Session Replay
Capture and replay visitor sessions to understand user behavior and optimize your website experience with HIPAA-compliant session replay.
Go beyond events and actually see what your users did on their journey. HIPAA-compliant session replay enables you to capture and replay visitor sessions to understand user behavior and optimize your website experience. You can access replay sessions through recent events and event analytics to see all events from that session for a visitor along with their actual session replay.
Overview
Session Replay provides:
- Complete session replays of visitor interactions on your website
- Event correlation linking captured sessions to specific events and analytics
- HIPAA-compliant session replay designed to support privacy and security for sensitive applications
- Automatic session management with data collection and server flushing handled automatically
- Privacy controls with configurable masking and blocking options
Use Cases
- User behavior analysis to understand how visitors navigate your site
- Conversion optimization by identifying friction points in user journeys
- Support and troubleshooting by replaying specific user sessions
Configuration
Enable Session Replay
Session Replay must be enabled by your account team. Contact your account representative to activate this feature for your account.
Domain Whitelisting
After enabling Session Replay, you need to whitelist the domains where session replay will occur:
- Add your website domain to the allowed domains list
- For optimal performance, use the same custom domain as your CDP or SDK installation
- Custom domains provide first-party trust and can help with compliance requirements
Note: If you have a custom domain configured for your Ours Privacy account, you can load Session Replay from your own first-party custom domain as well.
Installation
You can install Session Replay in two ways:
- Through the Ours Privacy CDP Web SDK (recommended)
- As a standalone SDK (for advanced use cases)
Option 1: Install with Ours Privacy CDP Web SDK
If you're already using the Ours Privacy Web SDK, you can add Session Replay by including your replay token in the initialization:
```javascript
ours("init", "{cdp_token}", {
  session_replay: {
    token: "replay_token",
  },
});
```

Replace `{cdp_token}` with your CDP token and `replay_token` with the Session Replay token provided by your account team.
Option 2: Install with Google Tag Manager
You can also load Session Replay through Google Tag Manager by adding the Session Replay script to your GTM container.
Option 3: Standalone SDK
Note: You do NOT need to use the standalone SDK if you're using the Ours Web SDK or Google Tag Manager. This option is only for advanced use cases where you need direct control over the Session Replay functionality.
For advanced use cases, you can use the standalone Session Replay SDK:
```javascript
// Initialize the SDK
window.ours_replay.init({
  session_id: "your_session_id",
  visitor_id: "your_visitor_id",
  maxSessionMinutes: 30, // optional
});

// Start capturing session data
window.ours_replay.start();

// Stop capturing session data
window.ours_replay.stop();

// Flush data to server
await window.ours_replay.flush();
```

Standalone SDK Methods
| Method | Description | Parameters |
|---|---|---|
| `init(options)` | Initialize the Session Replay SDK | `InitOptions` |
| `start()` | Begin capturing the current session | None |
| `stop(options)` | Stop capturing the current session | `StopOptions` |
| `flush()` | Send captured data to server | None |
| `setSessionId(sessionId)` | Update the session ID | `string \| null` |
| `getStatus()` | Get current capture status | None |
Type Definitions
```typescript
export type InitOptions = {
  maxSessionMinutes?: number;
  session_id: string;
  visitor_id: string;
};

export type StopOptions = {
  discard?: boolean;
};
```

Privacy Settings
Session Replay includes comprehensive privacy controls to protect sensitive information:
Default Privacy Settings
Session Replay comes with these default privacy settings enabled:
- `maskAllInputs: true` - Automatically masks all input fields
- `captureCanvas: false` - Disables canvas capture by default
- `collectFonts: true` - Collects font information for accurate rendering
Privacy Control Classes
HIGHLY RECOMMENDED: Add these CSS classes to elements throughout your application to control what gets captured and protect user privacy:
```html
<!-- Block element completely from capture -->
<div class="op-session-replay-block">Sensitive content</div>

<!-- Ignore element during capture -->
<div class="op-session-replay-ignore">Non-essential content</div>

<!-- Mask text content -->
<div class="op-session-replay-mask">Sensitive text</div>
```

Important Privacy Controls to Implement:
- Add `op-session-replay-block` to any elements containing sensitive data (PII, PHI, payment info, passwords)
- Add `op-session-replay-mask` to text elements that may contain personal information
- Add `op-session-replay-ignore` to non-essential UI elements to reduce data size
- Review all form inputs - they are automatically masked, but consider additional blocking for highly sensitive fields
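One way to review form inputs before release is to lint templates for sensitive fields that are not inside an `op-session-replay-block` subtree. This is an added example, not Ours Privacy code: the function names, the token list and the sample markup are assumptions, it assumes a blocked element's descendants are not captured, and it reads only double-quoted attributes in static HTML.

```javascript
// Added example: lint for sensitive form fields that sit outside a blocked subtree.
// The token list and function names are assumptions; tune them to your own forms.
const BLOCK_CLASS = "op-session-replay-block";
const VOID_TAGS = new Set(["input", "br", "img", "hr", "meta", "link"]);
const SENSITIVE_TOKENS = new Set(["password", "ssn", "dob", "diagnosis", "cc", "card", "cvv"]);

// Read one double-quoted attribute value from a tag's attribute text.
function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i").exec(attrs);
  return m ? m[1] : "";
}

function findUnblockedSensitiveFields(html) {
  const findings = [];
  const stack = []; // open elements, each { tag, blocked }
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[2].toLowerCase();
    const attrs = m[3];
    if (m[1]) { // closing tag: unwind to the matching open element
      const i = stack.map((e) => e.tag).lastIndexOf(tag);
      if (i !== -1) stack.length = i;
      continue;
    }
    // Assumption: a block class on any ancestor covers the whole subtree.
    const inherited = stack.length > 0 && stack[stack.length - 1].blocked;
    const blocked = inherited || attr(attrs, "class").split(/\s+/).includes(BLOCK_CLASS);
    if (["input", "textarea", "select"].includes(tag) && !blocked) {
      const hints = ["type", "name", "id", "autocomplete"].map((a) => attr(attrs, a)).join(" ");
      const tokens = hints.toLowerCase().split(/[^a-z0-9]+/);
      if (tokens.some((t) => SENSITIVE_TOKENS.has(t))) {
        findings.push(attr(attrs, "name") || attr(attrs, "id") || tag);
      }
    }
    if (!VOID_TAGS.has(tag) && !attrs.trim().endsWith("/")) stack.push({ tag, blocked });
  }
  return findings;
}

// Constructed sample markup.
const SAMPLE_FORM = `
<form>
  <input type="text" name="search">
  <div class="field op-session-replay-block">
    <label>SSN</label><input type="text" name="ssn">
  </div>
  <input type="password" name="account_password">
  <textarea name="diagnosis_notes"></textarea>
</form>`;
```

Run `findUnblockedSensitiveFields` over rendered templates in CI and fail the build on a non-empty result; it does not see markup created at runtime.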
Data Retention
- Data retention: Session replays are automatically removed after 90 days (default)
- Automatic cleanup: No manual intervention required for data lifecycle management
- Custom retention: Contact your account team to modify the retention period if needed
Accessing Session Replays
Once Session Replay is configured and capturing:
- Navigate to your Ours Privacy dashboard
- View recent events in your event analytics
- Click on any event to see associated session information
- Access the session replay to view the complete visitor session
- Review all events from that session along with the visual replay
Browser Support
Session Replay supports all modern browsers:
- Chrome (latest and previous major version)
- Firefox (latest and previous major version)
- Edge (latest and previous major version)
- Safari (latest and previous major version)
- Mobile browsers (iOS Safari, Chrome Mobile)
FAQs
How long are sessions captured?
Sessions are captured for the duration of the visitor's session, with a default maximum of 30 minutes per session. This can be configured during setup.
What data is captured in session replays?
Session replays capture user interactions, page navigation, form inputs (with privacy controls), and visual changes to the page. Sensitive data can be masked or blocked using privacy classes.
Is Session Replay HIPAA-compliant?
Session Replay is designed to support HIPAA compliance with configurable privacy controls and secure data handling. Ours Privacy offers a Business Associate Agreement (BAA) for healthcare organizations. Work with your team to determine what works for your situation, and make sure your consent management is properly configured. For more details, see the HHS guidance on HIPAA and online tracking.
Can I control what gets captured?
Yes, you can use CSS classes to block, ignore, or mask specific elements and content during capture. You can also use the SDK to start and stop capturing programmatically, which is useful for starting capture after consent is given or stopping when consent is withdrawn.
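The consent-driven start and stop described in this answer, sketched over the standalone SDK methods listed earlier. This is an added example, not Ours Privacy code: `createReplayConsentGate`, the recording stub and the sample IDs are hypothetical, and it assumes `stop({ discard: true })` drops unsent data and that `start()` may be called again after `stop()`.

```javascript
// Added example: consent gate over the standalone SDK methods documented on this page.
// createReplayConsentGate, makeRecordingStub and the sample IDs are hypothetical names.
function createReplayConsentGate(replay, ids) {
  let initialized = false;
  let capturing = false;
  return {
    // Wire to the consent manager's "granted" callback.
    grant() {
      if (capturing) return false; // consent callbacks can fire more than once
      if (!initialized) {
        replay.init({ session_id: ids.session_id, visitor_id: ids.visitor_id });
        initialized = true;
      }
      replay.start();
      capturing = true;
      return true;
    },
    // Wire to the "withdrawn" callback. Assumption: discard: true drops
    // captured data that has not been sent yet (the page lists the option
    // without describing it).
    revoke() {
      if (!capturing) return false;
      replay.stop({ discard: true });
      capturing = false;
      return true;
    },
    isCapturing: () => capturing,
  };
}

// Constructed stand-in for window.ours_replay that records each call.
function makeRecordingStub() {
  const calls = [];
  const record = (name) => (arg) => {
    calls.push(arg === undefined ? name : `${name} ${JSON.stringify(arg)}`);
  };
  return { calls, init: record("init"), start: record("start"), stop: record("stop") };
}

// Constructed walk-through: nothing is captured until grant() runs.
function demoConsentFlow() {
  const stub = makeRecordingStub();
  const gate = createReplayConsentGate(stub, { session_id: "s-1", visitor_id: "v-1" });
  const before = stub.calls.length; // page loaded, no consent yet
  gate.grant();
  gate.grant(); // duplicate callback, ignored
  gate.revoke();
  gate.grant(); // consent given again: start() only, no second init()
  return { before, calls: stub.calls };
}
// In the browser: const gate = createReplayConsentGate(window.ours_replay, { ... });
```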
How do I access captured sessions?
Captured sessions are accessible through your Ours Privacy dashboard by clicking on events in your analytics to view associated session replays.
Is session replay data stored securely?
Yes, all session replay data is encrypted and stored securely with automatic cleanup after 90 days to help support compliance with privacy regulations.
Is Session Replay included in the CDP SLA?
No, Session Replay is not included in the CDP SLA and is provided as a separate service.