Replayful
Privacy

Anonymous by design.

GDPR and POPIA compliant. We never capture the contents of input fields — only that something was typed.

What we collect

When the Replayful tracker is embedded on a customer's website, it records:

  • Mouse movement, clicks, scrolls, and touch events.
  • That a visitor typed in a field — but never what they typed. Every keystroke into every input, textarea, or contenteditable element is replaced with dots at capture time, before the value leaves the browser. There is no setting that disables this. We cannot see, log, or recover the original text. Customers can mask additional rendered content (e.g. a displayed credit-card number, an order total) by adding data-replayful-mask or class="replayful-mask" to any element.
  • DOM changes on the page (so we can replay the page exactly as the visitor saw it).
  • The visitor's user-agent string and viewport size.
  • The page URL of each visit.
  • A random anonymous identifier generated and stored in the visitor's browser localStorage — used to group visits by the same device. This identifier is not linked to any other system or identity.
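The capture-time masking described above, as an added example that is not Replayful's own tracker code. It walks a DOM-like tree and emits the snapshot that would leave the browser: every input and textarea value is replaced with dots, text under a contenteditable host or under an element carrying data-replayful-mask or class="replayful-mask" is masked, and everything else is copied through. The node shape ({tag, attrs, children, value} / {text}) and the sample checkout form are constructed so the code runs under Node without a browser; in a browser the same fields come from real Elements. It also shows the one case the masks do not cover, which the acceptable-use section later warns against: a script that re-renders a typed value into the page as plain text.

```javascript
// Added example (not Replayful's code): a capture-time masking pass over a
// DOM-like tree. Constructed node shape: {tag, attrs, children, value} for
// elements, {text} for text nodes.

const MASK_ATTR = "data-replayful-mask";
const MASK_CLASS = "replayful-mask";
const DOT = "\u2022";

// One dot per character: replay shows that something was typed and how long
// it was, never the characters. Use a fixed-width run if length is sensitive.
function maskText(s) {
  return DOT.repeat(s.length);
}

// Masked if the element carries the attribute or the class. The walk below
// inherits the flag, so descendants of a masked element are masked as well.
function isMaskedElement(el) {
  const attrs = el.attrs || {};
  if (Object.prototype.hasOwnProperty.call(attrs, MASK_ATTR)) return true;
  return String(attrs.class || "").split(/\s+/).includes(MASK_CLASS);
}

// Any contenteditable host (attribute present and not "false").
function isEditable(el) {
  const v = (el.attrs || {}).contenteditable;
  return v !== undefined && String(v).toLowerCase() !== "false";
}

// Builds the snapshot that would be sent. Form-control values are masked
// unconditionally (no setting turns this off); text under a masked or
// editable element is masked; other text is kept so the page can be replayed.
function snapshot(node, inherited = false) {
  if (node.text !== undefined) {
    return { text: inherited ? maskText(node.text) : node.text };
  }
  const tag = node.tag.toLowerCase();
  const masked = inherited || isMaskedElement(node) || isEditable(node);
  const out = { tag, attrs: { ...(node.attrs || {}) }, children: [] };
  if (tag === "input" || tag === "textarea") {
    // Both the live .value property and any initial value= attribute.
    if (typeof node.value === "string") out.value = maskText(node.value);
    if (typeof out.attrs.value === "string") out.attrs.value = maskText(out.attrs.value);
  }
  for (const child of node.children || []) {
    out.children.push(snapshot(child, masked));
  }
  return out;
}

// Check used below: does a literal string survive anywhere in the snapshot?
function leaks(snap, secret) {
  return JSON.stringify(snap).includes(secret);
}

// Constructed sample page: a checkout form plus two pieces of rendered text.
const CARD = "4111111111111111";
const TOTAL = "R 1,234.56";
function samplePage(echoMasked) {
  return {
    tag: "form", attrs: {}, children: [
      { tag: "input", attrs: { name: "card", type: "text" }, value: CARD },
      { tag: "input", attrs: { name: "pw", type: "password" }, value: "hunter2" },
      { tag: "textarea", attrs: { name: "notes" }, value: "deliver after 6pm" },
      { tag: "div", attrs: { contenteditable: "" }, children: [{ text: "typed in rich editor" }] },
      // Displayed order total, masked by attribute as the page recommends.
      { tag: "span", attrs: { [MASK_ATTR]: "" }, children: [{ text: TOTAL }] },
      // Circumvention case: a script echoes the card number into the DOM as
      // plain text. Only a mask on that element keeps it out of the recording.
      { tag: "span", attrs: echoMasked ? { class: "hint replayful-mask" } : {}, children: [{ text: CARD }] },
    ],
  };
}

console.log(JSON.stringify(snapshot(samplePage(true)), null, 1));
```

Run with `node`: the printed snapshot contains only dots where the card number, password, textarea and editable text were, and the unmasked echo span in `samplePage(false)` is the one place the number survives. Masking happens on the value, not on the user's keystrokes, so anything the customer's own scripts copy out of an input into ordinary page text is outside the rule until that element is itself marked.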

We do not capture passwords, IP addresses, fingerprinting signals, or browser cookies (other than those Clerk sets for authentication on the Replayful dashboard itself). Personally identifying information can still end up in a recording only if it appears in content the tracker does capture outside the masks above: text rendered on the page that the customer has not marked with data-replayful-mask, or a page URL whose query string carries it. Customers should mask such content.

Where the data lives

Session recordings are stored in a PostgreSQL database hosted by Neon in the AWS us-east-1 region (North Virginia, USA). Data is encrypted in transit (TLS 1.2+) and at rest. Backups are managed by Neon and retained per their policy.

A customer's session history is retained according to the customer's plan: 30, 90, 180, or 365 days. Data older than the retention window is automatically deleted.

GDPR (EU / UK)

Replayful is designed to minimize personal data collection. Under the GDPR our role is:

  • Data processor when our customers (website owners) embed the tracker. The customer is the data controller and is responsible for establishing a lawful basis for the recording (typically consent or legitimate interest) with respect to their visitors.
  • Data controller for the personal data of our account holders — your email address and authentication metadata, managed through Clerk.

A Data Processing Agreement (DPA) is available for any customer who needs one — contact nick@odinside.tech to request one.

Visitor rights under the GDPR (access, erasure, portability, objection) can be exercised by emailing the address above. We will respond within 30 days.

POPIA (South Africa)

Replayful is operated by D3 Vitamin, a South African business. Under the Protection of Personal Information Act (POPIA) our roles mirror the GDPR split: we are an operator (POPIA's term for a processor) for tracker data and the responsible party for account data.

Our Information Officer is the founder of D3 Vitamin and can be reached at nick@odinside.tech. Requests for access, correction, deletion, or objection are processed within 30 days.

Cookies

The Replayful tracker does not set any cookies on a customer's website. The anonymous visitor identifier is stored in localStorage. That is not a cookie in the narrow sense, but Article 5(3) of the ePrivacy Directive covers any storing of, or access to, information on a visitor's device, so EU regulators generally treat a localStorage identifier the same as a cookie. Customers should disclose it in their own privacy notice and include it in their consent flow where one is required.

The Replayful dashboard at replayful.co uses cookies set by Clerk for authentication and session management. These are essential cookies and not used for tracking or advertising.

Sub-processors

We use the following sub-processors:

  • Neon — PostgreSQL database hosting (US).
  • Clerk — Authentication for the Replayful dashboard (US).
  • Vercel — Application hosting (US).
  • Google Analytics — Aggregate visitor counts on our public marketing pages (/, /pricing, /privacy, /terms). Not loaded on the signed-in dashboard or /demo.

Acceptable use & enforcement

Replayful provides the tooling but is not responsible for how each customer chooses to use the service. By embedding the tracker on a website, the customer agrees to:

  • Disclose the use of Replayful in their own privacy policy (a copy-pasteable snippet is provided in the next section).
  • Use the recordings only for product analytics and visitor-experience research, not for invasive surveillance, harassment, targeting individuals, or any unlawful purpose.
  • Take reasonable steps not to circumvent the masking applied by the tracker (e.g. by re-rendering masked field values into the DOM as plain text in order to capture them).

We actively monitor for misuse. If we determine that an account is violating this policy, we will delete all stored data associated with that account and revoke their access to the platform. We may act on credible reports from third parties.

Snippet you can paste into your own privacy policy

If you embed Replayful on your website, your visitors have a right to know. The block below is a starting point you can copy into your own privacy policy. Adapt the wording to your tone of voice — it is not legal advice.

### Session replay

We use Replayful (replayful.co) to record anonymous sessions on this
website — mouse movement, scrolls, clicks, and DOM changes — so that
we can understand how visitors use the site and improve it.

What is captured:
- Mouse movement, scrolls, clicks.
- DOM changes (so we can replay the page exactly as it was rendered).
- The page URL of each visit.
- Your browser's user-agent string and screen size.
- An anonymous random identifier stored in your browser's localStorage
  so that we can group repeat visits from the same device. This
  identifier is not linked to any other system.

What is NOT captured:
- The values you type into any input. Every keystroke is replaced with
  dots at capture, before it leaves your browser. The recording shows
  that you typed in a field — never what you typed. There is no setting
  that disables this.
- IP addresses, cookies, fingerprinting signals.

You can opt out of recording at any time by enabling Do Not Track in
your browser, or by contacting us at <YOUR-CONTACT-EMAIL>.

Replayful is GDPR and POPIA compliant. See replayful.co/privacy for
their full data-handling disclosure.

Replace <YOUR-CONTACT-EMAIL> with the privacy contact on your site.

Contact

Privacy questions or data-subject requests: nick@odinside.tech.

Last updated: 2026-05-22.