From 798a9d92b906505b571f126727dc1641189e27f3 Mon Sep 17 00:00:00 2001 From: Roman Zavarnitsyn Date: Mon, 9 Feb 2026 11:30:39 +0100 Subject: [PATCH 1/3] chore(devdocs): Update data handling notes for user objects Clarified that user-defined User objects on the scope are not stripped. --- develop-docs/sdk/expected-features/data-handling.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/develop-docs/sdk/expected-features/data-handling.mdx b/develop-docs/sdk/expected-features/data-handling.mdx index 1cd4b482596c6..e93c77f993596 100644 --- a/develop-docs/sdk/expected-features/data-handling.mdx +++ b/develop-docs/sdk/expected-features/data-handling.mdx @@ -28,6 +28,7 @@ Some examples of data guarded by `send_default_pii: false`: - HTTP Headers: header values, containing information about the user are replaced with `"[Filtered]"` - _Note_ that if a user explicitly sets a request on the scope, nothing is stripped from that request. The above rules only apply to integrations that come with the SDK. - User-specific information (e.g. the current user ID according to the used web-framework) is not collected and therefore not sent at all. + - _Note_ that if a user manually sets a User object on the scope, nothing is stripped from that object. The above rule only applies to integrations that come with the SDK. - On desktop applications - The username logged in the device is not included. This is often a person's name. - The machine name is not included, for example `Bruno's laptop` From 6952f66e2a10e2729c890533889cfb18e6987036 Mon Sep 17 00:00:00 2001 From: Roman Zavarnitsyn Date: Mon, 9 Feb 2026 12:51:39 +0100 Subject: [PATCH 2/3] Update data handling guidelines in SDK documentation Clarified the handling of sensitive data in SDK documentation, including details on PII flags and data filtering rules. --- develop-docs/sdk/expected-features/data-handling.mdx | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/develop-docs/sdk/expected-features/data-handling.mdx b/develop-docs/sdk/expected-features/data-handling.mdx index e93c77f993596..b197060f02393 100644 --- a/develop-docs/sdk/expected-features/data-handling.mdx +++ b/develop-docs/sdk/expected-features/data-handling.mdx @@ -13,6 +13,12 @@ In the event that API returns data considered PII, we guard that behind a flag c This is an option in the SDK called [_send-default-pii_](https://docs.sentry.io/platforms/python/configuration/options/#send-default-pii) and is **disabled by default**. That means that data that is naturally sensitive is not sent by default. + + +When a user manually sets the data on the scope (user, contexts, tags, data, request, response, etc.), this data should not be gated by the _Send Default PII_ flag and should always be attached to all outgoing telemetry. + + + Certain sensitive data must never be sent through SDK instrumentation, regardless of any configuration: - HTTP Headers: The keys of known sensitive headers are added, while their values must be replaced with `"[Filtered]"`. 
@@ -26,9 +32,7 @@ Some examples of data guarded by `send_default_pii: false`: - When attaching data of HTTP requests and/or responses to events - Request Body: "raw" HTTP bodies (bodies which cannot be parsed as JSON or FormData) are removed - HTTP Headers: header values, containing information about the user are replaced with `"[Filtered]"` - - _Note_ that if a user explicitly sets a request on the scope, nothing is stripped from that request. The above rules only apply to integrations that come with the SDK. - User-specific information (e.g. the current user ID according to the used web-framework) is not collected and therefore not sent at all. - - _Note_ that if a user manually sets a User object on the scope, nothing is stripped from that object. The above rule only applies to integrations that come with the SDK. - On desktop applications - The username logged in the device is not included. This is often a person's name. - The machine name is not included, for example `Bruno's laptop` From fbd363f74d59624bd69102e4d5b21860970c9602 Mon Sep 17 00:00:00 2001 From: Roman Zavarnitsyn Date: Mon, 9 Feb 2026 17:41:09 +0100 Subject: [PATCH 3/3] Apply suggestion from @romtsn --- develop-docs/sdk/expected-features/data-handling.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/develop-docs/sdk/expected-features/data-handling.mdx b/develop-docs/sdk/expected-features/data-handling.mdx index b197060f02393..07344f7b0e80d 100644 --- a/develop-docs/sdk/expected-features/data-handling.mdx +++ b/develop-docs/sdk/expected-features/data-handling.mdx 
@@ -15,7 +15,7 @@ and is **disabled by default**. That means that data that is naturally sensitive -When a user manually sets the data on the scope (user, contexts, tags, data, request, response, etc.), this data should not be gated by the _Send Default PII_ flag and should always be attached to all outgoing telemetry. +When a user manually sets the data on the scope (user, contexts, tags, data, request, response, etc.), this data should not be gated by the _Send Default PII_ flag and should always be attached to all outgoing telemetry. This also applies to the data that the user manually sets on a span, log, metric and other types of telemetry (directly or, for example, via `BeforeSend`).
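Review bot: In patch 1/3 (hunk `@@ -28,6 +28,7 @@`), the added note under "User-specific information" is deleted again by the second hunk of patch 2/3, so the series adds and removes the same line. Squash 1/3 into 2/3, or drop it, so the history shows only the final wording. If the note is kept for any reason, it sits under a bullet that says the data "is not collected", so "nothing is stripped from that object" reads oddly there; "that object is sent as set" would fit the parent bullet better.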
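Review bot: In patch 2/3 (hunk `@@ -13,6 +13,12 @@`), the new paragraph says user-set scope data should "always be attached to all outgoing telemetry", and the very next paragraph says certain data "must never be sent through SDK instrumentation, regardless of any configuration". The precedence between the two is left to the reader: for a request that a user sets on the scope with a known sensitive header, it is unclear whether the value is replaced with `"[Filtered]"` or sent as is. State explicitly that the never-send list covers only data collected by SDK integrations (or that it also covers user-set data, if that is the intent). The paragraph also uses "should" where the neighbouring rule uses "must"; pick the normative word SDK authors are expected to implement against.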
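Review bot: In patch 2/3 (hunk `@@ -26,9 +32,7 @@`), the two removed notes stated that "nothing is stripped" from a user-set request or User object, while the paragraph that replaces them only says the data is "not gated by the _Send Default PII_ flag". Gating and stripping are different guarantees: the remaining bullets in this list still describe header values being replaced with `"[Filtered]"` and raw bodies being removed, and after this change nothing says those transformations are skipped for user-set data. Carry the "nothing is stripped" wording into the new paragraph so the guarantee is not lost in the move.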
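Review bot: In patch 3/3 (hunk `@@ -15,7 +15,7 @@`), the added sentence names the callback as `BeforeSend`, while the same file writes option names in snake_case (`send_default_pii`); use one naming style, or refer to the callback generically, since this page applies to all SDKs. The parenthetical "directly or, for example, via `BeforeSend`" also widens the exemption to anything a callback writes onto a span, log or metric, so it is worth one more sentence saying that scrubbing such data becomes the user's responsibility. Minor wording: "the data that the user manually sets" reads better as "data that the user manually sets".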