FYI! Session Replay Privacy Information – for Legal & Compliance teams

  • 26 October 2022
  • 1 reply

Userlevel 2
Badge +1

👋 Hello from the Heap product team that’s working on session replay!

Do you need permission from your Legal/Compliance team to turn on the Session Replay trial in Heap? We pulled together these data privacy facts for you to share with your colleagues -- simply give them the link to this webpage and they should have all the info they need. If you or they still have concerns after reading this info, feel free to post questions below!

You can set up Heap's Session Replay tool so that it does not capture PII (personable identifiable information), such as passwords and credit card numbers.

If you decide to capture text inputs, by default we provide additional safeguards against capturing PII. 

Passwords are not captured as long as the password fields have been tagged appropriately (as password type inputs) in the DOM (e.g. <input type="password">).

Heap has a set of rules to automatically avoid capturing credit card numbers:

  • Any inputs that have an id or name attribute included in the list below are considered credit card inputs and will not be captured. The matching logic is case insensitive and will ignore ‘-‘ or ‘_’ characters.

    • ‘cc’,’creditcard’, ‘ccnum’, ‘ccname’, ‘ccnumber’, ‘ccexpiry’, ‘ccexp’, ‘ccexpmonth’, ‘ccexpyear’, ‘cccvc’, ‘cccvv’, ‘cctype’, ‘cvc’, ‘cvv’, ‘cccid’, ‘expiration’,’paymentnumberinput’, ‘securitycodeinput’

  • Any input where a user enters 9 or more consecutive digits is considered potential SSN or credit card information and will not be captured.


Heap’s Session Replay tool does not record your user’s screens.

A session replay combines user behavior with a periodically captured copy of your website content (e.g. images, CSS files, fonts, etc.) to create a viewable reconstruction of the user session.

We have highly customizable privacy controls to ensure you don’t capture any sensitive information either from click behavior or website content.


You do not need end user consent to turn on Heap's Session Replay tool.

Your session replay tool is covered by your cookie disclosure and consent policy for analytics. If you have not done so already, make sure you place this privacy disclosure note directly on your website.

Find more Session Replay data privacy information here. 

1 reply


For those who want to learn more about Session Replay and what it does, visit: