Using FullStory under the GDPR
Is FullStory GDPR compliant?
Can I still use FullStory if I have customers in the EU?
If I'm outside of the EU, do I need to be concerned about GDPR?
Where is my data stored?
Explaining GDPR + FullStory to your end-users
Does FullStory use any first- or third-party cookies?
Complying with Data Subjects Rights with FullStory
Do I need to obtain consent before I do any session recording at all with FullStory?
How do I make sure personal data isn’t being captured by FullStory?
Can I delete FullStory data for specific customers when they ask to be forgotten?
Is it possible to delete sessions from FullStory for multiple customers at one time? (ie: Segment deletion)
When I cancel my account, is my data deleted right away?
Can I turn off the recording of IP addresses?
What can I provide an EU citizen if they request a copy of data being processed by FullStory?
Data Processing Agreements (DPA)
Why should I sign your updated DPA? Can I still use FullStory if I do not sign this DPA?
Our company isn’t in the EU, but we do have customers / prospects in the EU. Do I need to sign a DPA?
At FullStory, we are fully prepared for GDPR enforcement to begin on May 25th. We have developed detailed documentation and added many functional enhancements to the FullStory platform to ensure that you as a controller can feel totally confident that you can use FullStory and fulfill your obligations under GDPR.
That said, GDPR is extremely broad. And because it's a new regulation, no vendor can legitimately claim that they are GDPR compliant as there does not yet appear to be any sort of certification process by which you can be assured that you are in compliance. Each company that wants to serve EU citizens will need to do its best at making a good-faith attempt to be compliant. After that, they have to remain vigilant and pay attention to how it evolves, making changes to accommodate any additional clarifications that appear over time.
Yes! The main purpose and spirit of the GDPR is to grant data subjects specific rights to their personal data. Understanding these rights and how to comply with them as a Data Controller is paramount to your ability to comply with GDPR. FullStory will be acting as a Data Processor for your customer’s data and will provide ways to comply with all of your data subject’s rights under the obligations of a data processor. You will need to decide which data you are recording that may be considered personal, take steps to exclude the data that you do not want FullStory to process, and understand how you will use consent or other lawful basis when FullStory will be processing personal data.
Probably. Since the GDPR is concerned with the rights of individuals, it is hard to be sure that you will never process the data of an EU citizen due to the prevalence of international travel, remote work, etc. At FullStory, we think of our entire customer base as having equal protections, regardless of citizenship.
FullStory production data is both processed and stored within Google Cloud Platform’s data centers. All Google data centers that process FullStory data are located in the US. Google’s data centers are world-renowned for their state of the art security systems. If you have customers in the EU or are located in the EU, you will need to sign a Data Processing Agreement (DPA) with FullStory to allow for the transfer of data to these US data centers.
Yes! Please use this link that describes FullStory’s GDPR data processing to your end users. This link should be helpful in cookie policies or other consent flows. https://www.fullstory.com/resources/fullstory-gdpr-you/
Although this is not GDPR specific, it may be helpful to understand and explain to your customers.
FullStory uses first-party cookies. The FullStory recording script sets a single first-party cookie containing your end-user’s fs_uid when recording their activities on your site. This cookie uses your domain as the host, instead of “fullstory.com,” which is what distinguishes it as a first-party cookie. More information here: https://help.fullstory.com/spp-ref/first-party-cookies
Not necessarily. The GDPR is primarily concerned with personal data and defining the rights that an EU citizen has to their own data. Unidentified sessions are largely anonymous and may not include personal data, so recording a session without consent is OK.
However, it is possible to capture personal or sensitive data passively if you are recording forms or pages where personal data is inputed or displayed on your website or application. It is important that you audit your own site and ensure all appropriate form fields or elements are excluded before you start recording.
There are two types of personal data you can send to FullStory. You can actively send things like name, email address, company, etc. to FullStory using our API or one of our integrations. You can also passively send personal information that your visitors are typing into fields or that might get displayed on pages of your website or app that FullStory captures simply because we are recording the page. In the case of passively captured information, you have full control over which fields or elements are excluded and it is important that you exclude the personal data that you do not want FullStory to capture.
If you wanted to be maximally safe, you may decide to exclude basically everything from recording using exclusions such as:
input textarea select form // Note: `form` will block the entire form, including labels, usually resulting in a big gray area in playback
Yes! FullStory offers a few solutions for data deletion:
FullStory data deletion adheres to your account’s data retention plan even after cancellation. For example, if you have bought 3 months of data history and you cancel your account in the app we will continue to delete your data on a rolling basis until the end of the 3 month period. If you resubscribed at any point during that time, you’d still have access to any user and session data that was within the 3-month window.
If you wish for all of your data to be deleted at the time of account cancellation, please write to email@example.com and we can help to take care of your request.
In the Settings area of of the FullStory app, you can choose to discard IP addresses. When this option is checked, FullStory will receive and use the IP address for session processing and then actively delete the IP address from our data logs. When this option is on, you will not be able to see or search on IP addresses within FullStory.
EU citizens may request a copy of their personal data. Depending on what information you've chosen to send FullStory for processing, you may or may not have any data in FullStory that is considered "personal." Either way, if you'd like to provide an artifact of all personal data to your customer, you can download a file of all the raw events we have recorded for any user by clicking on the button on their user card.
You can view and sign our DPA online or send your version to firstname.lastname@example.org for review.
Our previous DPA has been updated to include the Standard Contractual Clauses adopted by the European Commission to make it compliant with GDPR regulations. We ask that all of our customers doing business with EU citizens sign the updated DPA. You’ll need to check with your legal counsel to determine if your company needs to sign a DPA with FullStory and your other vendors.
The data protection principles outlined in the GDPR are specific to the rights of EU citizens or people in the EU. If you have customers in the EU, you are likely processing data for EU citizens. There are restrictions against transferring and processing data outside of the EU. A Data Processing Agreement (DPA) is a lawful data transfer mechanism that allows you to transfer and process data outside of the EU. You should check with your legal counsel to determine if your company needs to sign a DPA with FullStory.
The FullStory team awaits your every question.Contact Us