What is recorded, and what never is
Isotherm runs on your server. The data never reaches ours, because there is no ours. This page is the complete list, including the uncomfortable part.
Never captured. Not configurable.
- Anything a person typed. Input values, textareas, contenteditable fields. Not passwords, not search terms, not a half-written message. The check is on the element type, not on the text — the one place PII could leak is not somewhere to be clever.
- IP addresses. Not stored, not logged, not hashed.
- Cookies. None. The session id lives in
sessionStorageand dies with the tab. It exists only so the backend can tell "one visitor moved a lot" from "many visitors did". - Anything inside
data-hm-mask. Mark an element and its contents never leave the browser. - Full referrer URLs. Truncated to the host — a referrer can carry search terms and tokens, and a heatmap has no use for anything finer than which site sent them.
What is captured
- Click coordinates, and a CSS selector for the element clicked.
- Mouse movement, quantized to a grid in the browser before it is ever sent.
- Scroll depth: one number per page view.
- Rage clicks and dead clicks.
- Viewport and document size, and a device bucket (mobile / tablet / desktop).
The uncomfortable part: page copies
To draw a heatmap on your page, Isotherm needs your page. It stores one copy per layout, captured from a real visitor's browser — not a screenshot, but the page's HTML and CSS.
On an admin panel, that copy can contain real records: customer names, order values, email addresses. We are not going to bury that in a terms page. It is stated in the dashboard, on the screen where you copy the tag.
You have three choices, and they are honestly different:
- Store the page as it looks. The backdrop is readable, so you can see exactly what people were clicking. The default, because a redacted backdrop is close to useless for deciding what to fix.
- Store the layout, mask every word. Same layout, every glyph replaced by a block. You still see where people clicked and how the page was shaped — but not one word of content.
- Store nothing. No copy is requested or kept, and existing copies are deleted. The heat is drawn over a bare grid at the page's true size: accurate, harder to read.
A copy is served back only to you, from your own server, under a Content-Security-Policy that makes it inert — no scripts, no forms, no frames — and it is rendered in a sandboxed iframe. Even a copy forged by someone bypassing the SDK entirely can do nothing but render.
Do Not Track
Honoured by default. A browser sending DNT: 1 is not recorded at all.
Why this matters to you specifically
If you install Isotherm on a panel showing your customers' data, you are the one accountable for what is stored — not us, because we never see it. That is the point of self-hosting, and it is also the responsibility that comes with it. Decide the snapshot mode per site, deliberately, before you paste the tag.