Comparison: Session Replay Tools

GDPR-Compliant Session Replay Tools with PII Masking: Full Comparison 2026

Which session replay tools are genuinely GDPR compliant with proper PII masking? Not all tools that claim compliance actually stop recording when a user rejects analytics, and default masking settings vary wildly across vendors. This guide compares the leading session replay tools on default PII masking behavior, EU data residency, HIPAA BAA coverage, GPC signal handling, consent state behavior, and pricing, so privacy, legal, and engineering teams can make an informed choice.

Quick summary

What to know before you choose

What it does

Session replay records the page as the visitor saw it and how they interacted with it: mouse movement, clicks, scrolls, form interactions, and, in developer-oriented tools, network requests, console output, and application state. Product and UX teams use the replay to understand exactly what happened during a session. The same fidelity is what makes the category a privacy risk: everything rendered on the page is a candidate for capture unless it is masked or excluded.

What to look for

Evaluate default form masking, EU data residency, HIPAA BAA availability, GPC signal handling, server-side relay options, and whether the tool truly stops recording on a consent reject.

Where Lokker fits

Lokker validates that session replay stops in reject and GPC states, detects every replay vendor across your portfolio regardless of how it was deployed, and enforces blocking on sensitive paths when consent fails.

The tools

Tools included in this comparison

Eight leading tools covering free, mid-market, and enterprise tiers, cloud and self-hosted deployment, and a range of privacy and compliance postures.

Microsoft Clarity

Free session recording, heatmaps, and frustration detection; cookieless.

Free · Cloud

Hotjar

Session recording, heatmaps, and user feedback surveys in one platform.

From ~$50/mo · Cloud + EU option

FullStory

Enterprise digital experience intelligence with high-fidelity session replay and DX Data analytics.

Enterprise pricing · Cloud + EU option

LogRocket

Session replay with JavaScript error monitoring and network request logging for product and engineering teams.

From ~$200/mo · Cloud + EU option

Mouseflow

Session recording with funnel analysis, form analytics, and GDPR-focused privacy defaults.

From ~$50/mo · Cloud + EU option

Glassbox

Enterprise session analytics with on-premises deployment for financial services and regulated industries.

Enterprise pricing · Cloud + on-premises

PostHog

Open-source product analytics platform with session replay, feature flags, A/B testing, and data warehouse exports.

Free · Cloud or self-hosted

Smartlook

Session recording and event analytics with native mobile SDKs at a competitive price point.

From ~$50/mo · Cloud + EU option

All product names and trademarks are property of their respective owners. Lokker is not affiliated with or endorsed by any of the companies listed. Pricing and feature information is based on publicly available data and may change; verify with each vendor before purchasing.

Feature comparison

Capability comparison matrix

How each tool compares across the dimensions that matter most for product, engineering, and privacy teams.

Full text matrix for all tools

Recording scope

Microsoft Clarity: Clicks, scrolls, mouse movement, and page structure; cookieless; all sessions captured
Hotjar: Clicks, scrolls, mouse movement; sampling by percentage or user attribute filters
FullStory: High-fidelity DOM capture including dynamic content; DX Data analytics layer on top
LogRocket: Full session with JavaScript errors, network requests, Redux state, and console logs
Mouseflow: Clicks, scrolls, movement, and form interactions; funnel and conversion path analysis
Glassbox: Full session with struggle detection and augmented journey analytics for enterprise
PostHog: Session recording integrated with product analytics events; self-hosted or EU cloud
Smartlook: Clicks, scrolls, movement; cross-platform web and native mobile recording

Heatmaps and click maps

Microsoft Clarity: Click maps, scroll maps, and area heatmaps included at no cost
Hotjar: Click maps, scroll maps, and move maps included in all plans
FullStory: DX Data heatmaps and click maps; segment-filtered heatmaps on higher plans
LogRocket: Heatmaps included on paid plans
Mouseflow: Click maps, scroll maps, movement maps, attention maps included
Glassbox: Struggle heatmaps and digital experience heatmaps
PostHog: Heatmaps included in the open-source and cloud product
Smartlook: Click maps and heatmaps included

Rage and frustration detection

Microsoft Clarity: Rage click and dead click detection; frustration score per session
Hotjar: Rage click detection and frustration signal filtering
FullStory: Rage click, error click, and thrash detection
LogRocket: Rage click detection and JavaScript error correlation
Mouseflow: Rage click, cursor thrash, and frustration score per session
Glassbox: Struggle score with rage click, form abandonment, and error tracking
PostHog: Rage click and dead click detection
Smartlook: Rage click detection

User identification and session tagging

Microsoft Clarity: Identify API accepting a custom user ID (hashed client-side before upload) plus custom tags via the Set API
Hotjar: Identify API for tagging sessions with user ID and custom attributes
FullStory: FS.identify() with user variables and session search by user attributes
LogRocket: LogRocket.identify() with traits and attribute-based session search
Mouseflow: User tagging with custom variables and segment filters
Glassbox: Recognized user session linking and attribute tagging
PostHog: posthog.identify() with rich person properties and session filtering
Smartlook: smartlook.identify() with custom properties and filtering

Native mobile app support

Microsoft Clarity: Web only; no native mobile SDK
Hotjar: Web only; mobile web recording supported
FullStory: Native iOS and Android SDKs with mobile-specific session replay
LogRocket: Native iOS and Android SDKs
Mouseflow: Web only
Glassbox: Native iOS and Android SDKs for enterprise mobile deployments
PostHog: Native iOS, Android, React Native, and Flutter SDKs
Smartlook: Native iOS, Android, React Native, and Flutter SDKs

Developer and analytics integrations

Microsoft Clarity: Google Analytics 4 and Microsoft Advertising UET integration
Hotjar: HubSpot, Segment, Jira, Slack, and over 30 integrations
FullStory: Segment, Amplitude, Heap, Salesforce, BigQuery, and data warehouse exports
LogRocket: Jira, GitHub, Segment, Amplitude, Sentry, and error monitoring platforms
Mouseflow: Google Analytics, Salesforce, and major CMP integrations
Glassbox: Enterprise analytics, CRM, and customer service platform integrations
PostHog: Sentry, HubSpot, Segment, dbt, and 50+ data warehouse and CDP destinations
Smartlook: Analytics, product analytics, and customer support tool integrations

Free tier

Microsoft Clarity: Fully free with no session or usage limits
Hotjar: Free for up to 35 daily sessions and 300 recordings per month
FullStory: No free tier; enterprise pricing on request
LogRocket: Free for up to 1,000 sessions per month
Mouseflow: Free for up to 500 recordings per month
Glassbox: No free tier; enterprise pricing on request
PostHog: Free for up to 5,000 sessions per month on cloud; fully free when self-hosted
Smartlook: Free for up to 3,000 sessions per month

Default data retention

Microsoft Clarity: 13 months (fixed; cannot be shortened)
Hotjar: 365 days (configurable on paid plans)
FullStory: 90 days default; longer retention available on higher plans
LogRocket: 30 days default; longer periods on paid plans
Mouseflow: 30 to 365 days depending on plan
Glassbox: Configurable per enterprise SLA
PostHog: 1 year on cloud; unlimited storage when self-hosted
Smartlook: 30 days on free plan; up to 90 days on paid plans

Session sampling controls

Microsoft Clarity: No sampling; all sessions are captured automatically
Hotjar: Percentage sampling and user attribute filtering
FullStory: Capture rules for URL targeting and attribute-based session sampling
LogRocket: Configurable sampling rate and attribute-based session targeting
Mouseflow: Sampling rate controls on all paid plans
Glassbox: Full capture and sampling modes configurable per property
PostHog: Configurable sampling rate in the session recording settings
Smartlook: Sampling controls available on paid plans

API and data export

Microsoft Clarity: No public API; GA4 export integration only
Hotjar: Recordings and heatmaps API on paid plans
FullStory: Data Export API; BigQuery and data warehouse exports on enterprise plans
LogRocket: Data export API; analytics and CDP destination integrations
Mouseflow: REST API on paid plans
Glassbox: Enterprise data export and API access
PostHog: Full REST API; SQL access; data warehouse exports and self-hosted data lake
Smartlook: REST API on paid plans

Does your tool actually stop in reject and GPC states?

Lokker Consent Validator runs automated browser sessions across every consent state and confirms at the network layer whether tools in this category still send requests when they should not.

Privacy and compliance

Privacy and compliance scorecard

The dimensions Lokker Privacy Edge evaluates when it detects session replay tools on your properties. Use this scorecard alongside the capability matrix when making your vendor decision.

Ratings on the original page are shown per vendor as Yes, Partial, No, or Unknown for Microsoft Clarity, Hotjar, FullStory, LogRocket, Mouseflow, Glassbox, PostHog, and Smartlook on the following privacy dimensions:

Password fields masked by default
Text inputs masked by default
GPC (Global Privacy Control) respected
EU data residency option
HIPAA BAA available
Block recording on specific URLs
Server-side relay or proxy option
Cookie-free mode
Configurable retention period
Published sub-processor list

Scores reflect publicly available product documentation as of 2026. Vendor capabilities change; verify current behavior with each vendor and through independent testing. "Partial" indicates the capability exists but requires non-default configuration, an additional plan tier, or has meaningful limitations.

Buyer guidance

How to choose the right tool for your context

Choosing among these session replay tools depends on your industry, infrastructure, privacy posture, and budget. Use these decision guides to narrow your evaluation.

Which tools offer genuine GDPR-compliant session replay with PII masking?

Mouseflow, Glassbox, and PostHog mask all text inputs by default, making them the strongest choices for GDPR-compliant deployments that prioritize PII masking out of the box. FullStory and LogRocket mask passwords by default but require configuration to mask general text fields. Microsoft Clarity's coverage depends on the masking mode configured in its dashboard plus any per-element CSS selectors; confirm the effective mode on your own property rather than assuming inputs beyond passwords are masked. Default masking is only part of the story: you must also confirm the tool stops recording entirely when a user rejects analytics, and that is a network-layer check (does any request leave the browser for the vendor in the reject state?), not something a vendor dashboard can tell you.

Lokker note: For teams that need strong default masking with minimal configuration overhead, Mouseflow or PostHog self-hosted are the most GDPR-aligned starting points. Pair any choice with Lokker Consent Validator to confirm the tool stops recording on reject and GPC states.

Healthcare or HIPAA-regulated properties

Only FullStory, LogRocket (enterprise), Glassbox, and PostHog (enterprise cloud) offer a HIPAA BAA. A self-hosted PostHog deployment keeps PHI on your own infrastructure, so no BAA with PostHog is needed as long as PostHog staff never access that deployment, but you then own every safeguard yourself. A BAA is necessary, not sufficient: recording must still be consent-gated and masked on any page that renders PHI. Clarity and Hotjar should not be used on any page that renders PHI or ePHI.

Lokker note: Validate that the tool you choose stops recording in reject and GPC states using Lokker Consent Validator, and confirm that your CMP gates the script correctly.

EU-first or GDPR-strict organizations

All listed vendors offer EU data residency, but residency alone does not satisfy GDPR. Require a DPA, confirm sub-processor lists, and validate that the tool is gated by explicit opt-in consent before any recording occurs. Also confirm that your account is actually provisioned in the EU region: check the collector hostnames your deployed snippet sends to, not just the contract language.

Lokker note: PostHog self-hosted gives the highest level of data location control. Mouseflow and Hotjar have long-standing EU hosting with straightforward DPA processes.

Price-sensitive or early-stage teams

Microsoft Clarity is fully free with no session limits. PostHog and Smartlook offer generous free tiers. Hotjar and Mouseflow have entry plans at around $50 per month.

Lokker note: Even free tools create compliance obligations. Validate consent gating before go-live, regardless of cost tier.

Regulated industries and financial services

Glassbox was designed for financial services with strong default masking, on-premises deployment, and audit trail capabilities. FullStory also serves regulated industries with its enterprise privacy controls.

Lokker note: Prioritize default masking configuration, on-premises or private cloud options, and the ability to block recording on sensitive transactional URLs.

Developer-led or engineering-focused teams

LogRocket combines session replay with JavaScript error monitoring and network request logging in a single tool, making it particularly useful for engineering teams that need to correlate UX issues with code-level errors. PostHog offers an open-source stack with analytics, feature flags, and A/B testing alongside replay.

Lokker note: PostHog self-hosted gives engineering teams full data ownership and removes the vendor as a recipient of session data, which takes third-party transfer to the replay vendor off the table (other third-party scripts on the page are unaffected).

Teams requiring self-hosted deployment

PostHog is the only tool in this comparison that is fully open source and self-hostable; confirm feature parity between its self-hosted and cloud deployments for the features you need before committing, as the two have not always matched. Glassbox offers an on-premises enterprise option. All other tools are cloud-only.

Lokker note: Self-hosted deployments shift data processing entirely to your infrastructure, but you still need to validate consent logic, since the recording script still runs in the visitor browser.

Privacy context

The privacy reality of session replay

Session replay is one of the highest-risk third-party tool categories in web privacy law. Three separate legal theories have produced active litigation or enforcement exposure: VPPA (Video Privacy Protection Act) claims for recording "video" content, HIPAA tracking technology obligations from HHS OCR guidance, and wiretapping-theory suits under California CIPA. Understanding what session replay actually captures, beyond what the vendor marketing says, is essential before deployment.

"Masking" does not mean the tool is not running

Even fully masked session replay loads the recording script, sets cookies or local storage, and transmits session metadata including URLs, referrers, session durations, and device fingerprints to the vendor. A consent reject must prevent the script from loading entirely, not merely mask inputs. Many deployments get this wrong in the same way: the reject state only flips the SDK's own masking or privacy setting, while the snippet still loads, sets its identifiers, and sends requests to the vendor. The test is whether any request reaches the vendor's collector in the reject state, not whether the replay looks blank in the dashboard.

URLs, query strings, and fragments contain sensitive data

Session replay captures the full URL for every page visit, including query parameters and fragments that may encode search terms, filter states, user IDs, product details, or health-related keywords. A URL like /results?condition=diabetes&zip=90210 transmitted to a third party may constitute a disclosure of health data even if all form inputs are masked. Path segments carry the same risk (for example, a record number in /patients/<id>/visits), as do referrer URLs from the previous page, so URL minimization has to cover all three.
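As an added example, not code from the page or from any vendor SDK: a URL sanitizer of the kind most replay SDKs let you plug in through a URL-rewriting hook (hook names differ per vendor and none is assumed here). It keeps only allowlisted query parameters, drops anything that looks like an identifier even under an allowed name, and discards the fragment entirely. The allowlist and the sample URLs are constructed for the example.

```javascript
// Added example, not vendor code. Minimize what a replay SDK sees in the URL:
// keep allowlisted query parameters, drop everything else and the fragment.

// Assumption: these parameter names carry no personal data on the site.
const ALLOWED_PARAMS = new Set(["page", "sort", "lang"]);

// Even an allowed parameter is dropped when its value looks like an
// e-mail address or a long opaque token (hex/base64-ish, 24+ chars).
const LOOKS_SENSITIVE = /@|^[A-Za-z0-9+\/_-]{24,}={0,2}$/;

function sanitizeUrlForReplay(rawUrl, allowed = ALLOWED_PARAMS) {
  // Relative URLs (location.pathname + location.search) need a base to parse.
  const isRelative = rawUrl.startsWith("/");
  const url = new URL(rawUrl, "https://placeholder.invalid");

  const kept = new URLSearchParams();
  const dropped = [];
  for (const [name, value] of url.searchParams) {
    if (allowed.has(name) && !LOOKS_SENSITIVE.test(value)) {
      kept.append(name, value);
    } else {
      dropped.push(name);
    }
  }
  url.search = kept.toString();
  url.hash = ""; // fragments carry tokens and filter state; never record them

  return {
    url: isRelative ? url.pathname + url.search : url.toString(),
    dropped,
  };
}
```

Run the sanitizer on every recorded page view and on the referrer before either is handed to the SDK; the `dropped` list is worth logging to your own telemetry so you can see which parameters are reaching pages where replay is active.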

Custom events and identify calls carry user data

Replay tools that support user identification or custom event tracking can receive explicit PII through developer API calls. Attributes like name, email, user ID, and behavioral properties are transmitted to vendor servers. These calls often originate from product analytics code rather than the replay SDK directly, making them easy to miss in a consent audit.

VPPA exposure does not require video content on the page

VPPA class actions in the US have alleged that session replay tools capture "video" of the visitor interacting with video content on the page, creating an unlawful disclosure of viewing history to the replay vendor. Healthcare, streaming, and news sites are common targets. The legal theory does not require a dedicated video player; embedded players in editorial content are sufficient.

Tag manager deployment bypasses CMP gating

Session replay scripts are frequently deployed through Google Tag Manager or similar containers. If the replay tag's trigger does not wait for the CMP to resolve, or if the tag lacks proper consent-mode integration, it fires in pre-consent or reject states regardless of how the CMP itself is configured, and the CMP dashboard will still report the category as blocked. Network-layer validation is the only reliable way to confirm this.
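Added example, not Lokker code: the audit that network-layer validation implies, reduced to its core. Each entry in the capture records the consent state the automated browser run was in, the request URL, and the initiator script; any request to a replay vendor in a state that must be silent is a finding. The vendor host patterns, the state names, and the sample capture are constructed for the example. Matching by hostname is deliberately the simple version: a first-party relay or proxy (the scorecard's server-side relay dimension) defeats hostname matching, which is why fingerprinting the request itself is needed in practice.

```javascript
// Added example, not Lokker code: flag replay traffic observed in consent
// states where it must not occur. Input is a list of captured requests, one
// per (consent state, request), as produced by automated browser runs.

// Assumption: illustrative vendor collector hosts; real lists are longer and
// must also cover first-party relays, which hostname matching cannot see.
const REPLAY_VENDOR_HOSTS = [
  { vendor: "ExampleReplay", host: /(^|\.)collect\.replay-vendor\.example$/ },
  { vendor: "OtherReplay", host: /(^|\.)rec\.other-vendor\.example$/ },
];

// States in which no replay request may leave the browser.
const MUST_BE_SILENT = new Set(["pre-consent", "reject", "gpc"]);

function vendorFor(url) {
  const host = new URL(url).hostname;
  const hit = REPLAY_VENDOR_HOSTS.find((v) => v.host.test(host));
  return hit ? hit.vendor : null;
}

// Returns one finding per violating request, plus a per-state count so a
// report can say "2 requests to ExampleReplay in reject state".
function auditCapture(capture) {
  const findings = [];
  const byState = {};
  for (const req of capture) {
    const vendor = vendorFor(req.url);
    if (!vendor || !MUST_BE_SILENT.has(req.state)) continue;
    findings.push({ state: req.state, vendor, url: req.url, initiator: req.initiator });
    byState[req.state] = (byState[req.state] || 0) + 1;
  }
  return { findings, byState, clean: findings.length === 0 };
}

// Constructed sample: what one page might produce across four states. The
// reject-state hits are initiated by a tag-manager container, the failure
// mode described above.
const SAMPLE_CAPTURE = [
  { state: "pre-consent", url: "https://www.site.example/app.js", initiator: "document" },
  { state: "pre-consent", url: "https://cmp.example/banner.js", initiator: "document" },
  { state: "reject", url: "https://tagmanager.example/container.js", initiator: "document" },
  { state: "reject", url: "https://collect.replay-vendor.example/rec/v1", initiator: "tagmanager.example/container.js" },
  { state: "reject", url: "https://collect.replay-vendor.example/rec/v1/events", initiator: "tagmanager.example/container.js" },
  { state: "gpc", url: "https://rec.other-vendor.example/i", initiator: "www.site.example/app.js" },
  { state: "accept", url: "https://collect.replay-vendor.example/rec/v1", initiator: "tagmanager.example/container.js" },
];

function sampleReport() {
  return auditCapture(SAMPLE_CAPTURE);
}
```

In practice the capture comes from a HAR export or a DevTools Protocol network log taken in each consent state; the initiator field is what turns a finding into a fix, because it names the container or script that fired the tag.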

GPC is an opt-out signal most replay tools ignore natively

Global Privacy Control is a browser-level signal for opt-out of sale and sharing of personal data. None of the session replay tools in this comparison natively intercept the GPC signal and stop recording without additional configuration. Organizations with California GPC obligations must gate session replay through a CMP or network-layer enforcement tool.
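Added example, not code from the page or from any CMP or vendor SDK: the gate a CMP integration should implement for the cases in the two sections above. The replay snippet is injected only after an explicit analytics opt-in, never while the banner is unanswered, never when navigator.globalPrivacyControl is set, and never on paths that render sensitive data; on a reject nothing loads, so there is no running script to mask. The sensitive path list and the script URL are assumptions; document and navigator are passed in so the logic can be exercised outside a browser.

```javascript
// Added example, not CMP or vendor code: load the replay snippet only when the
// consent state permits it. Nothing is injected in pre-consent, reject or GPC
// states, so there is no running script to "mask".

// Assumption: paths on this site that render account, payment or health data.
const SENSITIVE_PATHS = [/^\/account(\/|$)/, /^\/checkout(\/|$)/, /^\/patient(\/|$)/];

// consent: CMP state, { analytics: true | false | undefined } (undefined = banner
// not yet answered). nav: navigator, or a stand-in exposing globalPrivacyControl.
function replayDecision(consent, nav, pathname) {
  // Conservative ordering: a GPC signal wins even over a stored opt-in, so the
  // browser-level opt-out is never overridden by an earlier banner click.
  if (nav && nav.globalPrivacyControl === true) return { load: false, reason: "gpc" };
  if (!consent || consent.analytics === undefined) return { load: false, reason: "pre-consent" };
  if (consent.analytics !== true) return { load: false, reason: "reject" };
  if (SENSITIVE_PATHS.some((re) => re.test(pathname))) return { load: false, reason: "sensitive-path" };
  return { load: true, reason: "accept" };
}

// doc: document, or a stand-in with createElement and head.{children, appendChild}.
// scriptSrc: the vendor snippet URL (assumption). Idempotent: a second call in the
// same page does not inject a second copy.
function gateReplay(consent, nav, pathname, doc, scriptSrc) {
  const decision = replayDecision(consent, nav, pathname);
  if (!decision.load) return { ...decision, injected: false };
  const alreadyLoaded = Array.from(doc.head.children).some((el) => el.src === scriptSrc);
  if (alreadyLoaded) return { ...decision, injected: false };
  const script = doc.createElement("script");
  script.src = scriptSrc;
  script.async = true;
  doc.head.appendChild(script);
  return { ...decision, injected: true };
}
```

Wire gateReplay to the CMP's consent-change event and, in a single-page app, to route changes, so a navigation onto a sensitive path is re-evaluated. Consent withdrawn after the snippet has loaded cannot be undone client-side without the SDK's own stop call (if the vendor provides one) or a page reload, and the cookies or storage it set must be cleared; this is one more reason to load nothing until the opt-in is explicit.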

Where Lokker fits

How Lokker helps with session replay compliance

Deploying a session replay tool is only the first decision. Confirming that it operates within your consent framework, stops on reject and GPC states, and does not fire on sensitive paths requires independent validation. That is what Lokker is built for.

Privacy Edge: detect every replay vendor across your portfolio

Privacy Edge scans your web properties and identifies session replay scripts by network fingerprint, not just domain name. It surfaces obfuscated or tag-manager-delivered replay tools that may not appear in a manual inventory, maps them to the Session Replay risk category, and produces HIPAA and VPPA-mapped reason codes where applicable.

Consent Validator: confirm replay stops on reject and GPC

Consent Validator runs automated browser sessions in pre-consent, reject, accept, and GPC states and captures exactly what the session replay tool does in each. If replay requests fire in a state where they should not, Consent Validator surfaces the finding with network-level evidence for your legal and privacy team.

Guardian: enforce blocking when consent fails

Guardian intercepts session replay scripts at the browser network layer before they can load, transmit data, or identify the visitor. Trust rules defined in Privacy Edge are enforced in real time, so a CMP misconfiguration cannot result in an unauthorized replay session reaching the vendor.

Next step

Validate your session replay tools deployment with Lokker

Lokker confirms that the tool you choose stops collecting data in reject and GPC states, surfaces any gaps in your CMP configuration, and enforces blocking at the network layer so a misconfigured consent banner cannot result in an unauthorized data collection event.