Session Recording Privacy

Session replay captures DOM state to enable full playback, but Brie has extensive built-in protections to prevent recording sensitive pages.

Automatic page blocking

Brie automatically disables session recording on sensitive pages. This is a hardcoded baseline denylist that cannot be overridden:

Identity providers:

  • Google (accounts.google.com, myaccount.google.com)
  • Apple (appleid.apple.com)
  • Microsoft (login.microsoftonline.com, account.microsoft.com, login.live.com)

Enterprise auth providers:

  • Okta, OneLogin, Auth0, Duo
  • Any subdomain starting with login, auth, sso, idp, or secure

Auth paths:

  • Any URL containing /login, /signin, /oauth, /authorize, /saml, /mfa, or /2fa

Payment pages:

  • Stripe checkout, PayPal, Square

Password managers:

  • 1Password, LastPass, Bitwarden

Browser pages:

  • chrome://, edge://, about://, extension pages

Per-host controls

You can disable session recording on additional domains:

  • Add domains to the Rewind per-host denylist in settings.
  • Domains are matched by hostname (e.g., example.com, app.example.com).
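
To audit which of your own URLs these rules would cover, the matching described above can be approximated as follows. This is an added example, not Brie's code: the function name, reason strings, extension schemes, leftmost-label prefix test, path-plus-query substring test, and exact per-host matching are all assumptions, and vendors the page names without a hostname are left out.

```javascript
// Added example: approximates the rules described on this page; not Brie's code.
// Only hostnames the page spells out are listed; vendors named without a
// hostname (Okta, Stripe, 1Password, ...) are intentionally left out.
const BASELINE_HOSTS = new Set([
  "accounts.google.com", "myaccount.google.com", "appleid.apple.com",
  "login.microsoftonline.com", "account.microsoft.com", "login.live.com",
]);
const SUBDOMAIN_PREFIXES = ["login", "auth", "sso", "idp", "secure"];
const AUTH_PATH_FRAGMENTS = ["/login", "/signin", "/oauth", "/authorize", "/saml", "/mfa", "/2fa"];
// Assumption: "extension pages" means the chrome-extension: and moz-extension: schemes.
const BROWSER_SCHEMES = new Set(["chrome:", "edge:", "about:", "chrome-extension:", "moz-extension:"]);

// Returns the reason recording would be blocked, or null if no rule applies.
function recordingBlockReason(rawUrl, perHostDenylist = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "unparseable-url"; // fail closed: never record what cannot be classified
  }
  if (BROWSER_SCHEMES.has(url.protocol)) return "browser-page";

  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  if (BASELINE_HOSTS.has(host)) return "identity-provider";

  // Assumption: the prefix rule tests the leftmost label of a host that has a subdomain.
  const labels = host.split(".");
  if (labels.length > 2 && SUBDOMAIN_PREFIXES.some((p) => labels[0].startsWith(p))) {
    return "auth-subdomain";
  }

  // Assumption: "containing" is a case-insensitive substring test on path plus query.
  const pathAndQuery = (url.pathname + url.search).toLowerCase();
  if (AUTH_PATH_FRAGMENTS.some((f) => pathAndQuery.includes(f))) return "auth-path";

  // Assumption: per-host entries match the hostname exactly, with no subdomain wildcard.
  if (perHostDenylist.some((d) => d.toLowerCase() === host)) return "per-host-denylist";
  return null;
}
```

Under these assumptions prefix and substring rules over-match (`authors.example.com`, `/blog/logins-explained`), and a per-host entry for `example.com` does not cover `app.example.com`.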

Data storage

Session replay data is:

  • Stored securely on Brie's servers.
  • Accessible only to members of your organization.
  • Deleted when you delete the associated slice.
  • Deleted when you delete your account.