In the process of setting up your FullStory account, you set up exclusion rules to ensure sensitive customer information isn’t included in FullStory sessions. However, if you discover that sensitive data has been captured into your FullStory account, you’ll want to take the following actions to ensure you are in compliance with FullStory’s Terms & Conditions and Acceptable Use Policy.
- Immediately pause data capture
- Exclude sensitive data from future FullStory sessions
- Request assistance for removing sensitive data
- Resume data capture
Immediately pause data capture
If you suspect that sensitive data is still being captured, visit Settings > Data Capture & Privacy > Data Capture to immediately pause data capture.
What exactly is “sensitive data”?
Refer to FullStory’s Terms & Conditions for a definition of sensitive data, which is data that should always be excluded from FullStory sessions. The steps in this article apply specifically to sensitive data.
You may choose to set up exclusion rules for data that is not considered “sensitive”, per FullStory’s definition, but which for other reasons you’ve decided should be excluded from FullStory sessions. If you discover you accidentally captured other customer data of this type, you’ll want to choose which steps to follow, guided by your internal policies and commitments you’ve made to your customers. For data of this type, consider using FS.consent() to selectively capture data based on explicit user consent.
Exclude sensitive data from future FullStory sessions
You’ll now want to review and update your privacy rules and any excluded elements within your code base to ensure that sensitive data isn’t captured moving forward. If you experience any difficulty with this step, we recommend first connecting with your developers on the best element to set up a privacy rule for, since they are more familiar with your code base. However, if you’re unable to complete this step for any reason, please make note of this in your email response in the next step.
Request assistance for removing sensitive data
After you’ve updated your privacy rules, an account administrator should reach out to our Support team to request that the sensitive data be deleted from your account. This is a requirement, in line with FullStory's Terms & Conditions.
The FullStory Support team will require the following information:
- Confirmation that your privacy rules have been updated
- Link to a segment of impacted sessions (copied directly from your browser's address bar)
- An Admin's confirmation to process a deletion. If you're not an Admin, you can find your FullStory Admins listed under Settings > Account Management > Users.
It's important to note that deleting sessions does not free up your session quota, since quota is consumed at the time of capture. Additionally, once sessions are deleted, they cannot be recovered. Please double-check that the segment provided includes only the sessions you’d like to delete. If you require any help with drafting your segment, don’t hesitate to reach out to FullStory Support.
Resume data capture
Once the appropriate exclusion rules are in place, an Admin can visit your data capture settings page to re-enable data capture for your account.
Once data capture has resumed, we recommend reviewing your new sessions for the impacted pages/elements in question, to confirm that your privacy rules have been effective.