PII Controls & Redaction

UI Zap captures helpful context to make issues reproducible while protecting sensitive information. This page explains what we redact by default and how redaction applies across captured data types.

Default redaction rules

  • Inputs and forms
    • Password fields and credit‑card inputs are redacted by default in screenshots, recordings, and session replay.
    • For replay and repro steps, we capture interaction events (e.g., input/change) without storing sensitive plaintext values.
  • Network
    • Request authorization headers are redacted.
    • Response bodies are redacted to avoid collecting sensitive payloads.

How redaction applies

  • Console logs
    • We record console messages and errors to aid debugging. When common secret patterns are detected in known fields, we redact those values.
    • As a best practice, avoid logging secrets (tokens, credentials) in app code.
  • Network requests
    • Method, URL, status, and timing are retained for debugging.
    • Authorization headers and response bodies are redacted by default.
  • Environment
    • Non‑PII page context (URL, title), viewport, browser/OS, locale, and time zone are captured to reproduce issues. These do not include sensitive user content.
  • Reproduction cues
    • We record high‑level interactions (clicks, navigation, form events) and element references to help locate issues.
    • For inputs, we avoid storing sensitive plaintext values and focus on event timing and element targeting.
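
The "avoid logging secrets" advice above, and the fact that request URLs are retained, can be handled in app code before anything reaches the console or a URL. The following is an added example, not UI Zap code: the function names, the key list, and the value patterns are assumptions chosen for illustration and do not describe UI Zap's own detection rules.

```javascript
// Added example: app-side scrubbing before values reach console.* or a request URL.
// SENSITIVE_KEYS and VALUE_PATTERNS are assumed, illustrative rules (not UI Zap's).
const SENSITIVE_KEYS =
  /^(authorization|password|passwd|secret|token|access_token|refresh_token|api[_-]?key|session|cookie)$/i;
const VALUE_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g,                      // Bearer credentials in free text
  /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,   // JWT-shaped strings
];
const MASK = '[REDACTED]';

// Mask secret-looking substrings inside a free-text message.
function scrubString(s) {
  return VALUE_PATTERNS.reduce((out, re) => out.replace(re, MASK), s);
}

// Recursively copy a value, masking sensitive keys and secret-looking strings.
// The WeakSet guards against cycles (a repeated reference is also collapsed).
function scrubValue(value, seen = new WeakSet()) {
  if (typeof value === 'string') return scrubString(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.test(k) ? MASK : scrubValue(v, seen);
  }
  return out;
}

// Mask sensitive query parameters; path, host, and other parameters are kept.
function scrubUrl(url) {
  const u = new URL(url);
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_KEYS.test(key)) u.searchParams.set(key, MASK);
  }
  return u.toString();
}

// Drop-in wrapper: safeLog(console.log, 'login failed', { user, password }).
function safeLog(logger, ...args) {
  logger(...args.map((a) => scrubValue(a)));
}
```

Key-name matching catches structured values, and the value patterns catch secrets embedded in message strings; neither replaces keeping credentials out of log calls in the first place.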

Storage & transfer

  • Local first
    • No data is sent to our servers until you choose to create a ticket.
    • Data is stored locally while you work, and older data is periodically purged to limit storage usage.
  • When you submit
    • UI Zap includes your capture (screenshot/video/replay) plus context (logs, network metadata, environment), with the default redactions above applied.

Manual redaction tools

  • Use Blur/Pixelate in the annotation toolbar on the review page to hide specific regions.
  • If you see a sensitive value in a console message or note, you can remove or obfuscate it before creating the ticket.

Roadmap & requests

  • We plan to add configurable rules (e.g., CSS selectors, field names, or domain scopes) based on demand.
  • If you need a specific control or exemption, please contact [email protected].