---
title: "Data Collected"
description: "See what data is collected by the Sentry SDK."
url: https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected/
---

# Data Collected | Sentry for Effect

Sentry takes data privacy very seriously and has default settings in place that prioritize data safety, especially when it comes to personally identifiable information (PII) data. When you add the Sentry SDK to your application, you allow it to collect data and send it to Sentry during the runtime and build time of your application.

The category types and amount of data collected vary, depending on the integrations you've enabled in the Sentry SDK. This page lists data categories that the Sentry JavaScript SDK collects.

##### Options to control data collection

You can control many of the categories listed here with the [`dataCollection` option](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/options.md#dataCollection), which lets you opt in or out of each data category individually. The [`sendDefaultPii` option](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/options.md#sendDefaultPii) is still supported, but deprecated as of version `10.54.0`.

How much data the SDK collects by default depends on which option you use. Without `dataCollection` (and with `sendDefaultPii` unset or `false`), the SDK collects conservatively, and the defaults described on this page apply. As soon as you pass a `dataCollection` object, the categories you don't set explicitly fall back to their `dataCollection` defaults, which are more permissive. For example, cookies, query parameters (with sensitive values scrubbed), and AI message content are then collected unless you opt out. Setting `sendDefaultPii: true` is equivalent to enabling all `dataCollection` categories. If both are set, `sendDefaultPii` is ignored.

Regardless of these options, you can always scrub any data before it's sent to Sentry. See [Scrubbing Sensitive Data](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/sensitive-data.md) for details.

## [HTTP Headers](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#http-headers)

By default, the Sentry SDK sends HTTP request and response headers.

Use the `dataCollection.httpHeaders` option to control this. For example, set `dataCollection: { httpHeaders: false }` to disable it, or use `{ allow: [...] }` or `{ deny: [...] }` to restrict which header values are sent. Values whose keys match Sentry's built-in sensitive denylist (such as `auth`, `token`, or `password`) are automatically scrubbed, while the keys are kept.

## [Cookies](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#cookies)

By default, the Sentry SDK doesn't send cookies. When using `dataCollection`, however, cookies are collected with sensitive values (like `token` or `key`) scrubbed. Opt out by setting `dataCollection: { cookies: false }`.

To collect cookies when not using `dataCollection`, set the deprecated `sendDefaultPii: true` in `Sentry.init()`. You can also restrict which cookie values are sent using `{ allow: [...] }` or `{ deny: [...] }`.

## [Information About Logged-in User](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#information-about-logged-in-user)

When using `dataCollection`, the SDK automatically populates user identity fields (`user.id`, `user.email`, `user.username`) from instrumentation. To disable this, set `dataCollection: { userInfo: false }`.

Without `dataCollection` (and with `sendDefaultPii` unset or `false`), user identity fields are not sent automatically. Some integrations (e.g. [User Feedback](https://docs.sentry.io/platforms/javascript/guides/effect/user-feedback.md)) may still send data like the user ID, username, and email address when explicitly configured.

## [Users' IP Address and Location](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#users-ip-address-and-location)

When using `dataCollection`, the SDK sends the user's IP address by default. To disable it, set [`dataCollection: { userInfo: false }`](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/options.md#dataCollection).

Without `dataCollection` (and with `sendDefaultPii` unset or `false`), the user's IP address is not sent. In some integrations such as [`handleRequest`](https://docs.sentry.io/platforms/javascript/guides/effect/guides/astro.md#customize-server-instrumentation) in Astro, the user's IP address can also be sent by enabling `trackClientIp`.

If sending the IP address is enabled, we will try to infer the IP address or use the IP address provided by `ip_address` in [`Sentry.setUser()`](https://docs.sentry.io/platforms/javascript/guides/effect/apis.md#setUser). If you set `ip_address: null`, the IP address won't be inferred.

Even when this is disabled, IP addresses can still reach Sentry through collected HTTP headers, cookies, or query parameters (for example, the `X-Forwarded-For` header). If you use `dataCollection`, add these terms to the partially-matched deny lists for those categories so their values are filtered:

```JavaScript
Sentry.init({
  dsn: "https://<key>@o<orgId>.ingest.sentry.io/<projectId>",
  dataCollection: {
    httpHeaders: { deny: ["forwarded", "-ip", "remote-", "via", "-user"] },
    cookies: { deny: ["forwarded", "-ip", "remote-", "via", "-user"] },
    queryParams: { deny: ["forwarded", "-ip", "remote-", "via", "-user"] },
  },
});
```
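
To check which header names a set of deny terms actually covers, the following added example (not part of Sentry's SDK or documentation) audits the terms above against a constructed list of header names. It assumes a term matches when it is a case-insensitive substring of the key; `matchingTerm` and `auditDenyList` are hypothetical helper names.

```javascript
// Terms copied from the deny lists in the configuration above.
const DENY_TERMS = ["forwarded", "-ip", "remote-", "via", "-user"];

// Constructed sample: header names that commonly carry client addresses or user names.
const SAMPLE_HEADERS = [
  "Forwarded",
  "X-Forwarded-For",
  "X-Real-IP",
  "CF-Connecting-IP",
  "True-Client-IP",
  "Via",
  "X-Remote-User",
  "X-Azure-ClientIP",
  "X-Envoy-External-Address",
];

// Assumption: a term matches when it is a case-insensitive substring of the key.
function matchingTerm(key, terms) {
  const lower = key.toLowerCase();
  return terms.find((term) => lower.includes(term.toLowerCase())) || null;
}

// Splits the keys into those a deny term would filter and those it would not.
function auditDenyList(keys, terms) {
  const covered = {};
  const uncovered = [];
  for (const key of keys) {
    const term = matchingTerm(key, terms);
    if (term) {
      covered[key] = term; // record which term caught the key
    } else {
      uncovered.push(key); // value would still be sent
    }
  }
  return { covered, uncovered };
}

const report = auditDenyList(SAMPLE_HEADERS, DENY_TERMS);
console.log("covered:", report.covered);
console.log("uncovered:", report.uncovered);
```

Any name reported as uncovered needs its own deny term if your proxies or CDN set it.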

## [Request URL](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#request-url)

The full request URL of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data. For example, in a URL like `/users/1234/details`, `1234` is a user ID, which may be considered PII.
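
One way to keep path-embedded identifiers such as the `1234` above out of Sentry is to rewrite URLs in a `beforeSend` hook. This is an added example, not part of Sentry's SDK or documentation; `scrubSegment`, `scrubUrl`, and `scrubEventUrls` are hypothetical helper names, and the placeholder strings are arbitrary.

```javascript
// Added example (not Sentry code): redact identifier-like URL path segments.
const NUMERIC = /^\d+$/;
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const EMAIL = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function scrubSegment(segment) {
  let decoded = segment;
  try {
    decoded = decodeURIComponent(segment); // catches %40-encoded e-mail addresses
  } catch {
    // malformed escape sequence: classify the raw segment instead
  }
  if (NUMERIC.test(decoded)) return "[id]";
  if (UUID.test(decoded)) return "[uuid]";
  if (EMAIL.test(decoded)) return "[email]";
  return segment;
}

function scrubUrl(url) {
  if (typeof url !== "string") return url;
  // Query string and fragment pass through unchanged; this example handles the path only.
  const cut = url.search(/[?#]/);
  const head = cut === -1 ? url : url.slice(0, cut);
  const tail = cut === -1 ? "" : url.slice(cut);
  // Keep scheme://host:port as is so ports and IP literals are not rewritten.
  const m = head.match(/^([a-z][a-z0-9+.-]*:\/\/[^/]*)(.*)$/i);
  const origin = m ? m[1] : "";
  const path = m ? m[2] : head;
  return origin + path.split("/").map((s) => scrubSegment(s)).join("/") + tail;
}

// Hypothetical hook: rewrites the URL-bearing fields of an error event in place.
function scrubEventUrls(event) {
  if (event.request && event.request.url) {
    event.request.url = scrubUrl(event.request.url);
  }
  for (const crumb of event.breadcrumbs || []) {
    for (const key of ["url", "from", "to"]) {
      if (crumb.data && typeof crumb.data[key] === "string") {
        crumb.data[key] = scrubUrl(crumb.data[key]);
      }
    }
  }
  return event;
}

// Wiring (requires the SDK, so shown as a comment):
// Sentry.init({ dsn: "...", beforeSend: scrubEventUrls });
```

`beforeSend` only sees error events, so URLs recorded on transactions and spans need the same rewrite in their own hooks.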

## [Request Query String](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#request-query-string)

By default, the full request query string of outgoing and incoming HTTP requests is sent to Sentry. Depending on your application, this could contain PII data. For example, in a query string like `?user_id=1234`, `1234` is a user ID, which may be considered PII.

Use the `dataCollection.queryParams` option to control this. Set it to `false` to disable collection entirely, or use `{ allow: [...] }` / `{ deny: [...] }` to filter which values are sent. When `dataCollection` is used, values whose keys match the built-in sensitive denylist (terms like `auth`, `token`, `password`, and `secret`) are scrubbed automatically.

Sentry also has some additional [server-side data scrubbing](https://docs.sentry.io/security-legal-pii/scrubbing/server-side-scrubbing.md) in place to remove sensitive data from the query string.

## [Request Body](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#request-body)

When using `dataCollection`, incoming and outgoing request bodies are collected by default. To disable body collection, set `dataCollection: { httpBodies: [] }`. You can also collect only specific body types by providing a subset: `"incomingRequest"`, `"outgoingRequest"`, `"incomingResponse"`, and `"outgoingResponse"`.

```js
Sentry.init({
  dsn: "https://<key>@o<orgId>.ingest.sentry.io/<projectId>",
  dataCollection: {
    httpBodies: ["incomingRequest", "outgoingRequest"],
  },
});
```

Without `dataCollection` (and with `sendDefaultPii` unset or `false`), Sentry only sends the body size inferred from the `content-length` header, not the body content itself.

On the server-side, the incoming request body is captured by default. You can disable sending the incoming request body by configuring `ignoreIncomingRequestBody` in the [HTTP Integration](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/http.md).

## [Server-Side Request Data](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#server-side-request-data)

On the server-side, the [RequestData Integration](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/requestdata.md) captures incoming request data including cookies, headers, query strings, request body (`data`), URL, and user information. By default, most of these fields are captured (except IP address).

##### Upcoming Changes in v11

In version 11, the default behavior of the RequestData integration will likely change to be more privacy-conscious. Fields like `cookies`, `data`, `headers`, `query_string`, and `user` will default to `false` instead of `true`. To continue capturing this data after upgrading to v11, you'll need to either explicitly configure the [RequestData Integration](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/requestdata.md) or set [`sendDefaultPii: true`](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/options.md#sendDefaultPii).

## [Response Body](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#response-body)

When using `dataCollection`, incoming and outgoing response bodies are collected by default. To disable response body collection, set `dataCollection: { httpBodies: [] }` (which disables all body types), or provide a subset that excludes the response types.

Without `dataCollection` (and with `sendDefaultPii` unset or `false`), Sentry only sends the response body size based on the `content-length` header, not the content itself.

## [Source Context](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#source-context)

By default, SDKs set up by the Sentry CLI Wizard (`@sentry/wizard`) will enable uploading source maps to Sentry.

To disable source map upload, see [the Source Maps documentation](https://docs.sentry.io/platforms/javascript/guides/effect/sourcemaps.md).

## [Local Variables In Stack Trace](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#local-variables-in-stack-trace)

In client-side JavaScript SDKs, the Sentry SDK does not send local variables in the error stack trace.

You can enable sending local variables by setting `includeLocalVariables: true` in the `Sentry.init()` call. This activates the [Local Variables Integration](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/localvariables.md). The integration is added by default in Node.js-based runtimes.

## [Device, Browser, OS and Runtime Information](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#device-browser-os-and-runtime-information)

By default, the Sentry SDK sends information about the device and runtime to Sentry.

In browser environments, this information is obtained from the User Agent string. The User Agent string contains information about the browser, operating system, and device type.

In server-side environments, the Sentry SDK uses the `os` module to get information about the operating system and architecture.

## [Session Replay](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#session-replay)

By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find [more details in the Session Replay documentation](https://docs.sentry.io/platforms/javascript/guides/effect/session-replay/privacy.md).

Session Replay also captures basic information about all outgoing fetch and XHR requests in your application. This includes the URL, request and response body size, method, and status code. If [`networkDetailAllowUrls`](https://docs.sentry.io/platforms/javascript/guides/effect/session-replay/configuration.md#network-details) are defined, the request and response body will be sent to Sentry as well. This can include PII data if the request or response body contains PII information.

Console messages are also captured by default in Session Replay. To scrub console messages, you can use the [`beforeAddRecordingEvent`](https://docs.sentry.io/platforms/javascript/guides/effect/session-replay/privacy.md#custom-scrubbing) option to filter console messages before they are sent to Sentry.

## [Console Logs](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#console-logs)

By default, the Sentry SDK sends JS console logs to Sentry as breadcrumbs, which may contain PII data.

To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config. See [the Breadcrumbs documentation](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/breadcrumbs.md).

## [Referrer URL](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#referrer-url)

By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page.

## [Stack Trace Context Lines](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#stack-trace-context-lines)

By default, the [Context Lines Integration](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/contextlines.md) is enabled. This integration sends the surrounding lines of code for each frame in the stack trace. This can include PII data if the code contains PII information.

## [Database Queries](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#database-queries)

By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parameterized.

MongoDB queries are sent as well, but the Sentry SDK will not send the full MongoDB query. Instead, it will send a parameterized version of the query.

## [tRPC Context](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#trpc-context)

When using `dataCollection`, tRPC input is collected by default because `httpBodies` includes `"incomingRequest"` by default. To disable it, set `dataCollection: { httpBodies: [] }` or use a list that excludes `"incomingRequest"`.

Without `dataCollection` (and with `sendDefaultPii` unset or `false`), tRPC input is not collected. You can still opt in per-middleware by setting `attachRpcInput: true` in the [`Sentry.trpcMiddleware()`](https://docs.sentry.io/platforms/javascript/guides/effect/configuration/integrations/trpc.md) options, regardless of the global `dataCollection` setting.

## [LLM Inputs And Responses](https://docs.sentry.io/platforms/javascript/guides/effect/data-management/data-collected.md#llm-inputs-and-responses)

When using AI integrations, metadata like model ID and used tokens is sent to Sentry.

The content of generative AI inputs (such as prompts and tool arguments) and outputs (such as completions) might carry personal data. Whether it's recorded depends on your configuration: it's not recorded by default with `sendDefaultPii`, but when you use `dataCollection`, the `genAI` category records both inputs and outputs unless you opt out. Metadata like model ID and token counts is always collected.

Use the `dataCollection.genAI` option to control this. For example, opt out of recording AI message content while keeping the metadata:

```JavaScript
Sentry.init({
  dsn: "https://<key>@o<orgId>.ingest.sentry.io/<projectId>",
  dataCollection: {
    genAI: {
      inputs: false,
      outputs: false,
    },
  },
});
```
