Depending on the type of sensitive information your users enter on your site, you may want Hotjar to not collect data from certain fields and elements. When doing so, Hotjar does not collect the data and instead sends an asterisk "***" or 1s "111" for each character.
Hotjar does the field/text suppressing before sending the data back to our servers. There is no way to retrieve the actual text used once a Recording has been made.
Suppressing input fields in Recordings
You can suppress all fields on your site by disabling the setting Record visitor keystroke data on this site which can be found by clicking on the edit pencil button next to your site in Sites & Organizations. This setting is site-specific.
Supressing Specific Elements in Recordings
Currently, Hotjar doesn't support image suppressing - only text within the tagged elements will be suppressed.
You can supress individual elements, both input fields, and regular text, by making a small modification to your site code, adding an attribute data-hj-suppress to the elements you wish to suppress.
Suppressing works recursively, so if you want to, for example, suppress an entire form it's enough to apply the attribute to the <form> tag.
This setting will apply to both Recordings and Heatmaps.
<!-- The below will suppress any characters typed in the field--> <input name="company" type="text" data-hj-suppress="" /> <!-- The below will suppress any characters typed in the field--> <textarea name="comments" data-hj-suppress=""></textarea> <!-- The below will suppress any characters displayed in the paragraph--> <p data-hj-suppress="">Suppress me</p> <!-- The below will suppress any characters displayed in any of the elements inside the span element--> <span data-hj-suppress> <p>Suppress this</p> <p>and this</p> </span>
Verifying Hotjar is properly suppressing input fields
Since Hotjar suppresses elements client-side rather than server-side for added privacy & security, you can verify this yourself. Below are the steps to confirm this.
Make sure your Recordings are turned on.
Open a new Google Chrome tab/window with the console panel open
You will need to make sure it is open on the Network tab. At Hotjar we use the Chrome developer tools because it is easier to see this type of data.
Go to a URL on your site where Recordings are enabled.
At least one field needs to be suppressed so you can confirm Hotjar is not sending the keystroke data.
In the Network tab, click on these items - funnel/filter icon > ws.
If Hotjar is recording you, there should be a websocket called ws. This is the websocket we use to stream the data from the visitor's browser to our servers. This includes in it every keystroke, click, page mutation, etc. Click on ws > Frames.
Steps to see data the Hotjar script sends through the websocket to our servers
Once done, a new frame should appear in the right panel in green, however, it is visually seen as a different row.
Copy the content of that frame
Paste it into a notepad
This way you will be able to see the full content of the frame. In it you should see something like this:
Extract from a websocket frame, showing that asterisk symbols are being sent rather than the actual user input.
The image above means that Hotjar tracked keystrokes on the #name field and asterisk symbols were sent to our servers rather than the actual user input as the field is being suppressed. You should see the same thing for your suppressed fields.
Why are my screenshots not being suppressed?
If the text containing sensitive data is not an input field, Hotjar will not be able to suppress it with this method. We do offer on-page text suppression for all email addresses and numbers. You can learn more in our Suppressing On-Page Text article.