Privacy & security

Privacy & security by design

Session data is sensitive. Every layer of VisitorLab is built to mask, restrict and account for it — before a single recording leaves your product.

Masking

Field, element and regex-based masking on by default — passwords, payment and PII never reach a recording.

field / element / regex

Access control

Project- and role-based access, SSO/SAML sign-in, and a full audit log of who viewed what.

SSO/SAML — Enterprise

Compliance

GDPR/CCPA compliant with IP anonymization, configurable data residency and retention windows.

GDPR / CCPA

How masking works

Mask by CSS selector, by input type, or by a regex over captured text — applied before data ever leaves the visitor's browser. Masked fields never appear in replay, heatmaps or AI summaries.

Data residency & retention

Choose where session data is stored and how long it's kept. Enterprise plans set custom retention windows and regional storage to meet internal policy.

Need a security questionnaire answered?

Our team responds to DPAs and vendor security reviews directly.

Talk to an expert