End User Data
How Request Metrics treats data about end users and things to consider when including custom data in your analytics.
By default, Request Metrics does not capture any personal data from your users, and cannot identify an individual based on our limited data. This makes Request Metrics ideal for analytics and monitoring for data-sensitive organizations that are concerned with GDPR, CCPA, HIPAA, or FERPA.
Request Metrics is extensible by allowing you to identify your users, send custom events, and include additional metadata. This data could be considered personal data, or make an individual identifiable. If so, you are responsible to disclose Request Metrics as a Data Processor and get appropriate user consent.
TIP: Concerned about sending personal data to us? We offer options for dedicated instances or on premise installations so you can hold all the data yourself. Contact Us to learn more.
How It Works
The Request Metrics browser agent creates a session timestamp for the visiting user and places it in the browser’s Local Storage. Local Storage is isolated to website origin, so there is no correlation to any other browsing history.
FACT: No Cookies. Ever. The browser agent doesn’t read or write cookies, so there is no mechanism for cross domain tracking.
When data is sent to Request Metrics, it includes the session timestamp so that we can group together all the activity that belongs to this visitor.
We roughly fingerprint the user so that we know if the same visitor returns later. That fingerprint is a one-way hash of the Website Token, IP Address, and Browser User Agent. After this fingerprint is made, the IP Address is discarded. The fingerprint cannot be used to follow a user across websites or accounts because it is salted with the current website’s token.
FACT: Request Metrics does not store IP Addresses for any visitors.
When recording user activity, such as a click or input, the browser agent is careful to exclude any data about the activity that could be personally identifiable. We only record generic attributes about the element that was clicked, such as it’s
class properties. When a user is interacting with a form, we only capture the shape of data entered, such as
13 numeric characters, never the input itself.
FACT: Request Metrics does not keep video sessions, which are impossible to keep sensitive data from being included in.