GDPR / CCPA

LogRocket fully supports the privacy rights of our customers and their users and has achieved GDPR and CCPA compliance. Please read below for information on handling GDPR / CCPA data deletion requests, signing our GDPR DPA and CCPA addendum, and other best practices for maintaining compliance with data privacy laws.

Handling data deletion requests

LogRocket offers a self-serve GDPR/CCPA portal in the dashboard and via API that lets you delete all data from a specific user and automatically add the user to a do-not-record list so that no future sessions from them are recorded.

Dashboard

You can find this page in the "Settings" tab.

API Access

You can also add or remove GDPR/CCPA requests through the API, identifying the user by user ID or email.

Request data deletion

POST /v1/orgs/<orgSlug>/apps/<appSlug>/gdpr/exclusion/

Use this POST endpoint to request deletion of sessions for a particular user and to ensure that the user is no longer recorded within LogRocket going forward:

curl 'https://api.logrocket.com/v1/orgs/<your-org-slug>/apps/<your-app-slug>/gdpr/exclusion/' -H 'Content-Type: application/json' -H 'Authorization: Token <your-api-key>' -d '{ "email": "<user-email>" }'

Replace your-org-slug, your-app-slug, and your-api-key with the relevant information for your application. This data can be found within the General Settings page in your LogRocket dashboard. The user can be identified by either email or user ID.

If using the user ID, pass the following data argument instead: -d '{ "user_id": 9387576103484576 }'

Request data inclusion

POST /v1/orgs/<orgSlug>/apps/<appSlug>/gdpr/inclusion/

You can use this endpoint to request reversal of an exclusion from a previous deletion request.

curl 'https://api.logrocket.com/v1/orgs/<your-org-slug>/apps/<your-app-slug>/gdpr/inclusion/' -H 'Content-Type: application/json' -H 'Authorization: Token <your-api-key>' -d '{ "email": "<user-email>" }'

Similar to the exclusion request, you can also use a user ID instead of email here.

📘

On-Prem Customers

The examples provided above use the SaaS hostname, api.logrocket.com. The on-premise hostname is determined by the domains.api field in your values.yaml file (e.g. logrocket.example.com).
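
The two endpoints above, wrapped for batch processing of requests, as an added example that is not LogRocket's own code. The function names and the LOGROCKET_ORG, LOGROCKET_APP and LOGROCKET_API_KEY environment variables are assumptions made for this sketch; the key is read from the environment so it stays out of shell history and the process list.

```python
import json
import os
import sys
import urllib.request
from urllib.parse import quote

SAAS_HOST = "api.logrocket.com"  # on-prem: the domains.api value from values.yaml


def build_gdpr_request(action, org_slug, app_slug, api_key, *,
                       email=None, user_id=None, host=SAAS_HOST):
    """Build (but do not send) an exclusion or inclusion request.

    Hypothetical helper, not part of any LogRocket SDK.
    """
    if action not in ("exclusion", "inclusion"):
        raise ValueError("action must be 'exclusion' or 'inclusion'")
    # Require exactly one identifier so the body is never ambiguous or empty.
    if (email is None) == (user_id is None):
        raise ValueError("pass exactly one of email or user_id")
    body = {"email": email} if email is not None else {"user_id": user_id}
    # Percent-encode the slugs so stray characters cannot alter the path.
    url = "https://{}/v1/orgs/{}/apps/{}/gdpr/{}/".format(
        host, quote(org_slug, safe=""), quote(app_slug, safe=""), action)
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),  # json.dumps handles all quoting
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Token " + api_key},
    )


def send(request, timeout=30):
    """Send a built request and return the HTTP status code.

    urllib raises urllib.error.HTTPError for 4xx/5xx responses.
    """
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # One e-mail address per line on stdin; each becomes an exclusion request.
    env = os.environ  # variable names below are assumptions of this example
    for line in sys.stdin:
        email = line.strip()
        if email:
            req = build_gdpr_request("exclusion", env["LOGROCKET_ORG"],
                                     env["LOGROCKET_APP"],
                                     env["LOGROCKET_API_KEY"], email=email)
            print(send(req), email)
```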

GDPR DPA

Our GDPR DPA has been revised to reflect both regulatory and operational changes related to GDPR. You can view and sign a copy here.

📘

September, 2021 Update

We have updated our DPA to include the new Standard Contractual Clauses (SCCs) as well as accommodate the UK GDPR (post-Brexit). If you previously signed an older version of our DPA, please sign the new version above.

CCPA Addendum

Our CCPA addendum guarantees LogRocket's obligations with regard to compliance with CCPA. You can view and sign a copy here.


Continuing Compliance Programs

LogRocket's legal and privacy teams continually:

  • Consult with internal and external counsel to understand legal interpretations of the GDPR and CCPA requirements
  • Work with other leading technology firms to understand the market’s general interpretation and best practices
  • Perform Data Protection Impact Assessments as security reviews to determine compliance with GDPR and CCPA security requirements and industry best standards
  • Work with our engineering and product teams to add new security and privacy functionality in LogRocket to maintain compliance with GDPR, CCPA, and other privacy laws

Recommended Practices for LogRocket Customers

As a customer of LogRocket, you are a data controller and LogRocket is acting as your data processor for your users. In this respect, you’ll want to take the following steps when you implement LogRocket.

  • Ensure your Terms of Service and/or Privacy Policy are up to date
  • If you have customers in the EU, please sign our updated DPA here.
  • If you are a business under the CCPA, consider signing our CCPA addendum
  • Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR and CCPA as they apply to your business.
  • Watch for updates from LogRocket related to product functionality or T&C changes.