Does Lucky Orange collect personally identifiable information?
It's important to know what kind of information Lucky Orange does and does not collect.
Out of the box, all data sent to our servers is anonymous. So, without changing any settings in Lucky Orange, all keystroke data is transmitted to our servers as asterisks. You simply see anonymous recordings of mouse movements, clicks, and scrolls. The only piece of personally identifiable information might be the IP address (according to some countries). Because of this, we also include a feature that anonymizes each visitor's IP address by stripping off its last three digits. If your country's laws prohibit the collection of IP addresses, you should enable this feature.
Lucky Orange also has a feature called Extreme Privacy Mode. Extreme Privacy Mode ensures compliance with the Children's Online Privacy Protection Act, otherwise known as COPPA. This mode must be enabled if Lucky Orange is being used on a website directed at children aged 13 and under. For more information visit the COPPA compliance documentation.
Other than that, the only time Lucky Orange gathers any kind of personally identifiable information is if a site owner enables the following features and performs the necessary steps to make them work properly.
- Keystroke Logging
- Personal information found in the DOM
- Custom User Data
Keystroke Logging
It's possible to enable keystroke logging for specific fields on the site. However, for this to happen, you must do the following:
- Explicitly turn this feature on by unchecking the box labeled Do not record keystrokes in Settings » Privacy
- Next, you have to explicitly mark every field that is not collecting sensitive information as Not Sensitive, or Lucky Orange will continue obfuscating the input data.
So, if the website owner wanted to see what people type in a Quantity field or a color selection box, those would be good examples of fields to mark as Not Sensitive.
Furthermore, password fields will never be transmitted (even if the website owner marks them as Not Sensitive)
All website owners need to place this information in their own privacy policy if they choose to collect this type of data.
Personal Information in the DOM
Lucky Orange can and does record dynamically generated DOM for playback of sessions. This enables us to show you exactly what the visitor saw when the recording was made. For example, member's only pages, shopping cart contents, etc. This means if the HTML on the page a visitor visits has personal or sensitive information it may be transmitted and stored on our servers. It is your responsibility to enable one of our various privacy and sensitive masking features in order to prevent unwanted and sensitive data from being collected.
Custom User Data
If you already have a relationship with users on your system (perhaps they are logged in customers), you can choose to pass any custom data to our system and tie them to recordings or the Live Visitor view. This is no different than passing custom data into any other analytics package like Salesforce or Mixpanel, etc.