by going to Product > Features, selecting Tag Features in the top-right corner, and choosing your preferred launch mode. For more information, see Feature tagging.
- Create a new Feature, or select an existing one from the list of tagged Features, then select Edit feature.
- Scroll to the Replay privacy configuration field and choose a privacy rule for the element:
- Unmask element. Session Replay captures interactions and reveals text as shown to the visitor.
- Mask element. Session Replay captures interactions but replaces text with asterisks (*).
- Block element. Session Replay replaces the element with a placeholder block and doesn't capture any interactions.
- Select Save or Save changes.
Important: If the Feature is tagged to apply only on a specific page, this rule will apply on every page where the element is found, not just the page you tagged it on. A warning appears under the Replay privacy configuration field before you save.
Create rules with CSS selectors
On the Replay Settings page, the Privacy configuration table is pre-populated with the CSS selectors for the password, telephone, and email input types, which you can't unmask, plus any other selectors that belong to the starting privacy option you selected.
Unlike rules created in the Visual Design Studio, CSS selector rules let you define a custom selector independent of any tagged Feature.
- Select + Create selector rule in the top-right of the table to open the Create rule dialog.
- For Selector, enter the relevant CSS selector. If you need help deciding what value to enter, Mozilla's CSS selectors reference is a good starting point.
- Choose the type of rule you'd like to apply:
- Unmask element. Session Replay captures interactions associated with the specified CSS selector and reveals text as it's shown to the visitor.
- Mask element. Session Replay captures interactions associated with the specified CSS selector and replaces text with asterisks (*).
- Block element. Session Replay doesn't capture any interactions associated with the specified CSS selector and replaces the matching elements with teal placeholder blocks.
- Select Save rule. After you save, the rule appears in the table and applies to all future replays.
- Repeat steps 1 through 4 for each additional selector rule.
Note: To reduce the risk of IP address exposure through image elements, you can block image capture using a CSS selector rule. Enter img for your CSS selector, and select Block element as the rule type.
Rule prioritization
Pendo uses a specific prioritization method to handle scenarios where multiple rules match elements in the DOM tree. In these cases, the order of precedence is as follows:
- Block. The block rule takes the highest precedence. If any rule specifies a block for a specific element, it overrides other conflicting rules, ensuring that the content remains blocked.
- Mask. The mask rule takes precedence after block. If multiple rules match the same element and one of them is a mask rule, it is applied, except when a higher-priority block rule exists.
- Unmask. The unmask rule has the lowest precedence. If both mask and unmask rules match an element, the mask rule takes precedence, ensuring that the element remains masked, except when a block rule is present.
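The following is an added example, not code from Pendo's SDK, that models how the rules described on this page combine for a single element: the base treatment from the starting configuration, the block > mask > unmask precedence among matching selector rules, the never-unmaskable `tel`/`email`/`password`/`number` inputs, the zero-fill for number inputs, and the fact that attributes such as `placeholder` are not masked. Elements are plain objects rather than DOM nodes, and the selector matcher understands only the simple compound selectors this page uses (tag, `#id`, `.class`, `[attr='value']`), so it runs in Node without a browser. The configuration names and the sample card-number field are assumptions for the example.

```javascript
// Added example (not Pendo SDK code): a small model of how the privacy
// treatment of one DOM element is resolved from the rules on this page.
//   1. The starting configuration gives every element a base treatment.
//   2. Selector rules override it; among matching rules block > mask > unmask.
//   3. Text in tel/email/password/number inputs is masked no matter what.
//   4. Masking rewrites text only; attributes such as placeholder survive.
// Elements are plain objects ({ tag, attrs, text }) and the matcher handles
// only simple compound selectors (tag, #id, .class, [attr='value']), so the
// file runs in Node without a DOM.

const PRECEDENCE = { block: 3, mask: 2, unmask: 1 };
const NEVER_UNMASKED_INPUT_TYPES = new Set(['tel', 'email', 'password', 'number']);
const INPUTS_ONLY_INPUT_TYPES = new Set([
  'color', 'date', 'datetime-local', 'email', 'month', 'number',
  'password', 'range', 'search', 'tel', 'text', 'time',
]);
const MINIMUM_INPUT_TYPES = new Set(['email', 'password', 'tel']);

function inputType(el) {
  return (el.attrs.type || 'text').toLowerCase();
}

// Base treatment implied by the starting privacy configuration alone.
function baseTreatment(el, config) {
  if (el.tag === 'audio' || el.tag === 'video') return 'block'; // blocked by default
  switch (config) {
    case 'maximum':
      return 'mask';
    case 'inputs-only':
      if (el.tag === 'input' && INPUTS_ONLY_INPUT_TYPES.has(inputType(el))) return 'mask';
      if (el.tag === 'select' || el.tag === 'textarea') return 'mask';
      if (el.attrs.contenteditable === 'true') return 'mask';
      return 'unmask';
    case 'minimum':
      return el.tag === 'input' && MINIMUM_INPUT_TYPES.has(inputType(el)) ? 'mask' : 'unmask';
    default:
      throw new Error(`Unknown starting configuration: ${config}`);
  }
}

// Parse a simple compound selector (no combinators or pseudo-classes).
function parseSelector(selector) {
  const m = /^([a-zA-Z][\w-]*)?((?:#[\w-]+|\.[\w-]+|\[[^\]]+\])*)$/.exec(selector.trim());
  if (!m) throw new Error(`Unsupported selector: ${selector}`);
  const parsed = { tag: m[1] ? m[1].toLowerCase() : null, id: null, classes: [], attrs: [] };
  const tokenRe = /#([\w-]+)|\.([\w-]+)|\[([\w-]+)(?:=(?:'([^']*)'|"([^"]*)"|([^\]]*)))?\]/g;
  for (let t; (t = tokenRe.exec(m[2])) !== null;) {
    if (t[1]) parsed.id = t[1];
    else if (t[2]) parsed.classes.push(t[2]);
    else parsed.attrs.push({ name: t[3].toLowerCase(), value: t[4] ?? t[5] ?? t[6] ?? null });
  }
  return parsed;
}

function matches(el, parsed) {
  if (parsed.tag && parsed.tag !== el.tag) return false;
  if (parsed.id && el.attrs.id !== parsed.id) return false;
  const classes = (el.attrs.class || '').split(/\s+/);
  if (!parsed.classes.every((c) => classes.includes(c))) return false;
  return parsed.attrs.every(({ name, value }) =>
    name in el.attrs && (value === null || el.attrs[name] === value));
}

// Effective treatment for one element: 'block', 'mask' or 'unmask'.
function resolvePrivacy(el, config, rules) {
  let decision = baseTreatment(el, config);
  let strongest = 0;
  for (const rule of rules) {
    if (!matches(el, parseSelector(rule.selector))) continue;
    if (PRECEDENCE[rule.action] > strongest) {
      strongest = PRECEDENCE[rule.action];
      decision = rule.action;
    }
  }
  // Text in these input types can't be unmasked, even by an explicit rule.
  if (decision === 'unmask' && el.tag === 'input' && NEVER_UNMASKED_INPUT_TYPES.has(inputType(el))) {
    decision = 'mask';
  }
  return decision;
}

// What the replay records under a decision. Masking rewrites text content only
// (zeros for number inputs, asterisks otherwise); placeholder/alt/title stay.
function capture(el, decision) {
  if (decision === 'block') return { placeholder: true };
  if (decision === 'unmask') return { text: el.text, attrs: { ...el.attrs } };
  const fill = el.tag === 'input' && inputType(el) === 'number' ? '0' : '*';
  return { text: fill.repeat(el.text.length), attrs: { ...el.attrs } };
}

// Constructed sample: a card-number field whose placeholder leaks despite masking.
const cardField = { tag: 'input', attrs: { type: 'number', placeholder: 'Card number' }, text: '4111' };
console.log(capture(cardField, resolvePrivacy(cardField, 'minimum', [])));
```

The last line is the practical point of the model: even under a configuration that masks the field's value, the `placeholder` text still reaches the replay, so a placeholder that itself carries sensitive content needs its own mask or block rule. The same machinery shows why an `unmask` rule on `input[type='email']` has no effect while a `block` rule on `img` wins over anything else matching the same element.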
Image capture (mobile apps only)
After you select a starting privacy option, use the Block images toggle in the Privacy configuration section to decide whether images are included in Session Replay for your mobile app.
When on, images are blocked and appear as gray boxes in replays, and interactions within blocked areas aren’t captured.
When off, images are allowed and appear normally in replays.
Segmentation
Before you activate Session Replay for a large audience, we recommend capturing a smaller set of visitors or accounts so that you can monitor performance and ensure your privacy rules align with company policies.
When it comes to segmentation, you have two options for specifying an audience in the Replay capture settings section on the Replay Settings page:
- Create a custom segment. Recommended if you don't want this segment to appear in the segment list or to be editable by non-admin users in your company.
- Select an existing segment. Not recommended if you want to keep the Session Replay audience out of the segment list that appears throughout Pendo, because an existing segment is visible and editable there.
The default segment is set to all visitors. When you’re ready to update your segment, select Everyone, then select an option from the dropdown menu. If you don’t want your Session Replay segment to appear in the segments list throughout Pendo, create a custom segment by hovering over Custom Segment and selecting the Edit icon. Any audience updates can take up to 10 minutes to fully process.
After you apply the appropriate segment and confirm that your privacy configuration meets your needs, you’re ready to activate Session Replay. For step-by-step guidance, see Activate Session Replay.
Note: To watch replays, users must have the Replay User permission assigned to their role. This permission is required for non-admins to access the replay library. Admins can assign this permission in Settings > Users and teams.
If you have questions about the accuracy of audience capture, see our articles on Missing replays and Unexpected replays.
Existing privacy settings
There are several existing privacy configurations and settings in Pendo that can impact the capture or visibility of replays.
Content Security Policy (CSP) configuration
If your app uses CSP, it's essential to update your configuration with the two directives below so that you can capture all visitor activity and prevent app degradation due to CSP and Session Replay conflicts.
| Directive | Host | Description |
| --- | --- | --- |
| `connect-src` | If you don't have a CNAME configured, use the Pendo data host. If you do have a CNAME configured, use the "data" hostname of your CNAME. | Allows event communication, including sending captured replay data. |
| `worker-src` | `blob:` | Allows the Pendo Web SDK to start a worker thread that compresses and sends replay data, which minimizes performance impact on your application. |
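As an added example (not Pendo's code), the following checks whether a CSP header actually permits the two things described above: a connection to the data host and a worker started from a `blob:` URL. The useful part is the CSP fallback chain, which is easy to miss when auditing a policy: if `connect-src` is absent the connection is governed by `default-src`, and if `worker-src` is absent the worker is governed by `child-src`, then `script-src`, then `default-src`, so a policy with no `worker-src` at all can still block the worker. The data host `data.replay.example.com` and the before/after policies are constructed placeholders; source matching is simplified to hosts and `*.` wildcards.

```javascript
// Added example (not Pendo's code): check whether a Content Security Policy
// header lets the Session Replay SDK reach its data host (connect-src) and
// start its compression worker from a blob: URL (worker-src). The data host
// below is a hypothetical CNAME; substitute your own. Source matching is
// simplified (host and *.wildcard only; no ports or paths).

// CSP3 fallback chains: a missing directive is governed by the next one listed.
const FALLBACK = {
  'connect-src': ['connect-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return the directive that actually governs a fetch type, or null if none does.
function effectiveSources(policy, directive) {
  for (const name of FALLBACK[directive]) {
    if (policy.has(name)) return { governedBy: name, sources: policy.get(name) };
  }
  return { governedBy: null, sources: null }; // no directive applies: unrestricted
}

function sourceAllowsHost(source, host) {
  if (source === '*') return true;
  const bare = source.toLowerCase().replace(/^https?:\/\//, '').replace(/\/.*$/, '');
  if (bare.startsWith('*.')) return host.toLowerCase().endsWith(bare.slice(1));
  return bare === host.toLowerCase();
}

// List the problems a policy has for Session Replay; an empty array means OK.
function checkReplayCsp(header, dataHost) {
  const policy = parseCsp(header);
  const problems = [];
  const connect = effectiveSources(policy, 'connect-src');
  if (connect.sources && !connect.sources.some((s) => sourceAllowsHost(s, dataHost))) {
    problems.push(`connect-src (governed by ${connect.governedBy}) does not allow ${dataHost}`);
  }
  const worker = effectiveSources(policy, 'worker-src');
  if (worker.sources && !worker.sources.includes('blob:')) {
    problems.push(`worker-src (governed by ${worker.governedBy}) does not allow blob:`);
  }
  return problems;
}

// Constructed before/after policies for a hypothetical CNAME data host.
const DATA_HOST = 'data.replay.example.com';
const BEFORE = "default-src 'self'; script-src 'self' https://cdn.example.com";
const AFTER = `${BEFORE}; connect-src 'self' https://${DATA_HOST}; worker-src blob:`;
console.log(checkReplayCsp(BEFORE, DATA_HOST)); // connect blocked via default-src, worker via script-src
console.log(checkReplayCsp(AFTER, DATA_HOST));  // no problems
```

Run it against the header your app actually serves (for example, copied from the response headers in the browser's developer tools) rather than against the policy you believe is deployed; reverse proxies and CDNs frequently add or rewrite CSP headers.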
Exclude list entries
Session Replay respects existing exclude list entries defined for your subscription. Note that the exclude list is a visibility filter, not a capture control: if a visitor or account is in the subscription-level exclude list, replay data is still captured for them but doesn't appear in your Pendo application, unless you use a segment that includes excluded accounts and visitors. To stop capture entirely for a visitor or account, use the Do Not Process setting described below.
Do Not Process setting
Session Replay respects the Do Not Process (GDPR) setting that’s set for specific visitors and accounts in the Details section of a visitor or account's details page. This setting prevents Pendo from collecting events for or displaying guides to a visitor or account. If this is turned on, Pendo doesn’t capture replays for that visitor or account.
For more information, see Opt out of tracking with DNP.
Limit capture to specific domains
Modify the Session Replay segment to include a rule for Most recent server name. Session Replay only captures events from domains matching that rule.
If the segment is set up incorrectly or unintentionally modified, Session Replay may capture events from unwanted domains. To avoid this, turn off Session Replay using the install script instead, though this requires developer time.
Prevent capture on specific pages or environments
You can turn off Session Replay on specific pages or environments by modifying the Pendo install script using the options documented in our web SDK docs.
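The page leaves the install-script options to the web SDK docs, so the added example below (not Pendo's code) shows only the decision that belongs in front of them: whether the current page should be captured at all, decided in the browser rather than in a segment rule that could be edited later. The host names, wildcard and path prefixes are made up. The point worth copying is the matching: exact host names and an explicit `*.` wildcard, never substring matching, so a look-alike such as `app.example.com.attacker.net` is not treated as your domain, and path prefixes are matched on segment boundaries so `/billing` does not also exclude `/billings`.

```javascript
// Added example (not from Pendo's SDK or install snippet): decide, in the
// browser, whether the current page should be captured before the install
// script enables Session Replay. Host names and paths are hypothetical; how the
// result is handed to the install script is covered by the Pendo web SDK docs.

const REPLAY_POLICY = {
  // Exact host names plus an explicit wildcard; substring matching is avoided
  // so that "app.example.com.attacker.net" never qualifies.
  allowedHosts: ['app.example.com', '*.eu.example.com'],
  // Path prefixes that are never captured, whatever the host.
  blockedPathPrefixes: ['/billing', '/admin'],
};

function hostAllowed(hostname, patterns) {
  const host = hostname.toLowerCase();
  return patterns.some((p) => {
    const pattern = p.toLowerCase();
    if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)); // ".eu.example.com"
    return host === pattern;
  });
}

// A prefix matches only on a path-segment boundary: /billing and /billing/x, not /billings.
function pathBlocked(pathname, prefixes) {
  return prefixes.some((prefix) => {
    const base = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
    return pathname === base || pathname.startsWith(base + '/');
  });
}

// location is any object with { hostname, pathname }, e.g. window.location.
function shouldCaptureReplay(location, policy = REPLAY_POLICY) {
  if (!hostAllowed(location.hostname, policy.allowedHosts)) return false;
  if (pathBlocked(location.pathname, policy.blockedPathPrefixes)) return false;
  return true;
}

// Constructed sample locations.
console.log(shouldCaptureReplay({ hostname: 'app.example.com', pathname: '/dashboard' }));
console.log(shouldCaptureReplay({ hostname: 'app.example.com', pathname: '/billing/invoices' }));
console.log(shouldCaptureReplay({ hostname: 'app.example.com.attacker.net', pathname: '/' }));
```

Keeping this decision in the install script, as the section above suggests, means a staging host or a billing page is never captured in the first place, rather than being filtered out by a segment that someone could later widen.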