Overview

Heap’s capture controls provide a simple user interface for you to control which sites and/or pages that data is collected from, without needing to write code.

You can view the capture controls for your Heap account by navigating to Account > Manage > Privacy & security.

Notes:

• These settings are applied on a per environment basis. This means settings from one Heap environment don’t carry over to another.
• These settings are only applicable to Heap’s autocaptured data collection. For an overview of the privacy settings specific to session replay, see session replay privacy settings. 
• These settings are only applicable to data collected using the Heap web SDK.
• Block and Allow are opposites of each other. Review your data collection strategy to determine which works best for you. 
• Sites and pages requiring data collection must have the Heap web SDK client installed.

Capture user activity

At the top of the panel is the question What user activity should Heap capture? This is where you can modify which sites and/or pages Heap is allowed to capture data from.

Capture all data

By default, Capture will be selected in the capture controls. Heap will autocapture data on any page where the Heap SDK is installed. For an overview of Heap’s data model, see Autocaptured Data.

Block data capture

You can block data from being collected on a site or page by selecting the Block radio option in the panel.

This is useful if there are parts of your app, such as an internal testing subdomain, that you don’t want data collected from. Think of this selection as a blocklist that you can control from the Heap app, without using code.

Once this radio option is selected, a textbox will appear. You can input up to 100 different entries within this textbox. To add an entry, click inside the box, type the domain, subdomain, and/or pages you wish to block, and then press Enter or Comma on your keyboard. 

The entry will then display in the text box. Additional pages can be added by repeating this process. When finished, click the Save button at the bottom of the form.

Allow data capture

You can choose to only allow data collection from specific sites or pages by selecting the Allow radio option in the panel. This option will prevent data from being captured from any location that is not specified.

This is useful if you are concerned about data integrity and want to ensure bad actors have not set up duplicate versions of your app that could possibly send invalid data (such as fake data generated by bots) to your Heap account. Think of this selection as an allowlist that you can control from the Heap app, without using code.

Once this radio option is selected, a textbox will appear. You can input up to 100 different entries within this textbox. To add an entry, click inside the box, type the domain, subdomain, and/or pages you wish to block, and then press Enter or Comma on your keyboard. 

The entry will then display in the text box. Additional pages can be added by repeating this process. When finished, click the Save button at the bottom of the form.

User activity syntax rules

You can specify many different combinations of domains, subdomains, and/or pages within either the Blocklist or Allowlist using flexible syntax rules.

Domains

• Entering a full domain, such as heap.io will target all data on that domain and any subsequent paths and pages. For example, in this scenario, entering heap.io will target the root domain as well as heap.io/page1
• Entering a full domain does not target subdomains. For example, entering heap.io in the blocklist won’t prevent data from being collected on community.heap.io.
• To target a single subdomain, enter it into the textbox. 

Wildcards

• If you wish to target all subdomains, use a wildcard asterisk followed by the root domain. For example, *.heap.io would target all heap.io subdomains including community.heap.io and help.heap.io.
• Wildcard asterisks can also be added within a URL string to target any page which matches a specific url pattern. For example, if you wanted to prevent data from being collected within the admin section of your app, you can enter heap.io/admin/* which would target any url pattern which contains that string. 
• Only one wildcard asterisk can be used within a single entry. For example, heap.io/*/admin/* is not a valid entry.

URLs

• URLs with trailing slashes are stripped and evaluated the same as those without. For example, entering heap.io/ will be updated and evaluated the same as entering heap.io without a trailing slash.
• URLs containing either https or http will have the protocol stripped and evaluated as the same. For example, entering https://heap.io and http://heap.io will result in an entry of heap.io, which will be applied regardless of whether an https or http protocol is being used on your app. 

Capture HTML attributes

The next panel asks ​​Which HTML attributes should Heap redact?

HTML elements can have attributes, which are additional values that allow you to configure the HTML elements or adjust their behavior. To ensure privacy and regulatory compliance, Heap allows customers to configure what HTML attributes are being captured.

Capture all attributes

By default, Heap will autocapture many HTML attributes on any page where the Heap web SDK is installed. These data attributes are often used to define events that are being captured. For an overview of Heap’s data model, see Autocaptured Data.

Redact all attributes

You can prevent Heap from autocapturing all HTML attributes by selecting the Redact all attributes radio selection. Remember to click the Save button once you have made your selection. This option will prevent any HTML attribute, both standard HTML attributes as well as any custom or unique attributes, from being collected in Heap.

Redact specific attributes

A scenario may arise where some HTML attributes are being used to define events in Heap, but other attributes on your site contain sensitive information which you do not want to capture. In these instances, Heap provides the ability to redact specific attributes which may contain sensitive information. 

Select the Redact specific attributes radio selection. A textbox will appear to allow the entry of any attribute. To add an entry, click inside the box, type the attribute you wish to redact, and press Enter or Comma. 

The entry will then display as a pill within the text box. Repeat this process to add more pages. When finished, click the Save button at the bottom of the form.

Target text autocapture

The Target text autocapture toggle on will ensure we don’t capture any sensitive information that you might include in elements of your pages. Note that this setting only applies to web traffic.

JavaScript snapshots

Snapshots give you the ability to capture additional metadata that isn’t autocaptured by Heap out-of-the-box. 

In certain cases, you may want to disable snapshots to prevent users from making unwanted changes to your site. You can disable snapshots by toggling off the JavaScript snapshots toggle. 

If you don’t want to completely disable snapshots, you can manage who can or cannot create snapshots in your Heap account by going to the Roles settings.

IP Autocapture

By default, Heap captures a user’s IP address and uses this information to geolocate a user within a particular country, region, and city. For privacy reasons, you may not want to capture users’ IP addresses. 

To prevent the capture of IP Addresses, switch off the IP Autocapture toggle. A modal will appear asking you to confirm your choice. 

Geolocation Autocapture

By default, Heap uses a user’s IP address to geolocate them within a particular country, region , and city. For privacy reasons, you may not want Heap to identify users’ location from their IP address.

To prevent geolocation autocapture, switch off the Geolocation Autocapture toggle. A modal will appear asking you to confirm your choice. 

To delete information that has already been collected, contact us via the Get support page.