Using Fullstory under the GDPR
Is Fullstory GDPR compliant?
We have developed detailed documentation and added many functional enhancements to the Fullstory platform to ensure that you as a controller can feel totally confident that you can use Fullstory and fulfill your obligations under GDPR.
Can I still use Fullstory if I have customers in the EU?
Yes! The main purpose and spirit of the GDPR is to grant data subjects specific rights to their personal data. Understanding these rights and how to comply with them as a Data Controller is paramount to your ability to comply with GDPR. Fullstory will be acting as a Data Processor for your customers' data and will provide ways to comply with all of your data subjects' rights under the obligations of a data processor. You will need to decide which data you are capturing that may be considered personal, take steps to exclude the data that you do not want Fullstory to process, and understand how you will use consent or another lawful basis when Fullstory will be processing personal data.
If I’m in the UK (or otherwise outside of the EU), do I need to be concerned about GDPR?
Probably. Since the GDPR is concerned with the rights of individuals, it is hard to be sure that you will never process the data of an EU citizen due to the prevalence of international travel, remote work, etc. At Fullstory, we think of our entire customer base as having equal protections, regardless of citizenship.
Where is my data stored? Should I be concerned about the data of my customers in the EU being stored outside of the EU?
Fullstory production data is both processed and stored within Google Cloud Platform’s data centers. All Google data centers that process Fullstory data are located in the US and the EU. Google’s data centers are world-renowned for their state-of-the-art security systems. If you have customers in the EU or are located in the EU, you will need to sign a Data Processing Agreement (DPA) with Fullstory, as some personal data may be processed in the US.
Explaining GDPR + Fullstory to your end-users
Do you have any resources I can include in my consent flows / Privacy Policy / send to my customers?
Yes! Please use this link that describes Fullstory’s GDPR data processing to your end users. This link should be helpful in cookie policies or other consent flows. https://www.fullstory.com/resources/fullstory-gdpr-you/
Does Fullstory use any first- or third-party cookies?
Although this is not GDPR specific, it may be helpful to understand and explain to your customers.
Fullstory uses first-party cookies. The Fullstory capturing script sets a single first-party cookie containing your end-user’s fs_uid when capturing their activities on your site. This cookie uses your domain as the host, instead of “fullstory.com,” which is what distinguishes it as a first-party cookie. More information here: First Party Cookies
Complying with Data Subjects' Rights with Fullstory
Do I need to obtain consent before I do any session capturing at all with Fullstory?
Not necessarily. The GDPR is primarily concerned with personal data and defining the rights that an EU citizen has to their own data. Unidentified sessions are largely anonymous and may not include personal data, so capturing a session without consent can be OK.
However, it is possible to capture personal or sensitive data passively if you are capturing forms or pages where personal data is entered or displayed on your website or application. It is important that you audit your own site and ensure all appropriate form fields or elements are excluded before you start capturing (or that you're capturing only after you have consent).
How do I make sure personal data isn’t being captured by Fullstory?
There are two types of personal data you can send to Fullstory. You can actively send things like name, email address, company, etc. to Fullstory using our API or one of our integrations. You can also passively send personal information that your visitors are typing into fields or that might get displayed on pages of your website or app that Fullstory captures simply because we are capturing the page. In the case of passively captured information, you have full control over which fields or elements are excluded and it is important that you exclude the personal data that you do not want Fullstory to capture.
If you want to be maximally safe, you may decide to exclude basically everything from capturing using exclusions such as:
input
textarea
select
form // Note: `form` will block the entire form, including labels, usually resulting in a big gray area in playback
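One way to run the audit described above against a page's HTML before capture is enabled, as an added example that is not Fullstory's code. It handles only element-name exclusions like the ones listed, treats a control as covered when it or an enclosing element is excluded, and assumes button-type inputs hold no typed data; the sample markup is constructed. It cannot find personal data that is merely displayed in ordinary elements, which still needs manual review.

```python
from html.parser import HTMLParser

FORM_CONTROLS = {"input", "textarea", "select"}
# Assumption: these input types hold no user-typed value worth flagging.
NO_VALUE_TYPES = {"submit", "button", "reset", "image"}
VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}

class ExclusionAudit(HTMLParser):
    """Collect form controls that no element-name exclusion covers."""

    def __init__(self, excluded_tags):
        super().__init__()
        self.excluded = {t.lower() for t in excluded_tags}
        self.open_tags = []   # elements currently open around the parser position
        self.uncovered = []   # (line, tag, name-or-id) of unprotected controls

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Excluding an element also blocks everything nested inside it.
        covered = tag in self.excluded or any(t in self.excluded for t in self.open_tags)
        input_type = (attrs.get("type") or "text").lower()
        if tag in FORM_CONTROLS and input_type not in NO_VALUE_TYPES and not covered:
            label = attrs.get("name") or attrs.get("id") or "(unnamed)"
            self.uncovered.append((self.getpos()[0], tag, label))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags.pop() != tag:
                pass  # also drops unclosed children such as <option>

def audit(html, excluded_tags):
    """Return the form controls in html that excluded_tags leaves capturable."""
    parser = ExclusionAudit(excluded_tags)
    parser.feed(html)
    parser.close()
    return parser.uncovered

# Constructed sample page: one form plus controls that sit outside any form.
SAMPLE = """\
<form id="signup">
  <input name="email" type="email">
  <textarea name="bio"></textarea>
</form>
<div class="toolbar">
  <input name="q" type="search">
  <select name="country"><option>DE</option></select>
  <input type="submit" value="Go">
</div>
"""

if __name__ == "__main__":
    for line, tag, name in audit(SAMPLE, {"form"}):
        print(f"line {line}: <{tag}> '{name}' is not excluded")
```

Excluding only `form` leaves the search box and country selector capturable, which is why the list above names the individual control elements as well.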
Can I delete Fullstory data for specific customers when they ask to be forgotten?
Yes! You can delete individual users with the click of a button in your Fullstory account or using our DeleteIndividual API.
Is it possible to delete sessions from Fullstory for multiple customers at one time? (i.e., Segment deletion)
Yes! Fullstory offers a few solutions for data deletion:
- Individual User Deletion API: Use this API to programmatically delete a user’s entire data set.
- Segment Deletion: If the set of data you need to delete can be contained in a saved Fullstory search, you can request Fullstory to delete that segment by reaching out to support@fullstory.com.
When I cancel my account, is my data deleted right away?
Fullstory data is deleted six months after your account cancellation date. If you reactivate your account at any point during that time, you will still have access to Session Replays and analytics data that is within your account's retention periods.
If you wish for all of your data to be deleted at the time of account cancellation or before your retention period ends, please write to support@fullstory.com and we can help to take care of your request.
Right now, I can see IP addresses in Fullstory. Can I turn off the capturing of IP addresses?
In the Settings area of the Fullstory app, you can choose to discard IP addresses. When this option is checked, Fullstory will receive and use the IP address for session processing and then actively delete the IP address from our data logs. When this option is on, you will not be able to see or search on IP addresses within Fullstory.
What can I provide an EU citizen if they request a copy of data being processed by Fullstory?
EU citizens may request a copy of their personal data. Depending on what information you've chosen to send Fullstory for processing, you may or may not have any data in Fullstory that is considered "personal." Either way, if you'd like to provide an artifact of all personal data to your customer, you can download a file of all the raw events we have captured for any user by clicking on the button on their user card.
Data Processing Agreements (DPA)
You can view and sign our DPA online or send your version to privacy@fullstory.com for review.
Why should I sign your updated DPA? Can I still use Fullstory if I do not sign this DPA?
Our previous DPA has been updated to include the Standard Contractual Clauses adopted by the European Commission to make it compliant with GDPR regulations. We ask that all of our customers doing business with EU citizens sign the updated DPA.
Our company isn’t in the EU, but we do have customers / prospects in the EU. Do I need to sign a DPA?
The data protection principles outlined in the GDPR are specific to the rights of EU citizens or people in the EU. If you have customers in the EU, you are likely processing data for EU citizens. There are restrictions against transferring and processing data outside of the EU. A Data Processing Agreement (DPA) is a lawful data transfer mechanism that allows you to transfer and process data outside of the EU. We ask that all of our customers doing business with EU citizens sign the updated DPA.