Session Replay and Privacy: How BugZap Stays GDPR Compliant

The Privacy Challenge

Session replay tools record user interactions on web pages — clicks, scrolls, mouse movements, and DOM changes. This is incredibly valuable for debugging, but it also means you might capture sensitive data.

How do you get the debugging benefits without the privacy risks?

BugZap's Privacy-First Approach

1. All Inputs Are Masked

BugZap uses the open-source rrweb library with automatic input masking enabled by default. This means:

  • Password fields show as masked characters
  • Text inputs show masked characters
  • Form data is never captured in plaintext
  • Credit card fields, search boxes, and all other inputs are masked
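
One way to verify the masking claim above on a captured recording (an added example, not BugZap's or rrweb's own code): walk an rrweb event stream and report any input value that is not made up entirely of mask characters. It covers full snapshots and input events only. The function name, the skipped input types and the sample events are assumptions of this example.

```javascript
// Numeric values follow rrweb's EventType, IncrementalSource and NodeType enums.
const FULL_SNAPSHOT = 2, INCREMENTAL = 3, INPUT_SOURCE = 5, ELEMENT = 2;
const MASKED = /^\**$/; // rrweb's default mask replaces each character with '*'
// Assumption of this example: these input types carry no user-typed text.
const SKIP_TYPES = new Set(['checkbox', 'radio', 'button', 'submit', 'reset']);

function findUnmaskedInputs(events) {
  const findings = [];
  const skipIds = new Set(); // node ids of inputs that are not audited
  const walk = (node) => {   // walk the serialized DOM of a full snapshot
    if (!node) return;
    if (node.type === ELEMENT) {
      const attrs = node.attributes || {};
      if (node.tagName === 'input' && SKIP_TYPES.has(attrs.type)) {
        skipIds.add(node.id);
      } else if (node.tagName === 'input' || node.tagName === 'textarea') {
        if (typeof attrs.value === 'string' && !MASKED.test(attrs.value)) {
          findings.push({ where: 'snapshot', id: node.id, length: attrs.value.length });
        }
      }
    }
    for (const child of node.childNodes || []) walk(child);
  };
  for (const ev of events) {
    if (ev.type === FULL_SNAPSHOT) {
      walk(ev.data.node);
    } else if (ev.type === INCREMENTAL && ev.data.source === INPUT_SOURCE) {
      const { id, text } = ev.data;
      if (!skipIds.has(id) && typeof text === 'string' && !MASKED.test(text)) {
        findings.push({ where: 'input-event', id, length: text.length });
      }
    }
  }
  return findings; // node id and length only, never the leaked value itself
}

// Constructed sample stream (not real BugZap data): node 5 is deliberately unmasked.
const el = (id, tagName, attributes, childNodes = []) =>
  ({ type: ELEMENT, id, tagName, attributes, childNodes });
const sampleEvents = [
  { type: 2, timestamp: 1, data: { node: { type: 0, id: 1, childNodes: [
    el(2, 'form', {}, [
      el(3, 'input', { type: 'email', value: '*****' }),
      el(4, 'input', { type: 'checkbox', value: 'on' }),
      el(5, 'textarea', { value: 'secret' }),
    ]) ] } } },
  { type: 3, timestamp: 2, data: { source: 5, id: 3, text: '******', isChecked: false } },
  { type: 3, timestamp: 3, data: { source: 5, id: 4, text: 'on', isChecked: true } },
  { type: 3, timestamp: 4, data: { source: 5, id: 5, text: 'secret!', isChecked: false } },
];
```

An empty result means no plaintext input value was found in the events checked; inputs added later through DOM mutation events are outside what this check inspects.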

2. Recording Only When You Choose

Unlike always-on session replay tools, BugZap only records when:

  • A user explicitly starts a bug reporting session
  • The recording is tied to a specific bug report
  • Recording duration is limited (30 seconds to 5 minutes depending on plan)

There is no passive, continuous recording.

3. Data Stays in Your Control

  • Replay data is stored in Supabase with Row-Level Security
  • Only project members can view recordings
  • Data is deleted when the bug report or account is deleted
  • No third parties have access to replay data

GDPR Compliance

BugZap is built with GDPR compliance from the ground up:

  • Lawful basis: Processing is necessary for contract performance (Art. 6(1)(b))
  • Data minimization: Only what's needed for debugging is captured
  • Right to erasure: Delete your account and all data is permanently removed within 30 days
  • Data Processing Agreement: Available for all customers
  • Sub-processor transparency: Full list at bugzap.dev/sub-processors
  • EU data storage: Supabase EU region available

Best Practices for Teams

  1. Inform your users — add session replay to your privacy policy
  2. Use CSS selectors to exclude sensitive page sections from recording
  3. Limit recording duration to what you need
  4. Review recordings promptly and delete bugs you no longer need
  5. Set up a Data Processing Agreement with BugZap if you are in the EU

The Bottom Line

Session replay does not have to be a privacy nightmare. With the right safeguards — input masking, explicit recording triggers, proper data handling, and GDPR-compliant infrastructure — you can get all the debugging benefits without compromising your users' privacy.

Get started with BugZap — privacy-first visual bug reporting for modern teams.
