Session Replay is a Pendo product that allows you to visualize a visitor’s journey in your application so that you can better understand their experience with your product.
This article reviews the privacy settings available for Session Replay.
Note: Pendo Replay is currently available to select customers through a closed beta program.
If you’re an Admin user, you can configure your Session Replay privacy settings for each of your apps on the Replay Settings page. To access this page, navigate to Settings > Subscription Settings > Applications > Replay Settings.
We strongly encourage a proactive approach to safeguarding potentially sensitive data, such as Personally Identifiable Information (PII) or financial information. To help you meet the privacy needs of your app and comply with your company's policies, we offer several options to configure the privacy of your replays effectively:
- Starting privacy configuration. Choose from three starting privacy configurations that provide different levels of text-masking for your app. This helps ensure that PII and sensitive content are appropriately handled based on the individual needs of your app and users.
- Granular privacy rules. Utilize CSS selector rules to fine-tune the privacy settings of your replays after you choose your starting privacy configuration. You can define specific elements to mask, unmask, or block so that you can have precise control over the information captured and displayed in replays.
- Audience capture. Define the audience for your replays with the Pendo segment builder. This ensures that only specific groups or subsets of visitors have their interactions captured in replays.
The following sections in this article detail each privacy option and how you can leverage them to ensure the utmost privacy while obtaining valuable insights from replays.
In the example image below, you can see a replay where the revealed text represents unmasked elements, the asterisks represent masked elements, and the teal placeholder elements represent blocked elements.
Complementing these privacy settings, Pendo's stringent security and privacy standards also cover Session Replay. You can find detailed information about our security practices, compliance, and privacy terms in our Trust Center.
Important: All replays are automatically deleted after 14 days. However, if you find that Session Replay has captured sensitive data that needs to be deleted, please let the Session Replay team know.
Starting privacy configuration
Before you can enable Session Replay, you have to select a starting privacy configuration: Maximum Privacy, Inputs Only, or Minimum Privacy. You can only choose this starting privacy option once. Once selected, you can create CSS selector rules to further configure the privacy of your replays.
To learn about each starting privacy configuration, you can select View example on the Replay Settings page or continue reading below.
Once you decide on the privacy configuration that makes the most sense for your app, choose Select. This Privacy Configuration section populates a table with the corresponding selector rules and allows you to create new CSS selector rules as needed.
Note: No matter which privacy option you start with, you can’t unmask text entered into inputs that have password used for the type attribute.
The Maximum Privacy configuration attempts to replace all on-screen text with asterisks (*). This means that we make every effort to mask all PII, input fields, and user-entered text with this privacy configuration.
Here’s an example of what Maximum Privacy could look like without creating any selector rules:
Maximum Privacy is the most privacy-conscious option we provide and is recommended if your app displays sensitive content.
The Inputs Only configuration attempts to replace text contained in inputs with asterisks (*). This means we make every effort to ensure that all text in most inputs is masked, while all other text is revealed. You can mask and unmask additional text using selector rules.
The table below details all input types that are masked with Inputs Only and which fields you can unmask using selector rules.
| Input type | Mapped element | Can unmask? |
Here’s an example of what Inputs Only could look like without creating any selector rules:
Inputs Only is recommended for apps that keep all sensitive content contained in inputs or if you plan to create selector rules to mask all sensitive information that isn’t contained in an input.
The Minimum Privacy configuration only replaces text entered into email, telephone, and password inputs with asterisks (*). This means that all other text contained in and out of inputs is revealed. You can mask additional text using selector rules.
The table below details all input types that are masked with Minimum Privacy and which fields you can unmask using selector rules.
| Input type | Mapped element | Can unmask? |
Here’s an example of what Minimum Privacy could look like without creating any selector rules:
Minimum Privacy is recommended for apps that have little sensitive content or if you plan to create selector rules to mask all sensitive information.
Once you select a starting privacy option, you can create selector rules using CSS selectors to meet your needs. With selector rules, you can mask, unmask, or block elements from being captured at all—including interactions within the blocked areas—using the Privacy Configuration section on the Replay Settings page.
The table pre-populates the CSS selectors for password, telephone, and email input types, which you can’t unmask, and any other selectors based on the starting privacy option you selected.
- To get started, select Create Selector Rule above the table to open the Create Rule dialog.
- For Selector, enter the relevant CSS selector. If you need assistance understanding what value to enter here, Mozilla’s CSS selectors page is a useful resource.
- Choose what type of rule you’d like to apply:
- Unmask Element. Session Replay captures interactions associated with the specified CSS selector and reveals text as it’s shown to the visitor.
- Mask Element. Session Replay captures interactions associated with the specified CSS selector and replaces text with asterisks (*).
- Block Element. Session Replay doesn’t capture any interactions associated with the specified CSS selector and replaces elements with teal placeholder blocks.
- Select Save Rule. Once saved, the rule populates in the table and applies to all future replays.
- Repeat steps 1–4 for each new selector rule.
All new selector rules and rule updates take approximately 10 minutes to fully process. If a visitor is using the application at the time a new rule or rule update is processed, the rules might not go into effect until the visitor refreshes their current page or navigates to a new page.
Important: An attacker could potentially modify your app’s Document Object Model (DOM) to load an image with an external URL that’s used to extract a visitor’s IP address. This could pose a security vulnerability.
To prevent this from happening, you can block Session Replay from capturing images by following the steps above, entering img for your CSS selector, and selecting Block Element as the rule type.
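The following is an added example, not Pendo's code and not a description of how Session Replay is implemented. It models the three rule types described in the steps above (mask, unmask, block) as a small rule engine over an in-memory DOM snapshot, so that a planned rule set, including the img block rule recommended above, can be sanity-checked offline before it is applied to live replays. Everything about the element model, the supported selector subset and the precedence (block wins, then the pinned password rule, then the last matching mask or unmask rule, otherwise the starting configuration's default inherited from the parent element) is an assumption made for illustration; the sample page and rules are constructed.

```javascript
// Added example for illustration; this is not Pendo's code and does not show
// how Session Replay is implemented. ASSUMPTIONS: the element model, the
// selector subset, and the precedence (block wins, then the pinned password
// rule, then the last matching mask/unmask rule, otherwise the starting
// configuration's default, inherited from the parent element).

// Minimal element: tag, attributes, own text (an input's entered value), children.
function el(tag, attrs = {}, text = "", children = []) {
  return { tag, attrs, text, children };
}

// Match a compound selector without combinators: tag, #id, .class, [attr=value].
// Real rules accept any CSS selector; this subset keeps the example self-contained.
function matches(node, selector) {
  const m = selector.trim().match(/^([a-z][a-z0-9-]*)?((?:[.#][\w-]+|\[[\w-]+=[^\]]+\])*)$/i);
  if (!m) throw new Error(`unsupported selector in this example: ${selector}`);
  const [, tag, rest] = m;
  if (tag && node.tag !== tag.toLowerCase()) return false;
  const parts = rest.match(/[.#][\w-]+|\[[\w-]+=[^\]]+\]/g) || [];
  return parts.every((p) => {
    if (p[0] === "#") return node.attrs.id === p.slice(1);
    if (p[0] === ".") return (node.attrs.class || "").split(/\s+/).includes(p.slice(1));
    const [, name, value] = p.match(/^\[([\w-]+)=([^\]]+)\]$/);
    return (node.attrs[name] || "") === value.replace(/^["']|["']$/g, "");
  });
}

// The page states that text typed into type="password" inputs can never be
// unmasked, whatever the starting configuration, so that rule is pinned here.
const PINNED_MASK = ["input[type=password]"];

// Two of the three starting configurations, as described on the page (the
// "Inputs Only" input-type table is not reproduced here).
const STARTING_CONFIG = {
  maximum: { defaultAction: "mask", rules: [] },
  minimum: {
    defaultAction: "unmask",
    rules: [
      { selector: "input[type=email]", action: "mask" },
      { selector: "input[type=tel]", action: "mask" },
    ],
  },
};

// Decide what happens to one element. `inherited` is the action decided for
// its parent (or the configuration default at the root).
function decide(node, rules, inherited) {
  if (rules.some((r) => r.action === "block" && matches(node, r.selector))) return "block";
  if (PINNED_MASK.some((s) => matches(node, s))) return "mask";
  let action = inherited;
  for (const r of rules) {
    if (r.action !== "block" && matches(node, r.selector)) action = r.action; // last rule wins (assumption)
  }
  return action;
}

// Build the snapshot a replay viewer would see: blocked elements become an
// empty placeholder with no children (so no interactions inside them), masked
// text becomes asterisks of the same length, unmasked text is kept verbatim.
function applyRules(node, rules, inherited) {
  const action = decide(node, rules, inherited);
  if (action === "block") return { tag: node.tag, action, text: "[teal placeholder]", children: [] };
  const text = action === "mask" ? "*".repeat(node.text.length) : node.text;
  return { tag: node.tag, action, text, children: node.children.map((c) => applyRules(c, rules, action)) };
}

// Apply a starting configuration plus the custom selector rules added on top of it.
function capture(snapshot, configName, customRules = []) {
  const cfg = STARTING_CONFIG[configName];
  if (!cfg) throw new Error(`unknown starting configuration: ${configName}`);
  return applyRules(snapshot, [...cfg.rules, ...customRules], cfg.defaultAction);
}

// Depth-first list of [tag, action, text] for easy inspection and assertions.
function flatten(result, out = []) {
  out.push([result.tag, result.action, result.text]);
  result.children.forEach((c) => flatten(c, out));
  return out;
}

// Constructed sample page (not real data).
const SAMPLE_PAGE = el("div", { id: "app" }, "", [
  el("h1", {}, "Account settings"),
  el("input", { type: "email" }, "jane@example.com"),
  el("input", { type: "password" }, "hunter2"),
  el("div", { class: "ssn" }, "123-45-6789"),
  el("img", { src: "https://cdn.example.invalid/avatar.png" }),
]);

// Constructed custom rules, as a team might add them on the Replay Settings page:
// reveal the heading, try (and fail) to reveal the password field, and block all
// images so no image is loaded from a URL injected into the DOM.
const CUSTOM_RULES = [
  { selector: "h1", action: "unmask" },
  { selector: "input[type=password]", action: "unmask" },
  { selector: "img", action: "block" },
];

console.log(flatten(capture(SAMPLE_PAGE, "maximum", CUSTOM_RULES)));
```

Running the block prints the flattened snapshot for Maximum Privacy plus the custom rules: the heading is revealed, the password input stays masked despite the unmask rule, the SSN div inherits masking from the container, and the img becomes a placeholder. Switching to `"minimum"` with no custom rules reveals the SSN text, which is the kind of result a review of the rule set should catch before enabling replays for a wide audience.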
Before you enable Session Replay for a large audience, we recommend enabling it for a smaller set of users or accounts so that you can monitor performance and ensure your privacy rules align with company policies.
When it comes to segmentation, you have two options in the Audience Capture section on the Replay Settings page:
- Create a custom segment. This is recommended if you don’t want this segment to appear in the list of segments and be editable by non-Admin users in your company.
- Select an existing segment. This isn’t recommended if you don’t want the segment to show up in the general segments list throughout Pendo.
The default segment is set to all visitors. When you’re ready to update your segment, select Everyone, then select an option from the dropdown menu. If you don’t want your Session Replay segment to show up in the segments list throughout Pendo, create a custom segment by hovering over Custom Segment and selecting the Edit icon.
Once you have the appropriate segment applied and confirm your privacy configuration meets your needs, you’re ready to enable Session Replay. For step-by-step guidance and to learn what happens once you enable Session Replay, see Session Replay.
Existing privacy settings
There are several existing privacy configurations and settings in Pendo that are related to Session Replay.
Content Security Policy (CSP) configuration
If your app uses CSP, it's essential to update your configuration with the two directives below so that you can capture all visitor activity and prevent app degradation due to CSP and Session Replay conflicts.
If you don't have CNAME configured, use
If you do have CNAME configured, use the "data" part of your CNAME, such as
This entry allows for event communication.
This entry allows the Pendo agent to start a worker thread to compress and send replay capturing data, which minimizes performance impact on your application.
Session Replay respects existing Exclude List entries defined in your subscription settings. If a visitor or account is in the subscription-level exclusion list, replay data is captured for those visitors or accounts but doesn’t appear in your Pendo application.
Do Not Process setting
Session Replay respects the Do Not Process (GDPR) setting that’s set for specific visitors and accounts in the Details section of the Visitor Details and Account Details pages. This setting prevents Pendo from collecting events for or displaying guides to a visitor or account. If this is enabled, Pendo doesn’t capture replays for that visitor or account.