
To support your app’s privacy requirements and align with your organization’s policies, Statsig provides multiple ways to control replay privacy:

* **Baseline privacy options** - Select from three preset privacy configurations. Each option applies a different level of text masking, helping you protect PII and sensitive data according to your app’s and users’ needs
* **Fine-grained privacy controls** - After choosing a baseline configuration, use CSS selector rules to mask, reveal, or block specific elements
* **Global Targeting Gate** - Use a feature gate to define which users are eligible for replays, ensuring you limit recordings to specific users or cohorts.

In the Statsig Console, you can configure your privacy settings under **Project Settings → Analytics & Session Replay**. You must be a project admin to modify these settings.

### Baseline privacy options

* **Passwords (Default)**: Statsig replaces only password inputs with asterisks (\*). All other text and inputs appear as-is.
* **Inputs**: Statsig replaces all text in inputs with asterisks (\*). All other text appears as-is.
* **Maximum**: Statsig replaces all text and inputs with asterisks (\*).

### Selector rules

Use CSS selectors to precisely control how individual elements are handled during session replay: masked, unmasked, or blocked.

* **Masking** and **unmasking** apply only to text content. Masked text is replaced with asterisks (\*).
* **Blocking** removes the element entirely from the replay and replaces it with a black placeholder of the same size.
* **You can't unmask password inputs**, regardless of selector rules.

Selector rules override the baseline privacy settings. When multiple selector rules apply to the same element, Statsig enforces the following precedence: **Block → Mask → Unmask**

The examples below show how precedence is enforced.

```js
// Everything within the blocked class will
// appear as a single black placeholder
<div class="blocked">
  <div id="masked">I will be part of the black placeholder</div>
  <button id="unmasked">I will be part of the black placeholder</button>
</div>
```

```js
// The closest rule will apply
<div>
  <div id="masked">Masked Text</div>
  <div id="masked">
    <button id="unmasked">Unmasked Text</button>
  </div>
</div>
```

```js
// With conflicting rules applied at the same level,
// the higher precedence will apply
<div>
  <button id="unmasked" className="masked">
    Masked Text
  </button>
</div>
```

```js
// With baseline privacy setting set to Maximum, all text is masked
// by default but this can be overwritten by unmasking
<div>
  <div>Masked Text</div>
  <div>
    <button id="unmasked">Unmasked Text</button>
  </div>
</div>
```

All selectors must be valid CSS selectors. For details on supported selector syntax, refer to MDN’s list of CSS selectors.

{% callout type="warning" %}
Using selector rules or baseline privacy settings besides Passwords will
overwrite the `maskTextFn`, `maskInputFn`, `maskTextSelector`, `maskAllInputs`,
`maskInputOptions`, and `blockSelector` options you passed in during
initialization.
{% /callout %}

### Global targeting gate

The Global Targeting Gate controls who is *eligible* for session recording. If a user doesn't pass this gate, Statsig never records their sessions. By default, this is set to Everyone, meaning there are no restrictions and Statsig can record anyone. This gate defines the upper bound of session recording eligibility.

{% callout type="warning" %}
If you are using bootstrapping, contact the Statsig team to confirm
your server SDK is supported.
{% /callout %}
