Privacy and masking

The widget captures what's on screen. Most of the time that's exactly what you want — context is the whole point. But sometimes parts of the page contain personal data, financial information, or anything else you'd rather not store. Masking and hiding give you per-element control.

Defaults

By default, in screenshots and recordings:

• Text content is visible. Headings, paragraphs, buttons, labels — all captured as-is.
• Form inputs are visible. Whatever the user has typed shows.
• Images are visible. As they appear on screen.
• Password fields are always masked. This is non-negotiable; Conclude masks <input type="password"> regardless of any other configuration.

If those defaults don't fit your app, you opt into stricter behaviour with HTML attributes.

Opting in to masking

Masking replaces an element's content with a solid block in the captured screenshot or recording. The element stays in place — its position and size are preserved — but its text or visual content is hidden.

Add data-conclude-mask (or class conclude-mask) to any element:

<div data-conclude-mask>
  4242 4242 4242 4242
</div>

<input data-conclude-mask value="ssn-123-45-6789" />

<span class="conclude-mask">ada@acme.com</span>

In the captured image, the element is rendered as an opaque rectangle.

When to mask

• Credit card numbers, SSNs, financial data.
• PII you don't want stored even though it's on screen.
• Any input the user is mid-typing into when bugs typically happen.

Opting in to hiding

Hiding removes the element from the screenshot entirely. The space it occupied is left blank — surrounding elements don't reflow, but the element itself isn't rendered into the capture.

Add data-conclude-hide to any element:

<aside data-conclude-hide>
  <!-- internal admin panel that shouldn't appear in customer screenshots -->
</aside>

When to hide vs. mask

• Mask when the element's position is meaningful — you want the developer to see "there was an input here" without seeing the value.
• Hide when the element shouldn't appear at all — internal admin tools, debug panels, sensitive overlays.

Recordings vs. screenshots

These attributes apply to both. The widget honours them at capture time:

• Screenshots (html2canvas) — applied when the screenshot is rendered.
• Recordings (getDisplayMedia) — the React SDK applies these client-side; the script-tag widget cannot mask cross-tab content the user shares.

What gets uploaded vs. what gets stored

• The widget composites the masked/hidden version client-side. The unmasked content never leaves the user's browser.
• The file uploaded to Conclude is the masked version.
• Conclude stores the uploaded file, full stop.

Network and CSP

The widget calls https://www.conclude.fyi to submit. If your app uses a Content Security Policy, you'll need to allow that origin in connect-src.

→ Content Security Policy

Compliance

• All data is stored in Supabase (US region) and accessed via signed URLs.
• Conclude does not sell submitter data.
• For deletion requests or compliance specifics (GDPR, DPAs, sub-processors), contact support.

Next

• Screenshots and recordings
• Identifying users and companies
• Managing incoming feedback