Glassbox is an enterprise digital experience analytics platform that captures every user interaction on web and mobile apps, replays full sessions, and surfaces friction and conversion issues. It is widely used by banks, insurers, telcos and airlines for customer experience optimisation and complaint forensics. Because Glassbox systematically records sensitive customer journeys, deploying it in the EU requires explicit user consent under the GDPR and the ePrivacy Directive, plus a Data Protection Impact Assessment and strict input masking.
Glassbox is an enterprise-grade digital experience analytics platform. Founded in 2010 and headquartered in Petach Tikva, Israel, with offices in London, New York and Singapore, it captures every interaction on web and mobile apps for replay, friction analysis, and complaint investigation. Glassbox is heavily used in regulated sectors: banks, insurers, telcos, healthcare providers, and airlines.
Tracking is implemented through a JavaScript SDK on the web and through native SDKs on iOS and Android. The SDK captures the full DOM, every mouse and keyboard interaction, network requests, and JavaScript errors, then streams them to a Glassbox cloud tenant.
By default, Glassbox captures everything visible and interactive on a page: visitor IP, device characteristics, geolocation, page URL, referrer, scroll depth, click positions, keystrokes (when configured), form input, file upload metadata, and network call metadata. Special category data such as health information, financial details, or government identifiers can flow into recordings unless explicitly masked.
Glassbox provides three masking layers: automatic masking of all input fields, manual masking via HTML attributes on individual elements (gb-mask, data-gb-sensitive), and server-side redaction after capture. All three must be combined to meet GDPR data minimisation requirements.
Glassbox acts as a processor under Art. 28 GDPR. EU customers should select the Ireland region during onboarding. Israel benefits from a renewed adequacy decision (2024), but US sub-processors (AWS US, support tooling) can still appear in the chain and require SCCs plus a Transfer Impact Assessment.
Because the cookies and SDK collect identifying personal data far beyond what is needed to deliver the website, they are not strictly necessary. Art. 5(3) ePrivacy and §25 TTDSG require prior informed consent, and legitimate interest is not a defensible basis for full session replay on EU users.
A Data Protection Impact Assessment under Art. 35 GDPR is effectively mandatory for any Glassbox deployment on EU traffic. The DPIA must address the masking strategy, retention, sub-processors, residency, employee monitoring side effects, and Art. 22 risks when friction scoring or fraud detection use cases feed automated decisions.
Financial services deployments also bring DORA (digital operational resilience), PSD2, and PCI DSS considerations. Recordings of authentication flows must mask credentials, OTP codes, and card numbers, and the entire Glassbox tenant should be reviewed as part of operational resilience testing.
Defer the Glassbox SDK until the visitor has accepted the Analytics or Marketing category in your consent management platform. The CMP banner must explicitly name Glassbox, describe the session replay purpose, and link the Glassbox privacy notice. If your CMP supports TCF v2.2 vendor consent, register Glassbox under the appropriate IAB purpose.
For B2B customer portals where the operator can argue legitimate interest with strict masking, the user must still be informed clearly and offered an opt-out. Document the balancing test and the protective measures in the DPIA.
Select the Ireland tenant for EU traffic. Sign the DPA and review the SCCs for Israel and US sub-processors. Configure automatic input masking globally, then add gb-mask attributes to all elements that may contain personal data (account numbers, health questions, identification documents). Set retention to the minimum useful period (often 30 days for replay, longer for aggregated metrics).
Run a DPIA, document it in your RoPA, train product and engineering teams to use the masking helpers, and review consent uptake quarterly. For multi-country brands, document each regional deployment and align with works council obligations where customer support agents may be monitored.
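The deferral and masking steps above, as an added example that is not Glassbox's or FlowConsent's code: a consent-gated loader that only injects the replay SDK after the CMP reports TCF v2.2 consent, and that refuses to load while any credential, OTP or card field lacks a masking attribute. The vendor id, the required IAB purposes, the SDK URL and the sensitive-field name list are placeholders and assumptions; the masking attribute names are the ones given on this page (gb-mask, data-gb-sensitive).

```javascript
// Added example (not Glassbox's or FlowConsent's code). Assumptions: the CMP exposes
// the TCF v2.2 __tcfapi interface; GLASSBOX_VENDOR_ID, REQUIRED_PURPOSES and SDK_URL
// are placeholders to be replaced with the values from your own registration.
const GLASSBOX_VENDOR_ID = 9999;                    // placeholder GVL vendor id
const REQUIRED_PURPOSES = [1, 8];                   // assumption: storage + content measurement
const SDK_URL = 'https://sdk.example.invalid/glassbox.js'; // placeholder, not the real URL

// True only when the CMP has a final decision and both the required purposes and the
// vendor are consented. Any missing field counts as "no consent" (fail closed).
function hasReplayConsent(tcData) {
  if (!tcData || !['tcloaded', 'useractioncomplete'].includes(tcData.eventStatus)) return false;
  const purposeOk = REQUIRED_PURPOSES.every(p => tcData.purpose?.consents?.[p] === true);
  const vendorOk = tcData.vendor?.consents?.[GLASSBOX_VENDOR_ID] === true;
  return purposeOk && vendorOk;
}

// Fields that must never reach a recording unmasked (credentials, OTPs, card numbers,
// account numbers). The name pattern is a constructed starting point, not exhaustive.
// Returns the offending fields; an empty list means the page is safe to record.
const SENSITIVE_NAME = /pass|pwd|otp|card|cvv|iban|ssn|health|account/i;
function findUnmaskedSensitiveFields(fields) {
  return fields.filter(f => {
    const sensitive = f.type === 'password' || SENSITIVE_NAME.test(f.name || '');
    const masked = !!f.attrs && ('gb-mask' in f.attrs || 'data-gb-sensitive' in f.attrs);
    return sensitive && !masked;
  });
}

// Decide whether to load. Blocks on unmasked fields even when consent exists, so a
// forgotten attribute cannot leak a secret into a replay.
function decideLoad(tcData, fields) {
  if (!hasReplayConsent(tcData)) return { load: false, reason: 'no-consent' };
  const bad = findUnmaskedSensitiveFields(fields);
  if (bad.length) return { load: false, reason: 'unmasked:' + bad.map(f => f.name).join(',') };
  return { load: true, reason: 'ok' };
}

// Browser wiring: wait for the CMP decision, audit the DOM, inject the SDK once.
function installGate(doc, tcfapi) {
  let injected = false;
  tcfapi('addEventListener', 2, (tcData, ok) => {
    if (!ok || injected) return;
    const fields = [...doc.querySelectorAll('input,textarea')].map(el => ({
      name: el.name, type: el.type,
      attrs: Object.fromEntries([...el.attributes].map(a => [a.name, a.value])),
    }));
    const d = decideLoad(tcData, fields);
    if (!d.load) { console.warn('Glassbox SDK not loaded:', d.reason); return; }
    const s = doc.createElement('script'); s.src = SDK_URL; s.async = true;
    doc.head.appendChild(s); injected = true;
  });
}
```

In a page, call `installGate(document, window.__tcfapi)` instead of including the SDK tag directly; the audit runs again on every CMP event, so a consent withdrawal after load still needs the SDK's own stop call.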
Websites using Glassbox must obtain user consent under GDPR regulations.
DPIA considerations
Glassbox is a high-impact processor. Key DPIA considerations: (1) it captures the entire DOM, mouse and keyboard interactions, and form input; unless masking is enabled at every level, special category data (Art. 9 GDPR) such as health, financial and identification data will be recorded; (2) financial services use cases bring DORA, PSD2 strong customer authentication, and PCI DSS scope concerns that go beyond pure GDPR; (3) Glassbox is headquartered in Israel and has support staff worldwide, so transfers must be analysed against EU adequacy for Israel and SCCs for non-adequate jurisdictions; (4) the platform is designed for cross-device user journey reconstruction, building rich behavioural profiles that must be assessed for Art. 22 GDPR (automated decisions) when used for friction scoring or fraud detection; (5) retention defaults of 90 days or more must be reviewed; (6) employee monitoring is a side effect when used on customer support portals, triggering works council obligations in Germany, France and Italy.
Sample consent text
We use Glassbox to record and replay anonymised sessions on our website so we can detect technical issues and improve the user experience. With your consent, Glassbox sets cookies and captures your interactions with the page (clicks, scrolling, page transitions, form interactions with sensitive fields automatically masked). Recordings are stored on Glassbox servers in the European Union under a Data Processing Agreement. You can refuse this recording at any time.
Third-party domains contacted
glassbox.com
glassboxdigital.io
cdn.glassboxdigital.io
api.glassboxdigital.io
sdk.glassbox.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _gbsession | Analytics | Session | Identifies the current Glassbox session and links subsequent events to the same replay sequence. |
| _gbvisitor | Analytics | 1 year | Persistent visitor identifier. Used to stitch sessions to the same Glassbox profile across visits. |
| _gbconfig | Functional | 1 year | Stores the SDK configuration (sampling rate, masking flags) so it can be applied consistently across page views. |
| _gbts | Functional | Session | Timestamp helper used to synchronise client and server clocks for event ordering in replays. |
Glassbox sets first-party cookies on your domain, primarily _gbsession (session identifier, session lifetime), _gbvisitor (persistent visitor ID, typically 1 year), and several configuration cookies. The SDK also writes to localStorage and IndexedDB to queue captured events. None of these are strictly necessary for the website itself, so they all require consent.
Yes, in any EU deployment. The SDK and cookies are not strictly necessary under Art. 5(3) ePrivacy and §25 TTDSG, so prior informed consent is required. Because Glassbox captures detailed personal data, including potential special categories, consent is also the safest Art. 6 GDPR basis. Legitimate interest is not defensible for full session replay on EU consumer traffic.
Consent (Art. 6(1)(a) GDPR) is the default safe basis. For employee-facing portals or B2B applications, legitimate interest (Art. 6(1)(f)) can be considered if masking is comprehensive, retention is limited, and a documented balancing test is performed. The chosen basis must appear in the privacy notice and the DPIA.
EU customers can choose Ireland for data storage. However, Glassbox is headquartered in Israel and has support staff worldwide; Israel benefits from a renewed EU adequacy decision (2024) but US sub-processors may still appear in the chain (AWS US, support tooling). SCCs plus a Transfer Impact Assessment are required for any non-adequate destinations.
Yes, in practice always. Glassbox performs systematic large-scale monitoring of individuals on regulated services, often financial or health related, which meets the EDPB Article 35 criteria. The DPIA must document the masking configuration, retention, sub-processors, residency choice, employee monitoring effects, and any automated decisions fed by Glassbox data.
Select the EU (Ireland) tenant. Sign the DPA and review SCCs. Enable automatic field masking, then add gb-mask and data-gb-sensitive attributes to every element with personal or financial data. Defer the SDK until consent. Document retention (often 30 days for raw replay). Train product teams to test masking before each release.
Enterprise alternatives: Contentsquare (France), Quantum Metric (US, with EU regions), FullStory (US, with EU residency), Dynatrace Real User Monitoring. Open source / self-hosted: OpenReplay, PostHog. Glassbox's main differentiator is the depth of capture suited to regulated financial and insurance use cases, with strong forensic and complaint investigation features.
List the Glassbox cookies (_gbsession, _gbvisitor) with provider (Glassbox Digital Ltd, Israel and Glassbox Digital UK Ltd), purpose (session capture for digital experience analytics), lifetime, and category (Analytics). Disclose the session replay feature, the masking configuration, the retention period, and the data residency. Include a link to the Glassbox privacy policy and offer a clear opt-out.