Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
LiveSession is a Polish session replay and product analytics platform headquartered in Wroclaw. The JavaScript snippet loaded from livesession.io records mouse movements, clicks, scrolls, form interactions and console errors of real visitors and replays them as videos in the LiveSession dashboard. Recordings are processed and stored on AWS Frankfurt, which is a competitive advantage over US session replay vendors. Because session replay is highly invasive, consent is required and the privacy controls of the recorder must be configured carefully.
LiveSession is a session replay and product analytics platform operated by LiveSession sp. z o.o., a Polish company based in Wroclaw. Marketing teams, product managers and UX researchers install the LiveSession JavaScript snippet on their public site or SaaS application to record real user sessions, build heatmaps, configure funnels and segment behaviour by source, persona or conversion outcome. LiveSession competes with Hotjar (US/EU), FullStory (US), Microsoft Clarity (US/EU) and Mouseflow (Denmark).
Its main differentiator in Europe is the EU only hosting on AWS Frankfurt for EU customers, which avoids the US transfer concerns that come with most US session replay vendors.
The LiveSession recorder writes first party cookies (__ls_visitor, __ls_session, __ls_segments) and localStorage entries that link the session to a visitor ID. For each recorded session it captures mouse movements, click events, scrolls, form input events (with optional masking), keyboard activity (not the actual key values when masked), DOM mutations and JavaScript console errors. The recording is streamed to api.livesession.io and stored in AWS Frankfurt. By default, sensitive fields (passwords, credit card inputs) are masked at the SDK level, and additional fields can be excluded with CSS selectors or data attributes.
Session replay is one of the categories most aggressively scrutinised by EU regulators. CNIL, AEPD and the Italian Garante have all clarified that recording user behaviour is not strictly necessary to deliver a website and therefore requires prior consent under Art. 5(3) ePrivacy. The behavioural data captured by LiveSession qualifies as personal data under the GDPR. The legal basis can be consent or, in narrow B2B SaaS contexts, legitimate interest with a documented LIA, masking of sensitive fields and a clear right to object.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For EU traffic, do not initialise the LiveSession SDK until the analytics or product analytics category has been accepted in your CMP. Inside the dashboard, enable input masking globally, mark sensitive pages as do not record (login, sign up, payment, profile, account settings), restrict access to the LiveSession workspace to a small team and rotate API keys regularly.
For EU customers, LiveSession processes all recordings on AWS Frankfurt (eu central 1). Support and engineering staff in Poland may access recordings under contract. No US data centre is used by default. Customers in other regions can opt into Mumbai or US hosting, in which case standard transfer safeguards apply.
Sign the LiveSession DPA, deploy the SDK behind a CMP toggle, set input masking and excluded pages, list LiveSession in your privacy notice and Article 30 record, run a DPIA covering session replay risks (re identification, sensitive content, mishandled masking), keep recordings for a short retention period and give users a way to opt out of recording at any time.
Websites using LiveSession must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because LiveSession involves systematic recording of user behaviour on the publisher's site, including mouse trajectory, form interactions and free text content. The DPIA should cover the masking of input fields, the exclusion of sensitive pages (login, payment), the retention of recordings, the access controls inside LiveSession and the rights of data subjects to opt out and to erase their recordings.
Sample consent text
We use LiveSession (LiveSession sp. z o.o., Poland) to replay anonymised sessions of how visitors interact with our site. The LiveSession recorder sets a session cookie and streams behavioural data to AWS Frankfurt in the European Union. Sensitive fields are masked automatically. We only start the recording after you have accepted the analytics category.
Third-party domains contacted
livesession.ioapi.livesession.ioapp.livesession.iocdn.livesession.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __ls_visitor | first_party | 1 year | Long lived LiveSession visitor identifier used to stitch together multiple sessions of the same browser for the publisher. |
| __ls_session | first_party | 30 minutes | Session level identifier used by LiveSession to mark which recording the current page view belongs to. |
| __ls_segments | first_party | 1 year | Stores the LiveSession segment membership for the visitor used to filter and group recordings. |
| LiveSession.eventBuffer | first_party | Persistent (localStorage) | localStorage buffer used to batch recorded events when the user is offline. Flushed to api.livesession.io once connectivity returns. |
LiveSession collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The LiveSession SDK writes first party cookies __ls_visitor (long lived visitor identifier), __ls_session (recording session ID) and __ls_segments (segmentation membership), plus localStorage entries used for batching events offline. No third party cookies are set on the publisher domain.
Yes. Session replay is not strictly necessary to deliver the page the visitor requested, and the SDK stores identifiers on the device. Art. 5(3) ePrivacy requires prior consent in the EU. Initialise the SDK only after the analytics or product analytics category has been accepted in your CMP.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for visitor recording. In tightly scoped B2B SaaS contexts, legitimate interest can support replays of authenticated business users after a documented Legitimate Interest Assessment, with field masking and a working opt out.
For EU customers, no. LiveSession processes EU recordings on AWS Frankfurt (eu central 1). Support and engineering staff in Poland can access recordings under contract. The Mumbai and US regions are opt in for non EU customers and trigger standard transfer safeguards.
Yes. Session replay involves systematic monitoring of user behaviour and can capture sensitive content if masking is misconfigured. Art. 35 GDPR triggers the DPIA obligation. The DPIA should cover masking, page exclusions, retention, access controls and opt out mechanisms.
Sign the LiveSession DPA, gate the SDK behind a CMP toggle, enable global input masking, exclude sensitive pages (login, payment, profile), set a short retention period, restrict workspace access to a small team, complete a DPIA and offer an in product opt out for recording.
EU based session replay tools include Mouseflow (Denmark), Smartlook (Czech Republic with EU servers), Contentsquare (France, see our dedicated page), Plerdy (Ukraine and EU), Open Replay (open source, self hosted). US tools with EU residency include FullStory (US with EU regions on enterprise) and Microsoft Clarity (US with EU data centre).
List the LiveSession cookies in your cookie policy under the analytics or product analytics category, with their durations. In your privacy notice describe LiveSession as your session replay processor, the EU hosting on AWS Frankfurt, the masking strategy, the retention period and the user's right to opt out and to request erasure of recordings.