Heatmaps and Session Recordings are client-side features that rely on browser-side JavaScript execution. Matomo applies data minimisation techniques to reduce the risk of processing personal data.

While these measures reduce the risk of identifying individuals, the data collected by Heatmaps and Session Recordings may not be fully anonymised and should be treated as pseudonymised under the GDPR. In addition, because Heatmaps and Session Recordings require access to the visitor's terminal device, prior consent is required under the national laws implementing the ePrivacy Directive. This interpretation is confirmed by the CNIL, which explicitly states that Heatmaps and Session Recordings fall outside the scope of consent-exempt analytics.

Data collection for Heatmaps and Session Recordings

A JavaScript script runs in the visitor's browser to capture user interactions such as mouse movements, clicks, and scroll behaviour. Only structural metadata is collected, such as the DOM hierarchy, element positions, and interaction coordinates, and content is masked where appropriate.

Matomo is designed to limit the capture of personal data. The Heatmap and Session Recording scripts are injected via matomo.js and executed entirely in the browser. To apply data minimisation before any data is transmitted to the Matomo server, the script will:

  • Mask all <input>, <textarea>, and password fields.
  • Ignore or mask visible content based on data-matomo-unmask, data-matomo-mask, or automatic masking rules.
  • Reduce the DOM to a lightweight, sanitised representation needed for replay (e.g. element position, mouse events, scroll depth).
  • Exclude text nodes and element attributes unless explicitly whitelisted.

In short, Matomo applies client-side data minimisation: form fields and sensitive elements are masked before any data is sent, and only structural metadata such as element positions and interactions is collected. Sensitive fields such as passwords and credit card inputs are always masked, and data is transmitted over HTTPS; together these measures reduce the risk of re-identification.

Keystroke recording

Since version 3.2.0, keystroke recording is disabled by default. If enabled in the Heatmap/Session Recording configuration, any captured keystrokes are masked client-side, e.g., typing an email address will appear as ************ in session replays.

To record keystrokes in plain text for specific fields:

  • Enable keystroke capture in your Heatmap/Session Recording settings.
  • Then add the data-matomo-unmask attribute to the individual form fields in your HTML. Learn more about unmasking keystrokes.

Even with unmasking enabled, some fields (e.g. password and credit card inputs) are always masked to prevent the recording of sensitive information. Refer to the list of permanently masked fields.

Masking page content

To exclude non-form content (e.g. <div>, <p>) that may contain sensitive data, you can:

  • Add data-matomo-mask="true" to the HTML element.
  • Use data-matomo-mask on child elements, even if the parent is whitelisted with data-matomo-unmask.

This ensures full control over what content appears in replays or Heatmaps.
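To make the keystroke and page-content masking rules above concrete, here is an added example (not Matomo's own matomo.js code) that applies them to a small constructed node tree instead of a live DOM: the nearest data-matomo-mask / data-matomo-unmask attribute decides, a child mask overrides a parent unmask, nothing is kept without an explicit whitelist, and password and credit card inputs stay masked regardless. The credit-card detection via autocomplete="cc-*" and the node shape are assumptions made for this example.

```javascript
// Added illustration (not Matomo's own code) of the masking rules described above,
// run on a constructed node tree instead of a live DOM so it works offline:
// an element is {tag, attrs, children}, a text node is a plain string.
const MASK_CHAR = "*";
// Fields that stay masked even under data-matomo-unmask. The credit-card test
// (autocomplete="cc-*") is an assumption for this example, not Matomo's rule.
function isPermanentlyMasked(node) {
  if (node.tag !== "input") return false;
  const attrs = node.attrs || {};
  const type = (attrs.type || "text").toLowerCase();
  return type === "password" || (attrs.autocomplete || "").toLowerCase().startsWith("cc-");
}
// The nearest data-matomo-mask / data-matomo-unmask on the element or an ancestor
// decides (a child mask overrides a parent unmask); with no attribute anywhere,
// content is excluded by default.
function shouldMask(node, ancestors) {
  if (isPermanentlyMasked(node)) return true;
  for (const el of [node, ...ancestors]) {
    const attrs = el.attrs || {};
    if (attrs["data-matomo-mask"] === "true") return true;
    if (attrs["data-matomo-unmask"] === "true") return false;
  }
  return true;
}
const maskText = (s) => MASK_CHAR.repeat(s.length);
// Reduce a subtree to the lightweight replay shape: tag, masking flag, field
// value (keystrokes) and text, with masked content replaced by asterisks.
function sanitize(node, ancestors = []) {
  const masked = shouldMask(node, ancestors);
  const out = { tag: node.tag, masked, children: [] };
  if (node.attrs && node.attrs.value !== undefined) {
    out.value = masked ? maskText(node.attrs.value) : node.attrs.value;
  }
  for (const child of node.children || []) {
    out.children.push(typeof child === "string"
      ? (masked ? maskText(child) : child)
      : sanitize(child, [node, ...ancestors]));
  }
  return out;
}
// Constructed sample: a whitelisted form containing a masked block and a
// password field that must stay masked despite the parent's unmask attribute.
const SAMPLE_PAGE = {
  tag: "form", attrs: { "data-matomo-unmask": "true" }, children: [
    { tag: "input", attrs: { type: "email", value: "a@example.com" } },
    { tag: "input", attrs: { type: "password", value: "hunter2" } },
    { tag: "p", attrs: { "data-matomo-mask": "true" }, children: ["Account 1234"] },
    { tag: "p", attrs: {}, children: ["Visible help text"] },
  ],
};
```

Calling sanitize(SAMPLE_PAGE) keeps the email value and help text (whitelisted by the form), while the password value and the masked paragraph come back as asterisks of the same length.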

Transmission protocols

  • Data is sent via standard Matomo tracking requests (e.g. /matomo.php) and stored as structured JSON events.
  • All data in Matomo Cloud is transmitted over HTTPS with TLS encryption, and Cloud instances are hosted in privacy-compliant regions (e.g. EU for GDPR).

Privacy and data handling

  • All sensitive data is masked in the browser before being sent to the Matomo server (Cloud or On-Premise).
  • No raw page content or form data is transmitted unless explicitly whitelisted (and even then, sensitive fields are protected).
  • The features are fully JavaScript-based and do not apply in server-side analytics environments.
  • When using the Matomo Heatmap and Session Recording features with cookie-based tracking, a first-party session cookie named _pk_hsr is set to support accurate tracking of user interactions during a visit.

Read more on privacy for Heatmaps and Session Recordings and consent manager integration.
