We strongly encourage a proactive approach to safeguarding potentially sensitive data, such as personally identifiable information (PII) or financial information, when configuring Session Replay.
To help you meet the privacy needs of your app and comply with your company's policies, we offer several options to configure the privacy of your replays:
- Starting privacy configuration. Choose from three starting privacy configurations that provide different levels of text-masking for your app. This helps ensure that PII and sensitive content are appropriately handled based on the individual needs of your app and users.
- Granular privacy rules. Use CSS selector rules to fine-tune the privacy settings of your replays after you choose your starting privacy configuration. You can define specific elements to mask, unmask, or block so that you can have precise control over the information captured and displayed in replays.
- Audience capture. Define the audience for your replays with the Pendo segment builder. This ensures that only specific groups or subsets of visitors have their interactions captured in replays.
The following sections in this article detail each privacy option and how you can leverage them to ensure the utmost privacy while obtaining valuable insights from replays.
In the following example image, you can see a replay where the revealed text represents unmasked elements, the asterisks represent masked elements, and the teal placeholder elements represent blocked elements.
Complementing these privacy settings, Pendo's stringent security and privacy standards also cover Session Replay. You can find detailed information about our security practices, compliance, and privacy terms in our Trust Center.
Important: If you find that Session Replay has captured sensitive data that needs to be deleted prior to expiring, contact Pendo Support. All replays expire and are automatically deleted after 30 days. However, if you save a replay as a clip, it's available for one year.
Replay Settings page
Pendo admins set up each Session Replay privacy setting on the Replay Settings page for individual applications. To access this page:
- Navigate to Settings > Subscription Settings.
- Select the Applications tab, then open an app from the list.
- Select the Replay Settings tab.
Starting privacy configuration
Before you can enable Session Replay, you have to select a starting privacy configuration: Maximum Privacy, Inputs Only, or Minimum Privacy. You can only choose this starting privacy option once. After that's selected, you can create CSS selector rules to further configure the privacy of your replays.
To learn about each starting privacy configuration, you can select View example on the Replay Settings page or continue reading below.
Pendo's data filtering is conducted locally on the client side. When Session Replay captures visitor interactions, it immediately applies the chosen privacy settings to mask or block the relevant data in line with your selected privacy configuration. This way, the data sent to Pendo servers is already obfuscated, ensuring that sensitive information remains protected. The filtered data is then displayed in your replays in the Pendo UI.
After you decide on the privacy configuration that makes the most sense for your app, choose Select. This Privacy Configuration section populates a table with the corresponding selector rules and allows you to create new CSS selector rules as needed.
Note: No matter which starting privacy option you choose, you can't unmask text entered into inputs whose type attribute is tel, email, or password. Additionally, all audio and video elements are blocked by default. If you want to unblock these elements, you must explicitly unmask them using selector rules.
Maximum Privacy
The Maximum Privacy configuration attempts to replace all on-screen text with asterisks (*). This means that we make every effort to mask all PII, input fields, and user-entered text with this privacy configuration.
Here’s an example of what Maximum Privacy could look like without creating any selector rules:
Maximum Privacy is the most privacy-conscious option we provide and is recommended if your app displays sensitive content.
Inputs Only
The Inputs Only configuration attempts to replace text contained in inputs with asterisks (*). This means we make every effort to ensure that all text in most inputs is masked, while all other text is revealed. You can mask and unmask additional text using selector rules.
The table below details all elements that are masked with Inputs Only and which fields you can unmask using selector rules.
Element type | Mapped selector | Can unmask? |
Color input | input[type='color'] | Yes |
Date input | input[type='date'] | Yes |
Date and time input | input[type='datetime-local'] | Yes |
Editable content region | [contenteditable=true] | Yes |
Email input | input[type='email'] | No |
Month input | input[type='month'] | Yes |
Number input | input[type='number'] | Yes |
Password input | input[type='password'] | No |
Range input | input[type='range'] | Yes |
Search input | input[type='search'] | Yes |
Dropdown select | select | Yes |
Telephone number input | input[type='tel'] | No |
Single-line text input | input[type='text'] | Yes |
Multi-line text input | textarea | Yes |
Time input | input[type='time'] | Yes |
Here’s an example of what Inputs Only could look like without creating any selector rules:
Inputs Only is recommended for apps that keep all sensitive content contained in inputs or if you plan to create selector rules to mask all sensitive information that isn’t contained in an input.
Minimum Privacy
The Minimum Privacy configuration only replaces text entered into email, telephone, and password inputs with asterisks (*). This means that all other text contained in and out of inputs is revealed. You can mask additional text using selector rules.
The table below details all input types that are masked with Minimum Privacy and which fields you can unmask using selector rules.
Input type | Mapped element | Can unmask? |
email | <input type="email" /> | No |
password | <input type="password" /> | No |
tel | <input type="tel" /> | No |
Here’s an example of what Minimum Privacy could look like without creating any selector rules:
Minimum Privacy is recommended for apps that have little sensitive content or if you plan to create selector rules to mask all sensitive information.
Selector rules
After you select a starting privacy option, you can create selector rules using CSS selectors to meet your needs. With selector rules, you can mask, unmask, or block elements from being captured at all—including interactions within the blocked areas—using the Privacy Configuration section on the Replay Settings page.
The table is pre-populated with the CSS selectors for the password, telephone, and email input types, which you can't unmask, plus any other selectors that belong to the starting privacy option you selected.
1. Select Create Selector Rule above the table to open the Create Rule dialog.
2. For Selector, enter the CSS selector for the element. If you need help choosing a value, Mozilla's CSS selectors page is a useful resource.
3. Choose the type of rule you'd like to apply:
   - Unmask Element. Session Replay captures interactions with elements matching the CSS selector and reveals text as it's shown to the visitor.
   - Mask Element. Session Replay captures interactions with elements matching the CSS selector and replaces their text with asterisks (*).
   - Block Element. Session Replay doesn't capture any interactions with elements matching the CSS selector and replaces them with teal placeholder blocks.
4. Select Save Rule. The rule appears in the table and applies to all future replays.
5. Repeat steps 1 to 4 for each new selector rule.
All new selector rules and rule updates take approximately 10 minutes to fully process. If a visitor is using the application at the time a new rule or rule update is processed, the rules might not go into effect until the visitor refreshes their current page or navigates to a new page.
Important: An attacker who can modify your app's Document Object Model (DOM) could insert an image whose URL points at a server they control. Any browser that renders that image requests it from the attacker's server, which reveals the requesting browser's IP address. This could pose a security vulnerability.
To prevent this, you can block Session Replay from capturing images: follow the steps above, enter img as the CSS selector, and select Block Element as the rule type. Be aware that this replaces every image in your replays with a teal placeholder, not only externally hosted ones.
Rule prioritization
Pendo uses a specific prioritization method to handle scenarios where multiple rules match elements in the DOM tree. In these cases, the order of precedence is as follows:
- Block. The block rule takes the highest precedence. If any rule specifies a block for a specific element, it overrides other conflicting rules, ensuring that the content remains blocked.
- Mask. The mask rule takes precedence after block. If multiple rules match the same element and one of them is a mask rule, it is applied, except when a higher-priority block rule exists.
- Unmask. The unmask rule has the lowest precedence. If both mask and unmask rules match an element, the mask rule takes precedence, ensuring that the element remains masked, except when a block rule is present.
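To make the rule behaviour described in the Selector rules and Rule prioritization sections concrete, here is an added model (not Pendo's agent code) of how a starting privacy configuration, selector rules, and the block > mask > unmask precedence combine for each element, including the non-unmaskable input types and the default block on audio and video. The element representation, the toy selector matcher (tags, `[attr=value]` and `*` only), the sample page and the sample rules are all constructed for the example; treating the starting configuration as a baseline rather than as table rules, and applying a rule only to the matched element rather than its descendants, are assumptions about the agent.

```javascript
// Added example (not Pendo's agent code): how a starting privacy configuration,
// selector rules and the block > mask > unmask precedence combine per element.
// Element model and selector matcher are a toy stand-in (assumption) so this
// runs offline under Node; rules apply to the matched element only (assumption).

const PRECEDENCE = { block: 3, mask: 2, unmask: 1 };

// From the article: these inputs can never be unmasked, and audio/video are
// blocked unless an unmask rule names them.
const NEVER_UNMASK = ["input[type='email']", "input[type='password']", "input[type='tel']"];
const BLOCKED_BY_DEFAULT = ['audio', 'video'];

const INPUTS_ONLY_MASKED = [
  "input[type='color']", "input[type='date']", "input[type='datetime-local']",
  '[contenteditable=true]', "input[type='email']", "input[type='month']",
  "input[type='number']", "input[type='password']", "input[type='range']",
  "input[type='search']", 'select', "input[type='tel']", "input[type='text']",
  'textarea', "input[type='time']",
];

// Baseline mask set for each starting configuration ('*' = every element).
const STARTING_CONFIGS = {
  'Maximum Privacy': ['*'],
  'Inputs Only': INPUTS_ONLY_MASKED,
  'Minimum Privacy': NEVER_UNMASK,
};

// Toy selector matcher: "tag", "[attr=value]", "tag[attr='value']" and "*" only.
function matches(node, selector) {
  if (selector === '*') return true;
  const m = /^([a-z]*)(?:\[([a-z-]+)(?:=['"]?([^'"\]]+)['"]?)?\])?$/i.exec(selector.trim());
  if (!m) throw new Error(`unsupported selector in toy matcher: ${selector}`);
  const [, tag, attr, value] = m;
  if (tag && tag.toLowerCase() !== node.tag.toLowerCase()) return false;
  if (attr && !(attr in node.attrs)) return false;
  if (attr && value !== undefined && String(node.attrs[attr]) !== value) return false;
  return true;
}

// Effective action for one element.
function resolve(node, config, rules) {
  const hits = rules.filter((r) => matches(node, r.selector)).map((r) => r.type);
  let action;
  if (hits.length) {
    // Explicit rules override the baseline; among conflicting rules block > mask > unmask.
    action = hits.reduce((a, b) => (PRECEDENCE[b] > PRECEDENCE[a] ? b : a));
  } else if (BLOCKED_BY_DEFAULT.some((s) => matches(node, s))) {
    action = 'block';
  } else {
    action = STARTING_CONFIGS[config].some((s) => matches(node, s)) ? 'mask' : 'unmask';
  }
  // Floor: tel/email/password input text stays masked whatever an unmask rule says.
  if (action === 'unmask' && NEVER_UNMASK.some((s) => matches(node, s))) action = 'mask';
  return action;
}

// Walk the tree and report what the replay would show for each element.
// A blocked element's subtree is skipped: nothing inside it is captured.
function capture(node, config, rules, out = []) {
  const action = resolve(node, config, rules);
  const shown = action === 'mask' ? '*'.repeat(node.text.length)
    : action === 'unmask' ? node.text : '[blocked]';
  out.push({ tag: node.tag, action, shown });
  if (action !== 'block') node.children.forEach((c) => capture(c, config, rules, out));
  return out;
}

const el = (tag, attrs = {}, text = '', children = []) => ({ tag, attrs, text, children });

// Constructed sample DOM; the "text" of an input stands in for its value.
const SAMPLE_PAGE = el('div', {}, '', [
  el('h1', {}, 'Account settings'),
  el('input', { type: 'email' }, 'jane@example.com'),
  el('input', { type: 'text', name: 'account-id' }, 'ACCT-1234'),
  el('video', { src: '/intro.mp4' }),
  el('img', { src: 'https://attacker.example/pixel.gif' }),
]);

// Constructed rules, one for each interaction the article describes.
const SAMPLE_RULES = [
  { selector: "input[type='email']", type: 'unmask' }, // ignored: email inputs stay masked
  { selector: 'video', type: 'unmask' },                // lifts the default block on video
  { selector: 'img', type: 'block' },                   // the image mitigation from the article
  { selector: "input[type='text']", type: 'unmask' },   // conflicts with the next rule...
  { selector: "input[type='text']", type: 'mask' },     // ...and mask wins by precedence
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const config of Object.keys(STARTING_CONFIGS)) {
    console.log(config, capture(SAMPLE_PAGE, config, SAMPLE_RULES));
  }
}
```

Running it shows the three outcomes worth remembering: the unmask rule on the email input has no effect, the conflicting mask and unmask rules on the text input resolve to mask under every starting configuration, and the video is captured only because a rule explicitly unmasks it.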
Segmentation
Before you enable Session Replay for a large audience, we recommend enabling it for a smaller set of users or accounts so that you can monitor performance and ensure your privacy rules align with company policies.
When it comes to segmentation, you have two options for specifying an audience in the Replay capture settings section on the Replay Settings page:
- Create a custom segment. Recommended if you don't want the segment to appear in the general segment list or be editable by non-admin users in your company.
- Select an existing segment. Not recommended if you don't want the segment to appear in the general segment list throughout Pendo.
The default segment is set to all visitors. When you’re ready to update your segment, select Everyone, then select an option from the dropdown menu. If you don’t want your Session Replay segment to show up in the segments list throughout Pendo, create a custom segment by hovering over Custom Segment and selecting the Edit icon. Any audience updates can take up to 10 minutes to fully process.
After you have the appropriate segment applied and confirm your privacy configuration meets your needs, you’re ready to enable Session Replay. For step-by-step guidance on enabling, see Enable Session Replay.
If you have questions about the accuracy of audience capture, see our articles on Missing replays and Unexpected replays.
Existing privacy settings
There are several existing privacy configurations and settings in Pendo that can impact the capture or visibility of replays.
Content Security Policy (CSP) configuration
If your app uses CSP, you must add the two directives below to your policy so that Session Replay can capture all visitor activity and so that conflicts between CSP and Session Replay don't degrade your app.
Directive | Host | Description |
connect-src | If you don't have CNAME configured, use . If you do have CNAME configured, use the "data" part of your CNAME, such as . | This entry allows for event communication. |
worker-src | blob: | This entry allows the Pendo agent to start a worker thread to compress and send replay capture data, which minimizes the performance impact on your application. |
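The table lists what to add but not how to merge it into a policy you already serve. The following added example (not Pendo's code) parses an existing Content-Security-Policy value, appends the data host to connect-src and blob: to worker-src, and guards against the common mistake with worker-src: because a browser that sees no worker-src falls back to child-src, then script-src, then default-src, adding a bare `worker-src blob:` would silently revoke the sources workers were inheriting, so the code starts from the effective fallback list instead. The sample policy and the host `https://data.example.com` are constructed placeholders; substitute the host the table above refers to for your subscription or CNAME.

```javascript
// Added example (not Pendo's code): merge the connect-src and worker-src entries
// into an existing Content-Security-Policy value without dropping existing sources.
// The Pendo data host passed in is a placeholder (assumption); use your real one.

// CSP3 fallback chains for the two directives touched here: when a directive is
// absent, the browser uses the first present directive in its chain.
const FALLBACK = {
  'connect-src': ['default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Sources a directive currently resolves to, following its fallback chain.
// No directive at all means the browser allows everything, so there is nothing
// to carry over; adding the directive will then restrict all other sources,
// which is a change you should review before deploying.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...FALLBACK[directive]]) {
    if (policy.has(name)) return [...policy.get(name)];
  }
  return [];
}

function addSource(policy, directive, source) {
  // Start from the effective list so that introducing an explicit worker-src does
  // not revoke sources workers inherited from child-src/script-src/default-src.
  // 'none' must stand alone, so it is dropped once a real source is added.
  const sources = effectiveSources(policy, directive).filter((s) => s !== "'none'");
  if (!sources.includes(source)) sources.push(source);
  policy.set(directive, sources);
}

function addSessionReplayDirectives(header, pendoDataHost) {
  const policy = parseCsp(header);
  addSource(policy, 'connect-src', pendoDataHost);
  addSource(policy, 'worker-src', 'blob:');
  return serializeCsp(policy);
}

// Constructed sample policy and placeholder host (not real Pendo values).
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; connect-src 'self' https://api.example.com";
const PLACEHOLDER_PENDO_HOST = 'https://data.example.com';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(addSessionReplayDirectives(SAMPLE_CSP, PLACEHOLDER_PENDO_HOST));
}
```

With the sample policy the result keeps `'self'` and the CDN for workers alongside blob:, and applying the function a second time changes nothing, so it is safe to run in a deployment step.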
Exclude List entries
Session Replay respects existing Exclude List entries defined in your subscription settings. If a visitor or account is in the subscription-level exclusion list, replay data is captured for those visitors or accounts but doesn’t appear in your Pendo application, unless you use a segment that includes excluded accounts and visitors.
Do Not Process setting
Session Replay respects the Do Not Process (GDPR) setting that’s set for specific visitors and accounts in the Details section of a visitor or account's details page. This setting prevents Pendo from collecting events for or displaying guides to a visitor or account. If this is enabled, Pendo doesn’t capture replays for that visitor or account.
For more information, see Opt out of tracking with DNP.