FullStory

FullStory

User behavior analytics and website feedback platform that collects quantitative data through heatmaps and session recordings alongside qualitative data through on-site surveys. The FullStory script captures the full DOM state at each moment to enable pixel-perfect session replay.

Back to Vendor Library

Overview

FullStory is a user behavior analytics and digital experience platform that captures detailed session recordings, heatmaps, funnel analytics, and on-site survey responses. It enables product, UX, and engineering teams to replay individual user sessions with pixel-perfect DOM reconstruction, giving teams the ability to understand exactly what a user saw and did during any session. FullStory is widely used at mid-market and enterprise SaaS, e-commerce, and financial services companies.

What This Script Does

The FullStory script loads from edge.fullstory.com/s/fs.js and continuously records the state of the browser during a visitor session:

Session capture

  • Captures every mouse movement, click, scroll, keyboard input, page navigation, and DOM mutation during the session
  • Reconstructs the full visual state of each page at every moment using serialized DOM snapshots and incremental DOM mutations — enabling frame-accurate session replay
  • Records network timing, resource loading, and JavaScript errors as part of the session timeline
  • Data is transmitted continuously or in batches to FullStory's ingestion infrastructure at rs.fullstory.com

User identification and session stitching

  • Sets the fs_uid first-party cookie (persistent, typically 1 year) to identify returning users and stitch sessions across visits
  • When the application calls FS.identify(), the cookie-based anonymous ID is linked to a known user ID, allowing customer success and support teams to look up sessions for specific users
  • Sets fs_lua (last user activity timestamp) and fs_ses (session ID) as supporting first-party cookies

Sensitive data handling

  • FullStory applies automatic exclusion rules for common sensitive form fields (password inputs, credit card fields with autocomplete attributes)
  • Developers must manually mark additional sensitive fields with data-recording-ignore or use FullStory's element exclusion API — keyboard inputs not explicitly excluded are recorded verbatim
  • Text rendering uses DOM snapshot capture, meaning visible text content on the page is included in recordings unless excluded

Device and environment metadata

  • Collects browser, OS, device type, screen dimensions, viewport size, and geolocation (country/region level) for session enrichment

Consent & Compliance

  • Category: Analytics
  • GDPR: FullStory is a high-sensitivity analytics tool. It captures granular user behavior including keystrokes and visible page content, which can constitute processing of personal data — particularly if form inputs or visible user-generated content include names, emails, or other identifiable information. Under GDPR, FullStory requires analytics consent before initialization. Many organizations configure FullStory not to fire until after consent is granted. FullStory itself recommends consent-based initialization for GDPR-regulated deployments.
  • Data transfers: FullStory is a US company headquartered in Atlanta, Georgia. Data is processed in the US by default. FullStory offers EU data residency (data stored within the EU) for customers with data residency requirements. EU-US Data Privacy Framework applies.
  • Cookies set: fs_uid (1st party, 1 year), fs_lua (1st party, session), fs_ses (1st party, session)
  • DPA: FullStory provides a standard Data Processing Agreement covering GDPR obligations.

Should You Block This Without Consent?

Yes — with analytics consent. FullStory captures detailed behavioral data including keystrokes and DOM content. It requires analytics consent before initialization. Do not load the FullStory script for visitors who have not consented. Consider configuring FullStory's privacy controls to exclude sensitive field values even after consent is granted, and document FullStory in your privacy policy as a session recording tool with a link to FullStory's own privacy documentation.

Visit website

Consent Categories

Analytics

Also Known As

FullStorysession replayheatmap analyticsFS.jsFullStory scriptuser session recording

Industries

Programming and Developer SoftwareComputers Electronics and Technology

Tracked Domains (3)

fullstory.comAnalytics
rs.fullstory.comAnalytics
edge.fullstory.comAnalytics

Frequently Asked Questions

Does FullStory require analytics consent?

Yes. FullStory captures detailed behavioral data including mouse movements, keystrokes, and full DOM content. Under GDPR, this constitutes personal data processing that requires analytics consent before initialization. FullStory itself recommends consent-based initialization for regulated deployments.

What data does FullStory collect?

FullStory records every mouse movement, click, scroll, keyboard input, and DOM mutation during a session. It sets an fs_uid cookie (1 year) to identify returning users and stitch sessions. Device metadata including browser, OS, and country-level location are collected automatically.

How does ConsentStack block FullStory?

ConsentStack prevents the FullStory script from loading until a visitor grants analytics consent. Visitors who decline will have no session data captured. For visitors who consent, ConsentStack loads FullStory and recommends configuring element exclusions to protect sensitive field inputs.

Related Vendors

Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Microsoft
Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.
Microsoft Dynamics 365
Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.
LinkedIn Insight Tag
LinkedIn Insight Tag
LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.

Manage consent for FullStory

ConsentStack automatically detects and manages FullStory trackers so your site stays compliant with global privacy regulations.

Get started