GDPR FAQs


Using FullStory under the GDPR

Is FullStory GDPR compliant?

At FullStory, we are fully prepared for GDPR enforcement to begin on May 25th. We have developed detailed documentation and added many functional enhancements to the FullStory platform to ensure that you as a controller can feel totally confident that you can use FullStory and fulfill your obligations under GDPR.

That said, GDPR is extremely broad. And because it's a new regulation, no vendor can legitimately claim that they are GDPR compliant as there does not yet appear to be any sort of certification process by which you can be assured that you are in compliance. Each company that wants to serve EU citizens will need to do its best at making a good-faith attempt to be compliant. After that, they have to remain vigilant and pay attention to how it evolves, making changes to accommodate any additional clarifications that appear over time.

Can I still use FullStory if I have customers in the EU?

Yes! The main purpose and spirit of the GDPR is to grant data subjects specific rights to their personal data. Understanding these rights and how to comply with them as a Data Controller is paramount to your ability to comply with GDPR. FullStory will be acting as a Data Processor for your customer’s data and will provide ways to comply with all of your data subject’s rights under the obligations of a data processor. You will need to decide which data you are recording that may be considered personal, take steps to exclude the data that you do not want FullStory to process, and understand how you will use consent or other lawful basis when FullStory will be processing personal data.

If I’m in the UK (or otherwise outside of the EU), do I need to be concerned about GDPR?

Probably. Since the GDPR is concerned with the rights of individuals, it is hard to be sure that you will never process the data of an EU citizen due to the prevalence of international travel, remote work, etc. At FullStory, we think of our entire customer base as having equal protections, regardless of citizenship.

Where is my data stored? Should I be concerned about the data of my customers in the EU being stored outside of the EU? 

FullStory production data is both processed and stored within Google Cloud Platform’s data centers. All Google data centers that process FullStory data are located in the US. Google’s data centers are world-renowned for their state of the art security systems. If you have customers in the EU or are located in the EU, you will need to sign a Data Processing Agreement (DPA) with FullStory to allow for the transfer of data to these US data centers. 



Explaining GDPR + FullStory to your end-users

Do you have any resources I can include in my consent flows / Privacy Policy / send to my customers?

Yes! Please use this link that describes FullStory’s GDPR data processing to your end users. This link should be helpful in cookie policies or other consent flows. https://www.fullstory.com/resources/fullstory-gdpr-you/

Does FullStory use any first- or third-party cookies?

Although this is not GDPR specific, it may be helpful to understand and explain to your customers. 

FullStory uses first-party cookies. The FullStory recording script sets a single first-party cookie containing your end-user’s fs_uid when recording their activities on your site. This cookie uses your domain as the host, instead of “fullstory.com,” which is what distinguishes it as a first-party cookie. More information here: https://help.fullstory.com/spp-ref/first-party-cookies



Complying with Data Subjects Rights with FullStory

Do I need to obtain consent before I do any session recording at all with FullStory?

Not necessarily. The GDPR is primarily concerned with personal data and defining the rights that an EU citizen has to their own data. Unidentified sessions are largely anonymous and may not include personal data, so recording a session without consent is OK. 

However, it is possible to capture personal or sensitive data passively if you are recording forms or pages where personal data is inputed or displayed on your website or application. It is important that you audit your own site and ensure all appropriate form fields or elements are excluded before you start recording.

How do I make sure personal data isn’t being captured by FullStory? 

There are two types of personal data you can send to FullStory. You can actively send things like name, email address, company, etc. to FullStory using our API or one of our integrations. You can also passively send personal information that your visitors are typing into fields or that might get displayed on pages of your website or app that FullStory captures simply because we are recording the page. In the case of passively captured information, you have full control over which fields or elements are excluded and it is important that you exclude the personal data that you do not want FullStory to capture.

If you wanted to be maximally safe, you may decide to exclude basically everything from recording using exclusions such as:

input
textarea
select
form // Note: `form` will block the entire form, including labels, usually resulting in a big gray area in playback

References:

Can I delete FullStory data for specific customers when they ask to be forgotten? 

Yes! You can delete individual users with the click of a button in your FullStory account or using our DeleteIndividual API.

Is it possible to delete sessions from FullStory for multiple customers at one time? (ie: Segment deletion)

Yes! FullStory offers a few solutions for data deletion:

  1. Individual User Deletion API Use this API to programmatically delete a user’s entire data set.
  2. Segment Deletion If the set of data you need to delete can be contained in a saved FullStory search, you can request FullStory to delete that segment by reaching out to support@fullstory.com.

When I cancel my account, is my data deleted right away?

FullStory data deletion adheres to your account’s data retention plan even after cancellation. For example, if you have bought 3 months of data history and you cancel your account in the app we will continue to delete your data on a rolling basis until the end of the 3 month period. If you resubscribed at any point during that time, you’d still have access to any user and session data that was within the 3-month window.

If you wish for all of your data to be deleted at the time of account cancellation, please write to support@fullstory.com and we can help to take care of your request.

Right now, I can see IP addresses in FullStory. Can I turn off the recording of IP addresses? 

In the Settings area of of the FullStory app, you can choose to discard IP addresses. When this option is checked, FullStory will receive and use the IP address for session processing and then actively delete the IP address from our data logs. When this option is on, you will not be able to see or search on IP addresses within FullStory. 

What can I provide an EU citizen if they request a copy of data being processed by FullStory?

Coming soon! EU citizens may request a copy of their personal data. Depending on what information you've chosen to send FullStory for processing, you may or may not have any data in FullStory that is considered "personal." Either way, if you'd like to provide an artifact of all personal data to your customer, you can download a file of all the raw events we have recorded for any user by clicking on the button on their user card. 



Data Processing Agreements (DPA)

You can view and sign our DPA online or send your version to privacy@fullstory.com for review.

Why should I sign your updated DPA? Can I still use FullStory if I do not sign this DPA?

Our previous DPA has been updated to include the Standard Contractual Clauses adopted by the European Commission to make it compliant with GDPR regulations. We ask that all of our customers doing business with EU citizens sign the updated DPA. You’ll need to check with your legal counsel to determine if your company needs to sign a DPA with FullStory and your other vendors.

Our company isn’t in the EU, but we do have customers / prospects in the EU. Do I need to sign a DPA? 

The data protection principles outlined in the GDPR are specific to the rights of EU citizens or people in the EU. If you have customers in the EU, you are likely processing data for EU citizens. There are restrictions against transferring and processing data outside of the EU. A Data Processing Agreement (DPA) is a lawful data transfer mechanism that allows you to transfer and process data outside of the EU. You should check with your legal counsel to determine if your company needs to sign a DPA with FullStory.

Can’t find what you’re looking for?

The FullStory team awaits your every question.

Contact Us