7 min read · Nevision Team

GDPR-compliant session recording: what to mask and why

Session recording occupies a gray zone in GDPR conversations. Some legal teams reflexively ban it; others approve it without reading the docs. The truth is in the middle: session recording can be run in compliance with GDPR when you mask personal data properly (the GDPR term for what this post, like most vendor docs, calls personally identifiable information or PII), set a retention period you can justify, and have a Data Processing Agreement (DPA) in place with your vendor. One point that the rest of this post assumes: masking has to happen in the browser before the recording leaves the page. Anything masked only at playback has already been stored by the vendor.

What MUST be masked

  • Passwords. Always. Recorders generally mask input type="password" by default, but that default only catches that input type: a "show password" toggle that flips the field to type="text", or a one-time code typed into a plain text field, is not covered. Verify yours handles those.
  • Credit card numbers, CVV, expiry. PCI DSS forbids storing the CVV at all after authorization and requires the card number (PAN) to be unreadable wherever it is stored, and a recording is storage. Mask the inputs and the rendered display (order confirmation pages and saved-card lists included).
  • Email addresses, whether typed into a form or displayed in the account area. An email address identifies a person and is personal data under GDPR.
  • National ID numbers, SSNs, passport numbers, driver's licence numbers.
  • Health, biometric and genetic data, data on sex life or sexual orientation, and the rest of the GDPR Article 9 list (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership). This is special category data, which may only be processed under narrow conditions, so mask aggressively.

What you SHOULD mask

  • Phone numbers. A business switchboard number is not personal data; a personal mobile number is. Since you cannot tell which one a visitor typed, treat the field as personal by default.
  • Physical addresses entered into forms.
  • Date of birth.
  • Bank account / IBAN inputs.
  • Anything in a "personal information" or "billing details" form section.

What you DON'T need to mask (usually)

  • Public profile names, usernames, display names. These are still personal data where they identify someone, but they are already public on the site and the recording is of little use without them.
  • Search queries (unless they could reveal special category data, for example a symptom search on a health site).
  • Page navigation, button clicks, scroll position.
  • Pricing, product views, generic UI text.
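The three lists above are easy to state and easy to get wrong in a recorder's configuration, because "mask credit card fields" has to be turned into a rule over real form attributes, and the same data reappears as rendered text on confirmation pages. The block below is an added example, not Nevision's SDK or code from the page: a rule table that classifies a field as must / should / none from its type, name, id, autocomplete attribute and the section it sits in, plus a scrubber for card numbers (Luhn-checked so order numbers are not over-masked), email addresses and IBANs in rendered text. Field descriptors are plain objects so it runs in Node; the attribute names, keyword lists and the mask characters are my assumptions, and a real integration would read the descriptor off the DOM element.

```javascript
// Added example, not the Nevision SDK: the MUST / SHOULD / DON'T lists as a
// rule table over form-field descriptors, plus a scrubber for card numbers,
// emails and IBANs in rendered text (e.g. an order confirmation page).
// Descriptors are plain objects { type, name, id, autocomplete, section };
// a real recorder would build them from the element (assumption).

const MUST = 'must';     // always masked, no opt-out
const SHOULD = 'should'; // masked by default, explicit opt-out allowed
const NONE = 'none';

// Lower-case and turn separators into spaces so "billing[card_number]"
// becomes "billing card number" and word-boundary regexes work on it.
function normalise(f) {
  const clean = s => (s || '').toLowerCase().replace(/[_\-.\[\]]+/g, ' ').trim();
  return {
    type: clean(f.type),
    name: clean(f.name) + ' ' + clean(f.id),   // match on either attribute
    autocomplete: (f.autocomplete || '').toLowerCase(),
    section: clean(f.section),                 // e.g. nearest fieldset legend (assumption)
  };
}

// First matching rule wins, so the strictest rules come first.
const FIELD_RULES = [
  [MUST, f => f.type === 'password' || /password/.test(f.autocomplete)],
  [MUST, f => f.autocomplete.startsWith('cc-') || /\b(card|cvv|cvc|csc|pan)\b/.test(f.name)],
  [MUST, f => f.type === 'email' || f.autocomplete === 'email' || /email/.test(f.name)],
  [MUST, f => /\b(ssn|nin|national id|passport|licen[cs]e|tax ?id)\b/.test(f.name)],
  [MUST, f => /(health|diagnos|medic|biometric|genetic|orientation|religio|ethnic)/.test(f.name)],
  [SHOULD, f => f.type === 'tel' || f.autocomplete.startsWith('tel')],
  [SHOULD, f => /^(street-address|address-line\d|postal-code)$/.test(f.autocomplete) || /(address|postcode|zip)/.test(f.name)],
  [SHOULD, f => f.autocomplete.startsWith('bday') || /\b(dob|birth)/.test(f.name)],
  [SHOULD, f => /\b(iban|bic|account ?number|sort ?code)\b/.test(f.name)],
  [SHOULD, f => /(billing|personal)/.test(f.section)],
];

function classifyField(raw) {
  const f = normalise(raw);
  const hit = FIELD_RULES.find(([, test]) => test(f));
  return hit ? hit[0] : NONE;
}

// MUST fields get a fixed-length mask so not even the length of a password
// or CVV leaks; SHOULD fields keep their length so the replay stays readable.
function maskField(raw, value) {
  const level = classifyField(raw);
  if (level === MUST) return '********';
  if (level === SHOULD) return '*'.repeat(value.length);
  return value;
}

// Luhn check: only digit runs that pass are treated as card numbers, so
// order numbers and long phone numbers are left readable.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;                        // 13-19 digits, optional separators
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IBAN_RE = /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b/g;

// Scrub rendered text. IBANs go first so their digit groups cannot be
// re-matched as a card number afterwards.
function scrubText(text) {
  return text
    .replace(IBAN_RE, m => m.slice(0, 4) + '•'.repeat(m.replace(/\s/g, '').length - 4))
    .replace(EMAIL_RE, m => m[0] + '***@' + m.split('@')[1])
    .replace(CARD_RE, m => {
      const digits = m.replace(/\D/g, '');
      if (!luhnValid(digits)) return m;
      return '•'.repeat(digits.length - 4) + digits.slice(-4);  // keep last four, as a receipt does
    });
}
```

Two design points worth copying into a real configuration: the rule table is ordered so that a field matching both a MUST and a SHOULD rule is masked at the stricter level, and the scrubber runs on rendered text as well as inputs, because the "mask the rendered display" item above is the one most teams forget.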

Configure retention

GDPR Article 5(1)(e), the storage limitation principle, requires that personal data is kept "for no longer than is necessary" for the purpose it was collected for. Session recordings are personal data, so they need a retention period with a reason behind it. Default to 30-day retention unless you have a documented reason to keep recordings longer, and write that reason down. Nevision retention by plan: Free 30 days, Pro 90 days, Business 365 days. The plan limit is a ceiling, not a target.

Get the DPA

Article 28 requires a written contract, usually called a Data Processing Agreement, with any processor that handles personal data on your behalf. It has to cover the Article 28(3) terms: processing only on your documented instructions, confidentiality, security measures, conditions for sub-processors, help with data subject requests, and deletion or return of the data at the end of the service. Every reputable session recording vendor (Nevision included) signs a DPA on paid plans. Sign it before going to production with EU traffic.

Handle DSARs

Data Subject Access Requests (GDPR Article 15) and erasure requests (Article 17): if a user asks "what data do you have about me," you need to be able to find their session recordings and either export or delete them, and Article 12(3) gives you one month to respond. This requires attaching a stable user identifier to sessions, nevision.identify(userId), so you can search by it later. Use an opaque internal ID rather than an email address, because the identifier itself is stored alongside the recording. Sessions that were never identified cannot be matched to a requester afterwards.

Cookie consent

The ePrivacy Directive (the "cookie law", Article 5(3)) requires consent for any storage on, or access to information already stored on, the visitor's device that is not strictly necessary to provide the service the visitor asked for. Most European data protection authorities now treat session recording cookies (and equivalent localStorage entries) as non-essential. That means: get consent before initializing the recorder for EU visitors, not merely before the first upload, and stop recording when consent is withdrawn. The Nevision recorder accepts a consent: false option to defer init until your CMP signals consent.
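What "defer init until the CMP signals consent" looks like in practice, as an added example and not the Nevision SDK or code from this page: a small gate that keeps the recorder off while the consent platform has not answered or the visitor has declined, starts it on opt-in, and stops it and asks for a purge on withdrawal. The recorder interface (start, stop, purgeSession, record), the CMP signal shape ({ analytics: true|false }, or null while the CMP is still loading) and the purpose name are my assumptions; the stand-in recorder only counts calls so the lifecycle can be checked without a browser.

```javascript
// Added example, not the Nevision SDK: a consent gate around a session
// recorder. Recorder interface, CMP signal shape and purpose name are
// assumptions chosen for the example.

function createConsentGate(recorder, purpose = 'analytics') {
  let state = 'idle'; // idle -> recording -> stopped; never recording without consent

  return {
    // Called by the CMP every time the visitor's choice changes.
    onConsentChange(signal) {
      const granted = signal !== null && signal[purpose] === true;
      if (granted && state !== 'recording') {
        recorder.start();         // first cookie / storage access happens here, after opt-in
        state = 'recording';
      } else if (!granted && state === 'recording') {
        recorder.stop();          // withdrawal must be as easy as giving consent
        recorder.purgeSession();  // drop what was captured under the withdrawn consent
        state = 'stopped';
      }
    },
    // Events raised before opt-in are dropped, not buffered: buffering them
    // would still be processing personal data without a basis for it.
    record(event) {
      if (state === 'recording') recorder.record(event);
      return state === 'recording';
    },
    state: () => state,
  };
}

// Stand-in recorder that only counts calls (constructed for the example).
function fakeRecorder() {
  const calls = { start: 0, stop: 0, purge: 0, events: [] };
  return {
    calls,
    start: () => { calls.start += 1; },
    stop: () => { calls.stop += 1; },
    purgeSession: () => { calls.purge += 1; },
    record: e => { calls.events.push(e); },
  };
}

// A typical page lifecycle: CMP still loading, visitor declines, later
// accepts, then withdraws from the privacy settings page.
function runScenario() {
  const rec = fakeRecorder();
  const gate = createConsentGate(rec);
  gate.record('click:before-cmp');            // dropped, CMP has not answered yet
  gate.onConsentChange(null);                 // CMP loading: recorder stays off
  gate.onConsentChange({ analytics: false }); // declined: nothing to stop
  gate.record('click:declined');              // dropped
  gate.onConsentChange({ analytics: true });  // opt-in: recorder starts
  gate.record('click:consented');             // delivered
  gate.onConsentChange({ analytics: true });  // duplicate signal: no second start
  gate.onConsentChange({ analytics: false }); // withdrawal: stop and purge
  gate.record('click:withdrawn');             // dropped
  return { state: gate.state(), ...rec.calls };
}
```

The gate is deliberately the only thing that calls start(): if the recorder's own bootstrap is reachable from any other code path (a tag manager firing it unconditionally is the usual culprit), the consent check is bypassed no matter how the gate is written.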
