What to do if sensitive data has been captured

In the process of setting up your Fullstory account, you set up exclusion rules to ensure sensitive customer information isn’t included in Fullstory sessions or data studio. However, if you discover that sensitive data has been captured into your Fullstory account, you’ll want to take the following actions to ensure you are in compliance with Fullstory’s Terms & Conditions and Acceptable Use Policy.

  1. Immediately pause data capture
  2. Exclude sensitive data from future Fullstory sessions
  3. Request assistance for removing sensitive data
  4. Resume data capture

Immediately pause data capture

If you suspect that sensitive data is still being captured, visit Settings > Data Capture & Privacy > Data Capture to immediately pause data capture.

What exactly is “sensitive data”?

Refer to Fullstory’s Terms & Conditions for a definition of sensitive data, which is data that should always be excluded from Fullstory sessions. The steps in this article apply specifically to sensitive data.

You may choose to set up exclusion rules for data that is not considered “sensitive”, per Fullstory’s definition, but which for other reasons you’ve decided should be excluded from Fullstory sessions. If you discover you accidentally captured other customer data of this type, you’ll want to choose which steps to follow, guided by your internal policies and commitments you’ve made to your customers. For data of this type, consider using FS.consent() to selectively capture data based on explicit user consent.

Exclude sensitive data from future Fullstory sessions

Next, review and update your privacy rules and any excluded elements within your code base to ensure that sensitive data isn’t captured moving forward. If you experience any difficulty with this step, we recommend first connecting with your developers about the best element to set up a privacy rule for, since they are more familiar with your code base. However, if you’re unable to complete this step for any reason, please make note of this in your email to Support in the next step.

Request assistance for removing sensitive data

After you’ve updated your privacy rules, an account administrator should contact our Support team to request that the sensitive data be deleted from your account. This is a requirement, in line with Fullstory's Terms & Conditions.

The Fullstory Support team will require the following information:

  • Confirmation that your privacy rules have been updated
  • Link to a segment of impacted sessions (copied directly from your browser's address bar), or the time period in which sensitive data was captured if you're a Data Direct customer 
  • An Admin's confirmation to process a deletion. If you're not an Admin, you can find your Fullstory Admins listed under Settings > Account Management > Users.

It's important to note that deleting sessions does not free up your session quota, since this is consumed at time of capture. Additionally, once sessions are deleted, they cannot be recovered. Please double check to ensure that the segment provided only includes the sessions you’d like to delete. If you require any help with drafting your segment, don’t hesitate to reach out to Fullstory Support.

Resume data capture

Once the appropriate exclusion rules are in place, an Admin can visit your data capture settings page to re-enable data capture for your account.

Once data capture has resumed, we recommend reviewing new sessions for the impacted pages/elements in question to confirm that your privacy rules have been effective.
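
One way to check excluded elements in your code base before resuming capture, as an added example that is not Fullstory's own code: it scans a page template for form fields whose name or id looks sensitive and reports any that are not covered by the `fs-exclude` class on the field or an ancestor. The field-name patterns, the function name and the sample markup are assumptions; privacy rules defined by selector in Settings are not visible to this check, and it expects well-formed markup.

```javascript
// Added example (not Fullstory code): list sensitive form fields that no
// fs-exclude class covers, either on the field itself or on an ancestor.
const SENSITIVE = /ssn|card|cvv|passport/i; // assumed patterns; use your own
const VOID = new Set(["input", "br", "img", "hr", "meta", "link"]);
const FIELDS = new Set(["input", "textarea", "select"]);

function findUnexcludedFields(html) {
  const findings = [];
  const stack = []; // per open element: is it, or an ancestor, excluded?
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (closing) { stack.pop(); continue; } // assumes tags are balanced
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3];
    }
    const classes = (attrs.class || "").split(/\s+/);
    const inherited = stack.length > 0 && stack[stack.length - 1];
    const excluded = inherited || classes.includes("fs-exclude");
    const label = attrs.name || attrs.id || "";
    if (FIELDS.has(name) && SENSITIVE.test(label) && !excluded) {
      findings.push(label);
    }
    // Void and self-closing elements have no children to inherit exclusion.
    if (!VOID.has(name) && !/\/\s*$/.test(attrText)) stack.push(excluded);
  }
  return findings;
}

// Constructed sample template, not taken from any real site.
const SAMPLE = `
<form>
  <div class="fs-exclude">
    <input name="card_number">
    <input name="cvv">
  </div>
  <input name="ssn" class="field">
  <input name="email">
  <textarea id="passport-notes"></textarea>
</form>`;

console.log(findUnexcludedFields(SAMPLE));
```

Fields it reports are candidates for a privacy rule or an `fs-exclude` class before an Admin re-enables capture.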

