Session Replay privacy

Last updated:

We strongly encourage a proactive approach to safeguarding potentially sensitive data, such as Personal Identifiable Information (PII) or financial information, when configuring Session Replay.

To help you meet the privacy needs of your app and comply with your company's policies, we offer several options to configure the privacy of your replays effectively:

  • Starting privacy configuration. Choose from three starting privacy configurations that provide different levels of text-masking for your app. This helps ensure that PII and sensitive content are appropriately handled based on the individual needs of your app and users.
  • Granular privacy rules. Utilize CSS selector rules to fine-tune the privacy settings of your replays after you choose your starting privacy configuration. You can define specific elements to mask, unmask, or block so that you can have precise control over the information captured and displayed in replays.
  • Audience capture. Define the audience for your replays with the Pendo segment builder. This ensures that only specific groups or subsets of visitors have their interactions captured in replays.

The following sections in this article detail each privacy option and how you can leverage them to ensure the utmost privacy while obtaining valuable insights from replays.

An Admin user must configure these privacy settings for each app on the Replay Settings page. To access this page, navigate to Settings > Subscription Settings > Applications, open an app from the list, and then select the Replay Settings tab.

In the example image below, you can see a replay where the revealed text represents unmasked elements, the asterisks represent masked elements, and the teal placeholder elements represent blocked elements.


Complementing these privacy settings, Pendo's stringent security and privacy standards also cover Session Replay. You can find detailed information about our security practices, compliance, and privacy terms in our Trust Center.

Important: If you find that Session Replay has captured sensitive data that needs to be deleted prior to expiring, contact Pendo Support. All replays expire and are automatically deleted after 30 days. However, if you save a replay as a clip, it's available for one year.

Starting privacy configuration

Before you can enable Session Replay, you have to select a starting privacy configuration: Maximum Privacy, Inputs Only, or Minimum Privacy. You can only choose this starting privacy option once. After that's selected, you can create CSS selector rules to further configure the privacy of your replays.

To learn about each starting privacy configuration, you can select View example on the Replay Settings page or continue reading below.


Pendo's data filtering is conducted locally on the client side. When Session Replay captures visitor interactions, it immediately applies the chosen privacy settings to mask or block the relevant data in line with your selected privacy configuration. This way, the data sent to Pendo servers is already obfuscated, ensuring that sensitive information remains protected. The filtered data is then displayed in your replays in the Pendo UI.

After you decide on the privacy configuration that makes the most sense for your app, choose Select. This Privacy Configuration section populates a table with the corresponding selector rules and allows you to create new CSS selector rules as needed.

Note: No matter which privacy option you start with, you can’t unmask text entered into inputs that have tel, email, or password used for the type attribute.

Maximum Privacy

The Maximum Privacy configuration attempts to replace all on-screen text with asterisks (*). This means that we make every effort to mask all PII, input fields, and user-entered text with this privacy configuration.

Here’s an example of what Maximum Privacy could look like without creating any selector rules:


Maximum Privacy is the most privacy-conscious option we provide and is recommended if your app displays sensitive content.

Inputs Only

The Inputs Only configuration attempts to replace text contained in inputs with asterisks (*). This means we make every effort to ensure that all text in most inputs is masked, while all other text is revealed. You can mask and unmask additional text using selector rules.

The table below details all input types that are masked with Inputs Only and which fields you can unmask using selector rules.

Input type Mapped element Can unmask?
color <input type="color"  /> Yes
date <input type="date"  /> Yes
datetime-local <input type="datetime-local"  /> Yes
email <input type="email"  /> No
month <input type="month"  /> Yes
number <input type="number"  /> Yes
password <input type="password"  /> No
range <input type="range"  /> Yes
search <input type="search"  /> Yes
select <select><select/> Yes
tel <input type="tel"  /> No
text <input type="text"  /> Yes

Here’s an example of what Inputs Only could look like without creating any selector rules:


Inputs Only is recommended for apps that keep all sensitive content contained in inputs or if you plan to create selector rules to mask all sensitive information that isn’t contained in an input.

Minimum Privacy

The Minimum Privacy configuration only replaces text entered into email, telephone, and password inputs with asterisks (*). This means that all other text contained in and out of inputs is revealed. You can mask additional text using selector rules.

The table below details all input types that are masked with Minimum Privacy and which fields you can unmask using selector rules.

Input type Mapped element Can unmask?
email <input type="email"  /> No
password <input type="password"  /> No
tel <input type="tel"  /> No

Here’s an example of what Minimum Privacy could look like without creating any selector rules:


Minimum Privacy is recommended for apps that have little sensitive content or if you plan to create selector rules to mask all sensitive information.

