Observing without seeing the user

I need to know what broke. I don’t need to know whose screen it broke on. That distinction defines the whole observability layer.

The context

An app with no observability discovers its bugs through the support channel. An app with wild observability — full session replay, GPS coordinates in errors, user-event tracking — discovers bugs sooner, but loses the trust of a user base that travels precisely to disconnect.

The balance isn’t obvious. First instinct was not to ship it. Second instinct was to ship all of it. Neither is right.

The decision

Sentry SaaS (EU region) with aggressive scrubbing:

• Errors from backend + frontend + service worker, yes.
• PII (email, IP, name) scrubbed in the SDK before it leaves the client.
• GPS coordinates never sent to Sentry — not in error context, not in breadcrumbs.
• Sample rate < 100% on transactions (cost + noise).
• UI breadcrumbs carry action names only, not input values.

Why EU and not US. Most real users will be European (camper culture). Holding the data in EU simplifies the GDPR story — one fewer data processing addendum form, one fewer legitimate interest argument. The latency difference is negligible for error data.

What it’s not

To be explicit:

• Not analytics. I don’t measure retention, funnels or cohorts. If that ever becomes necessary, the tool will be separate and opt-in.
• Not session replay. I don’t record what you click. I have nothing capable of reproducing your session.
• Not always-on on the phone. The SDK doesn’t load before the user accepts the privacy policy; no service-worker tracking starts before then.

What’s next

One piece is missing to close the loop the first post opened. We started with three modes — plan, drive, recall — and I’ve covered two. In the next, and final, post of the series: the recall mode. What happens to the trip when you get home, how the generated blog stops being throwaway text and becomes the artifact you can take with you.