For the data you capture using FullStory on your site, FullStory will be the Data Processor. Before allowing FullStory to process any personal data, you must ensure you have proper legal basis as the Data Controller.
What is considered “personal data?”
According to the GDPR, personal data is any information relating to an identified or identifiable individual, which could mean any information that could be used either on it’s own or in conjunction with other data, to identify an individual.
Sensitive personal data, such as social security numbers, passwords, health information, or information that suggests a person’s racial or ethnic origin will require even greater protection under the GDPR. This kind of sensitive personal data should never be captured by FullStory (it’s against our Acceptable Use Policy) and we have provided some easy-to-use tools that allow you to exclude sensitive data from ever being captured by FullStory.
How might you capture personal data with FullStory?
There are two types of personal data you can send to FullStory.
- You can actively send things like name, email address, company, etc. to FullStory using our API or one of our integrations.
- You can also passively send personal information that your visitors are typing into fields or that might get displayed on pages of your website or app that FullStory captures simply because we are capturing the page. In the case of passively captured information, you have full control over which fields or elements are excluded and it is important that you exclude the personal data that you do not want FullStory to capture.
What does it mean to allow FullStory to process personal data?
FullStory hosts data as part of the service it provides to its customers, but doesn’t make any claim to said data, similar to the way a bank provides safe deposit boxes. Websites using FullStory have sole ownership of and access to captured data.
How can I know what data I have on any specific user?
Use the data download option for a user when / if you are asked to provide personal that FullStory may have processed for your users.