
How to configure rtcstats-server for privacy

Anonymize IP addresses, strip PII, and configure rtcstats-server to comply with your data privacy requirements.

rtcstats-server acts as a privacy gateway between your users and the rtcstats.com analysis platform. By configuring it properly, you ensure that no sensitive data leaves your infrastructure unless you explicitly allow it.

What data contains PII?

WebRTC metrics collected by rtcstats-js may include:

| Data type | Where it appears | PII risk |
|---|---|---|
| IP addresses | ICE candidates (local, remote, relay) | High - can identify users and locations |
| Device names | Media device enumeration | Low - but can fingerprint users |
| User identifiers | Passed via rtcstats.js configuration | Depends on what you pass |
| Page URL | rtcstats-server gathers the URL the websocket is connecting to and the origin | |

Most getStats() metrics (packet counts, bitrates, jitter, etc.) are purely technical and contain no PII.

IP address anonymization

IP address anonymization is the most common privacy configuration. rtcstats-server masks IP addresses before storing or forwarding data, and by default it does so for every IP address it encounters. Since rtcstats-server is installed and maintained by you, this is the safest approach available on the market today.

User identifier handling

If you pass user IDs via rtcstats-js (as userId), you control what that contains.

Don't set the user ID to PII. Do not assign a user name or an email address as the user ID. Either hash it first or, even better, use a randomly generated UUID that you can associate back to the user.

The same rules apply to conference ID and session ID, though the risk there is lower.

Controlling what gets forwarded to rtcstats.com

rtcstats-server stores the data anonymized per your configuration. When forwarding to rtcstats.com for analysis, the file will be sent "as is".

Verifying your privacy configuration

After configuring, verify that the anonymization is working:

  • Inspect a stored rtcstats file and check for IP addresses and URLs
  • Upload a test session and verify no PII appears in rtcstats.com
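
One way to automate the first check, as an added example (not rtcstats-server code): a JavaScript scanner that reports complete IPv4/IPv6 addresses and URLs still present in dump text. It assumes the stored file is line-oriented text and that a masked address no longer parses as a full IP; `scanDump`, its helpers and the sample lines are constructed for illustration.

```javascript
// Added example: scan rtcstats dump text for values that should not survive anonymization.
// Assumptions: the dump is line-oriented text, and a masked address no longer parses
// as a complete IP address. All names here are hypothetical, not project APIs.

const IPV4_RE = /(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])/g;
const IPV6_RE = /(?<![0-9A-Za-z:.])[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(?![0-9A-Za-z:.])/g;
const URL_RE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'\\<>]+/gi;

// Four dotted parts are only an address if every octet is in range.
function isIPv4(s) {
  return s.split('.').every((octet) => Number(octet) <= 255);
}

// Rejects timestamps, MAC addresses and DTLS fingerprints, which also contain colons:
// an IPv6 address has exactly 8 groups, or fewer with a single "::" compression.
function isIPv6(s) {
  const halves = s.split('::');
  if (halves.length > 2) return false;
  const groups = halves.flatMap((h) => (h === '' ? [] : h.split(':')));
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return false;
  return halves.length === 2 ? groups.length >= 1 && groups.length <= 7 : groups.length === 8;
}

// Returns one finding per leaked value: { line, kind, value }.
function scanDump(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const add = (kind, value) => findings.push({ line: i + 1, kind, value });
    for (const m of line.match(URL_RE) || []) add('url', m);
    for (const m of line.match(IPV4_RE) || []) if (isIPv4(m)) add('ipv4', m);
    for (const m of line.match(IPV6_RE) || []) if (isIPv6(m)) add('ipv6', m);
  });
  return findings;
}

// Constructed sample lines (not real rtcstats-server output); the ".x" mask is hypothetical.
const SAMPLE = [
  '{"candidate":"candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host"}',
  '{"candidate":"candidate:2 1 udp 1686052607 203.0.113.x 54321 typ srflx"}',
  '{"candidate":"candidate:3 1 udp 2122262783 2001:db8::1f 54322 typ host"}',
  '{"url":"wss://stats.example.internal/room/1234","time":"12:34:56"}',
  '{"fingerprint":"sha-256 AB:CD:EF:01:23:45:67:89:AB:CD"}',
].join('\n');

console.log(scanDump(SAMPLE));
```

Run it over the text of a stored file and treat any `ipv4` or `ipv6` finding as a masking failure; `url` findings show which URLs and origins the file carries so you can decide whether they are acceptable to forward.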

GDPR and compliance considerations

For detailed guidance on regulatory compliance, see Data privacy and compliance.

Key points:

  • rtcstats-server runs in your infrastructure - you are the data controller
  • rtcstats.com only receives what you send it - configure accordingly
  • The self-hosted mediation layer is specifically designed to satisfy data residency requirements
