Privacy & compliance
A plain-English summary of what Replayful captures, what it doesn't, and how that maps to common compliance regimes.
What we capture
- DOM snapshots and mutations (the rendered page over time).
- Mouse movement (sampled), clicks, touches, scrolls, viewport changes.
- The page URL including query parameters (used for analytics). Query strings can carry identifiers your own application puts there, such as e-mail addresses, order numbers or tokens, so check what your URLs contain before assuming they are safe to record.
- Device class, browser, OS, language, timezone, screen size, DPR, connection type.
- Country derived from the request IP at ingest time.
- Referrer header on the initial page load.
- HTTP status of the initial page load.
What we never capture
- The values typed into any input, textarea, or contenteditable element. All inputs are masked at source, that is, in the browser before the snapshot leaves the page, so the value never reaches Replayful.
- Passwords, payment details and credit-card fields: the same masking applies; they are not a special case.
- The IP address itself (we derive country and drop it).
- Cookies or localStorage values of your site.
- Content inside third-party iframes you don't own (chat widgets, payment checkouts). Cross-origin frame content is unreadable from your page's scripts in any case.
- Advertising identifiers. The visitor ID is a random, pseudonymous identifier stored in localStorage on your site's origin. It carries no personal details, but it still singles out a browser, so treat it as personal data under GDPR rather than as anonymous.
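What "masked at source" means in practice, as an added example that is not Replayful's code: a snapshot serializer that walks a DOM tree and replaces every input/textarea value and every text node inside a contenteditable element with a fixed mask before anything is serialized, and never descends into iframes. The node shape follows the real DOM (nodeType, nodeName, attributes, childNodes, value, isContentEditable), so in a browser `serialize(document.body)` works as written; the page fragment at the bottom is constructed for offline use, and the function and helper names are this example's own.

```javascript
// Added example (not Replayful's code): masking-at-source for a DOM snapshot.
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;
const MASK = "***";                        // fixed length: the mask leaks no length
const VALUE_TAGS = new Set(["INPUT", "TEXTAREA"]);
const VALUE_ATTRS = new Set(["value"]);    // default "value" attribute must not leak either

function serializeElement(node, inEditable) {
  const tag = node.nodeName.toUpperCase();
  // Once inside a contenteditable element, every descendant text node is masked.
  const editable = inEditable || node.isContentEditable === true;
  const attrs = {};
  for (const a of Array.from(node.attributes || [])) {
    if (VALUE_TAGS.has(tag) && VALUE_ATTRS.has(a.name.toLowerCase())) continue;
    attrs[a.name] = a.value;
  }
  const out = { tag, attrs, children: [] };

  if (VALUE_TAGS.has(tag)) {
    // The live value is a property, not an attribute. Mask it for every type,
    // type="hidden" included, since hidden fields often carry tokens.
    out.value = node.value ? MASK : "";
    return out;
  }
  if (tag === "IFRAME") {
    // Never walk into frames: cross-origin ones are unreadable anyway,
    // same-origin ones are skipped deliberately.
    return out;
  }
  for (const child of Array.from(node.childNodes || [])) {
    const s = serialize(child, editable);
    if (s) out.children.push(s);
  }
  return out;
}

function serialize(node, inEditable = false) {
  if (node.nodeType === TEXT_NODE) {
    const text = node.nodeValue ?? "";
    return { text: inEditable ? (text.trim() ? MASK : "") : text };
  }
  if (node.nodeType === ELEMENT_NODE) return serializeElement(node, inEditable);
  return null; // comments and other node types are dropped
}

// Check used before upload: does a raw string survive anywhere in the snapshot?
function snapshotContains(snapshot, needle) {
  return JSON.stringify(snapshot).includes(needle);
}

// Constructed page fragment (not a real DOM): a login form with a prefilled
// e-mail, a hidden CSRF token, a contenteditable note and a checkout iframe.
function mkEl(nodeName, attrs, children = [], extra = {}) {
  return {
    nodeType: ELEMENT_NODE,
    nodeName,
    attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
    childNodes: children,
    ...extra,
  };
}
function mkText(s) {
  return { nodeType: TEXT_NODE, nodeValue: s };
}

const SAMPLE = mkEl("BODY", {}, [
  mkEl("FORM", { action: "/login" }, [
    mkEl("INPUT", { type: "email", name: "email", value: "prefill@example.com" }, [], { value: "alice@example.com" }),
    mkEl("INPUT", { type: "password", name: "pw" }, [], { value: "hunter2" }),
    mkEl("INPUT", { type: "hidden", name: "csrf" }, [], { value: "tok_123" }),
    mkEl("BUTTON", {}, [mkText("Sign in")]),
  ]),
  mkEl("DIV", { contenteditable: "true" }, [mkText("my private note")], { isContentEditable: true }),
  mkEl("IFRAME", { src: "https://pay.example.net/checkout" }, [mkEl("DIV", {}, [mkText("4111 1111")])]),
]);

const SNAPSHOT = serialize(SAMPLE);
```

The point of the fixed-length mask is that a length-preserving mask still reveals how long a password or card number is; the point of masking the `value` property rather than only the attribute is that the attribute holds the default, while what the visitor typed lives only in the property.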
GDPR (EU, UK)
Recording session activity is processing of personal data under GDPR. Replayful is a Processor; you (our customer) are the Controller. You must:
- Inform visitors that session recording is active (paste the disclosure from the Privacy tab).
- Have a lawful basis: usually legitimate interest for product improvement (document the balancing test), sometimes consent for marketing purposes. Separately, because the visitor ID is stored on the visitor's device, the ePrivacy rules (PECR in the UK) generally require consent for that storage unless it is strictly necessary for a service the visitor asked for.
- Honour deletion requests by removing affected sessions from the project. You need a way to locate the requester's sessions, typically the visitor ID from their browser's localStorage.
POPIA (South Africa)
The same model as GDPR. Replayful is an Operator; you are the Responsible Party. The disclosure snippet from the Privacy tab meets the notice requirement.
CCPA / CPRA (California)
We don't sell or share recordings with third parties, so the broad "do not sell or share" obligations don't apply. You still need to disclose that you record session activity in your privacy policy, and California residents' rights to know and to delete still apply; handle deletion the same way as under GDPR.
Data residency
Production data is currently hosted in EU and US regions (Neon's default footprint). Enterprise contracts can pin residency to a single region; contact us.
Sub-processors
- Neon (Postgres hosting).
- Vercel (web hosting + edge).
- Clerk (authentication).
- Resend (transactional email).