What's (the) FullStory?

While reviewing outgoing XHRs (AJAX requests), I noticed one sending data to rs.fullstory.com. Since I’ve never heard this service mentioned explicitly, I wanted to ask what it does and what kind of data it collects. I would have appreciated being informed about the involvement of third-party services like this—regardless of whether they collect data or not.

After visiting FullStory’s website, I suspect it’s used for some form of user research, but I’m still uncertain about its exact purpose and was unaware that this was in place. To be honest, I’m not sure if I’m entirely comfortable with it. It may give the impression some malicious script was injected in our app - and that's never reassuring.

In addition to my concerns regarding data privacy, I could also imagine it having a negative effect on performance. :thinking: So a topic within a topic, I suppose.

Hello @emozio,

I just asked our Observability team about this to get more details for an official statement.

From what I heard from other support engineers, this is for Retool's Fullstory account; we randomly sample all app sessions at a low percentage, with occasionally increased sampling on some events where needed (e.g. building out a newly released feature).

I believe this is disclosed in our terms and conditions page, but I can double-check that to confirm as well. We go to full lengths to respect and protect our users' privacy and ensure that sensitive data is encrypted and secured.

I can definitely see how finding this without expecting to see it could give the impression of a malicious script. We can definitely do more to let users know this is going on, such as creating an article on our docs page.

My impression was that the sampling of app events is done randomly on all apps at a very low percentage and gives us helpful data to identify issues and improve our product for our developer and end user experience.

I also asked about the performance aspect of Fullstory. Another support engineer said that the performance should be negligible, as these are fairly infrequent and carry the same, if not a lighter, load as the consistent /save requests being made that back up apps.

To share a little more detail, Fullstory is an analytics platform that specializes in session replay, which is a fairly standard feature among analytics tools in this day and age. Datadog has a good write-up on it that I recommend checking out! While we don't explicitly identify Fullstory by name, there is definitely a section of our privacy policy that discloses the collection of usage data.

The performance impact of this integration is largely negligible for the reason that Jack mentions above, but I can certainly appreciate concerns around data privacy. Currently, user sessions on Cloud instances are polled at a rate of less than 2% and, even then, the actual page content is being aggressively masked. You can read more about how this is done over here. As a complete aside, I'll add that we recently announced the ability for customers to build out their own Fullstory integration.

Last but not least, I'll reiterate the message that we take data security seriously, but agree that there was a missed opportunity to be more clear about the existence of this particular integration. Don't hesitate to follow up here or via DM if you have any additional questions, @emozio. :raised_hands: