What information does Lucky Orange collect about my visitors?

Lucky gives business and organizations the ability to analyze, evaluate and monitor what visitors do on their website through features such as Session Recordings, Dynamic Heatmaps, Conversion Funnels, Form Analytics and more. 

To do this, Lucky Orange captures the original HTML the visitor was shown. This includes capturing any changes to that HTML, as well as user input like mouse movements, scrolls and touch events. It can work even behind login pages since the data is sent from a particular visitor’s browser. 

But what information is collected (or not collected) on your visitors when you use Lucky Orange? Keep reading to find out. 

What data do we collect from your visitors? 

Data collected on your visitors by Lucky Orange include: 

  • Geographic location for the visitor’s country, state, and city using GeoIP lookup
  • Browser type and version
  • Operating system & version
  • Device information including the device type
  • The number of visits a user has made to the site
  • URLs visited while on your website
  • UTM parameters in the URL
  • Referrer source 
  • Any events triggered by the visitor, including URL-  and interaction-based
  • Custom user data
  • ISP of the IP address or the organization name 
  • IP addresses if the Display and store visitor IP privacy setting is enabled. We’ll go into this more in depth below.

Advantages of dealing with sensitive data 

Because we’re capturing raw HTML and the changes to it rather than capturing graphical pixels, Lucky Orange gains several extra advantages of the transmission of sensitive data.

When Lucky Orange initially prepares the page’s original HTML to transmit to our servers, it first traverses through the entire HTML content (AKA the DOM tree) and is then able to snip out sensitive data or scramble all text on the page before it’s sent to us.

The type of data captured by Lucky Orange in a regular session includes:

  • User metadata, listed above
  • Page data:
    • DOM tree (as it existed when the Lucky Orange tracking code started)
    • DOM mutations
    • Interactions including clicks, moves, scrolls, inputs and more
    • Linked CSS stylesheets and resources within including fonts and images
    • Console logs including errors, warnings and info
    • Images in <img> tags

More about IP address collection

We have safeguards in place to keep your visitor information in compliance with privacy laws and regulations such as the EU’s GDPR. 

  • By default, Lucky Orange uses hashing to reassign values to the visitor's IP address. As a result, the IP address itself isn’t known to or passing into our system. To capture, store and display visitor IP addresses, a privacy setting must first be enabled.  Click here to learn more. 
  • If you’ve enabled IP collection, this information remains only in the backend of Lucky Orange. Even if enabled, visitor IP addresses will never be shown along with other information. However, you can search for specific IP addresses. 

Are keystrokes captured?

Out of the box, all visitor keystrokes are replaced with an asterisk before any data is collected by Lucky Orange.

What this means: Inputs on fields such as forms or search - even if the field is non-sensitive - will be sent as asterisks when captured and  played back in Session Recordings.

In our experience helping hundreds of thousands of websites understand visitor behavior to grow their websites, this information isn’t necessary to help you optimize your website. 

To keep both you and your visitors safe from possibly transmitting sensitive or personal information, this feature can’t be disabled regardless of whether the field is sensitive (e.g., credit card number) or non-sensitive (e.g., search).

What if my HTML contains sensitive data? 

There are some websites that include sensitive information directly within the HTML. 

For example, you may have a pop-up that confirms someone’s social security number or bank account number. 

To further protect your visitors, we suggest:  

  1. Enabling text scrambling. This feature will randomly scramble every letter on the webpage while still retaining the style of the page before being captured by Lucky Orange. This lets you maintain a high level of privacy without having to add any additional code to your site. 
  2. Adding class names to your code to prevent those specific areas from being sent. Though content such as credit card numbers, social security numbers and keystrokes aren’t captured to protect visitor privacy, additional content can also be hidden through the use of special CSS classes. Click here with developer-focused details.