Session data is sensitive. Every layer of VisitorLab is built to mask, restrict and account for it — before a single recording leaves your product.
Field, element and regex-based masking on by default — passwords, payment and PII never reach a recording.
Project- and role-based access, SSO/SAML sign-in, and a full audit log of who viewed what.
GDPR/CCPA compliant with IP anonymization, configurable data residency and retention windows.
Mask by CSS selector, by input type, or by a regex over captured text — applied before data ever leaves the visitor's browser. Masked fields never appear in replay, heatmaps or AI summaries.
Choose where session data is stored and how long it's kept. Enterprise plans set custom retention windows and regional storage to meet internal policy.
Our team responds to DPAs and vendor security reviews directly.