Selector rules

After you select a starting privacy option, you can create selector rules using CSS selectors to meet your needs. With selector rules, you can mask, unmask, or block elements from being captured at all—including interactions within the blocked areas—using the Privacy Configuration section on the Replay Settings page.

The table pre-populates the CSS selectors for password, telephone, and email input types, which you can’t unmask, and any other selectors based on the starting privacy option you selected.

  1. To get started, select Create Selector Rule above the table to open the Create Rule dialog.


  2. For Selector, enter the relevant CSS selector. If you need assistance understanding what value to enter here, Mozilla’s CSS selectors page is a useful resource.
  3. Choose what type of rule you’d like to apply:
    • Unmask Element. Session Replay captures interactions associated with the specified CSS selector and reveals text as it’s shown to the visitor.
    • Mask Element. Session Replay captures interactions associated with the specified CSS selector and replaces texts with asterisks (*).
    • Block Element. Session Replay doesn’t capture any interactions associated with the specified CSS selector and replaces elements with teal placeholder blocks.
  4. Select Save Rule. After you save, the rule populates in the table and applies to all future replays.


  5. Repeat steps 1 to 4 for each new selector rule.

All new selector rules and rule updates take approximately 10 minutes to fully process. If a visitor is using the application at the time a new rule or rule update is processed, the rules might not go into effect until the visitor refreshes their current page or navigates to a new page.

Important: An attacker could potentially modify your app’s Document Object Model (DOM) to load an image with an external URL that’s used to extract a visitor’s IP address. This could pose a security vulnerability.

To prevent this from happening, you can block Session Replay from capturing images by following the steps above, entering img for your CSS selector, and selecting Block Element as the rule type.

Rule prioritization

Pendo uses a specific prioritization method to handle scenarios where multiple rules match elements in the DOM tree. In these cases, the order of precedence is as follows:

  1. Block. The block rule takes the highest precedence. If any rule specifies a block for a specific element, it overrides other conflicting rules, ensuring that the content remains blocked.
  2. Mask. The mask rule takes precedence after block. If multiple rules match the same element and one of them is a mask rule, it is applied, except when a higher-priority block rule exists.
  3. Unmask. The unmask rule has the lowest precedence. If both mask and unmask rules match an element, the mask rule takes precedence, ensuring that the element remains masked, except when a block rule is present.


Before you enable Session Replay for a large audience, we recommend enabling it for a smaller set of users or accounts so that you can monitor performance and ensure your privacy rules align with company policies.

When it comes to segmentation, you have two options for specifying an audience in the Replay capture settings section on the Replay Settings page:

  • Create a custom segment. This is recommended if you don’t want this segment to appear in the list of segments and be editable by non-Admin users in your company.
  • Select an existing segment. This isn’t recommended if you don’t want the segment to show up in the general segments list throughout Pendo.

The default segment is set to all visitors. When you’re ready to update your segment, select Everyone, then select an option from the dropdown menu. If you don’t want your Session Replay segment to show up in the segments list throughout Pendo, create a custom segment by hovering over Custom Segment and selecting the Edit icon. Any audience updates can take up to 10 minutes to fully process.


After you have the appropriate segment applied and confirm your privacy configuration meets your needs, you’re ready to enable Session Replay. For step-by-step guidance on enabling, see Enable Session Replay.

If you have questions about the accuracy of audience capture, see our articles on Missing replays and Unexpected replays.

Existing privacy settings

There are several existing privacy configurations and settings in Pendo that can impact the capture or visibility of replays.

Content Security Policy (CSP) configuration

If your app uses CSP, it's essential to update your configuration with the two directives below so that you can capture all visitor activity and prevent app degradation due to CSP and Session Replay conflicts.

Directive Host Description

If you don't have CNAME configured, use

If you do have CNAME configured, use the "data" part of your CNAME, such as

This entry allows for event communication.
worker-src blob:

This entry allows the Pendo agent to start a worker thread to compress and send replay capturing data, which minimizes performance impact on your application.

Exclude List entries

Session Replay respects existing Exclude List entries defined in your subscription settings. If a visitor or account is in the subscription-level exclusion list, replay data is captured for those visitors or accounts but doesn’t appear in your Pendo application, unless you use a segment that includes excluded accounts and visitors.

Do Not Process setting

Session Replay respects the Do Not Process (GDPR) setting that’s set for specific visitors and accounts in the Details section of a visitor or account's details page. This setting prevents Pendo from collecting events for or displaying guides to a visitor or account. If this is enabled, Pendo doesn’t capture replays for that visitor or account.

Was this article helpful?
2 out of 3 found this helpful