Never send secrets
Do not send:- Passwords or password-reset values
- Session cookies or authorization headers
- Access tokens, refresh tokens, or private API keys
- Payment card or bank-account details
- Private message bodies or document contents
- Full keystrokes or unredacted form submissions
- Raw error objects, request objects, or stack traces
Collect the minimum customer data
Send aclient field only when the event needs it and the visitor’s consent state permits it.
Redact errors before tracking
Map internal failures to a small safe vocabulary.error, error.message, request bodies, or user-generated content.
Respect consent and deletion choices
- Start optional customer-data tracking only after the required consent state is available.
- Stop sending optional fields when consent changes.
- Keep your event catalog and privacy notice consistent.
- Apply your retention and deletion process to the identifiers you send.
- Review new custom properties before releasing them.
Keep browser identity in scope
getBilyTrackingId() returns a browser identifier, not proof of account identity. Never use it for authorization. Use a verified session on your server for protected actions.
Content security policy
init({ nonce }) can copy your server-generated nonce onto the script element. A nonce is a browser policy control, not an event property. Do not send it through track().
Release review
Before shipping a tracking change:- Inspect the exact event payload in a development environment.
- Remove fields that are not required for the stated analysis.
- Confirm no secret can enter through object spreading.
- Test signed-out, signed-in, and consent-denied states.
- Search the built browser assets for private tokens and credentials.
Client data guide
Review the supported customer fields and identity boundaries.
Privacy governance
Add ownership, classification, credential, and production controls.