Privacy Controls

SupaStory protects user privacy by default. Here's how to customize it.

Privacy Is On by Default

We know recording user sessions sounds sensitive. That's why SupaStory has strong privacy protections enabled from the start:

  • All text inputs are hidden — Passwords, credit cards, and other form data are masked automatically
  • Emails are redacted — Email addresses are detected and hidden
  • No personal data stored — We don't keep names, emails, or identifying information

You don't need to configure anything for basic privacy protection. It just works.

What Gets Recorded (And What Doesn't)

Recorded:

  • Where users click and scroll
  • Which pages they visit
  • How long they spend on each page
  • Browser errors and failed requests
  • General page layout and structure

Not Recorded (automatically hidden):

  • Text typed into inputs (replaced with •••)
  • Passwords, credit card numbers, SSNs
  • Email addresses anywhere on the page
  • Content you mark as private

Customizing Privacy Settings

Want more control? You can configure what gets hidden or blocked entirely.

Mask Specific Elements

Add a data attribute to any element you want hidden:

<!-- This input's value will be masked -->
<input data-supastory-mask type="text" name="ssn" />

Or configure it in code:

SupaStory.init({
  projectKey: 'pk_live_...',
  privacy: {
    maskSelectors: [
      '.credit-card-input',
      '[data-sensitive]',
      '#social-security',
    ],
  },
});

Block Elements Completely

If you want an element excluded from recordings entirely (not just masked):

<!-- This whole section won't be recorded at all -->
<div data-supastory-block>
  Private content here
</div>

Or in code:

SupaStory.init({
  projectKey: 'pk_live_...',
  privacy: {
    blockSelectors: [
      '.private-content',
      '#admin-panel',
    ],
  },
});

Filter Network Requests

Control which API calls are captured:

SupaStory.init({
  projectKey: 'pk_live_...',
  network: {
    // Only record requests to these domains
    allowedDomains: ['api.yoursite.com'],

    // Or block specific paths
    blockedPatterns: [
      '/api/auth/*',
      '/api/payments/*',
    ],
  },
});

If you need user consent before recording (common in Europe), you have two options:

Option 1: Initialize after consent

import { SupaStory } from '@supastory/capture-sdk';

if (userHasConsented()) {
  SupaStory.init({ projectKey: 'pk_live_...' });
}

Option 2: Use autoStart (recommended)

import { SupaStory } from '@supastory/capture-sdk';

// Initialize early but don't record yet
SupaStory.init({
  projectKey: 'pk_live_...',
  autoStart: false,
});

// Start recording after user consents
function onConsentGranted() {
  SupaStory.start();
}

You can also stop recording at any time:

// User revokes consent
SupaStory.stop();
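The autoStart pattern above, wrapped in a small consent gate that remembers the user's choice and fails closed when the stored value is missing, unexpected, or unreadable. This is an added example, not SupaStory's own code: it assumes only the init, start and stop calls shown on this page, and the storage key, createConsentGate, and the fake recorder and storage are hypothetical names constructed so it runs outside a browser.

```javascript
// `recorder` is anything exposing init/start/stop (the SupaStory object in a real page);
// `storage` is anything exposing getItem/setItem (localStorage in a real page).
const CONSENT_KEY = 'recording-consent'; // hypothetical storage key

function createConsentGate(recorder, storage, projectKey) {
  let recording = false;

  // Fail closed: only the exact string 'granted' counts as consent.
  const hasStoredConsent = () => {
    try {
      return storage.getItem(CONSENT_KEY) === 'granted';
    } catch (_) {
      return false; // storage unavailable: treat as no consent
    }
  };
  const persist = (value) => {
    try { storage.setItem(CONSENT_KEY, value); } catch (_) { /* best effort */ }
  };
  // Idempotent wrappers so repeated banner clicks never double-start or double-stop.
  const start = () => { if (!recording) { recorder.start(); recording = true; } };
  const stop = () => { if (recording) { recorder.stop(); recording = false; } };

  // Initialize early without recording, then resume only on stored consent.
  recorder.init({ projectKey, autoStart: false });
  if (hasStoredConsent()) start();

  return {
    grant() { persist('granted'); start(); },
    revoke() { persist('revoked'); stop(); }, // record the revocation before stopping
    isRecording: () => recording,
  };
}

// Constructed stand-ins for the SDK and localStorage (not part of any real API).
function makeFakeRecorder() {
  const calls = [];
  return {
    calls,
    init: (opts) => calls.push(`init:autoStart=${opts.autoStart}`),
    start: () => calls.push('start'),
    stop: () => calls.push('stop'),
  };
}
function makeMemoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
  };
}
```

In a page, pass the imported SupaStory object and window.localStorage, and call grant() and revoke() from your consent banner's handlers.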

Data Retention

In your dashboard, you can set how long session data is kept. After that period, it's automatically deleted.

Go to Settings > Privacy to configure retention periods.

Deleting User Data

If a user asks you to delete their data (GDPR "right to be forgotten"):

  1. Go to Settings > Privacy in your dashboard
  2. Use the data deletion tool to remove their sessions
  3. Data is deleted within 30 days

You can also use the API for programmatic deletion.

Compliance Summary

SupaStory is designed to help you stay compliant:

| Regulation | How We Help |
| --- | --- |
| GDPR | Consent integration, data export, deletion on request |
| CCPA | Clear data disclosures, opt-out support, deletion within 45 days |
| SOC 2 | Encryption, access controls, audit logging |

Quick Reference

| Setting | What It Does | Default |
| --- | --- | --- |
| maskAllInputs | Hide all input values | On |
| maskAllEmails | Hide email addresses | On |
| maskSelectors | Hide specific elements | None |
| blockSelectors | Exclude elements from recording | None |

Common Questions

Is SupaStory GDPR compliant? Yes. We provide the tools you need for consent, data access, and deletion requests.

Do I need a cookie banner? Depends on your location and users. If you're unsure, talk to a lawyer—but SupaStory makes it easy to wait for consent before recording.

Can users opt out? Yes. Just don't call SupaStory.init() for users who opt out, or call SupaStory.stop() if they revoke consent.