docs(sdks): Add spec for dataCollection option to supersede sendDefaultPii

[s1gr1d]

This PR extends the Data Collection spec so it is the single place for what SDKs collect and how they scrub it. It adds concrete denylist behavior, request-body and cookie rules, and pulls in the relevant scrubbing behavior from the Data Handling doc.

• Data Collection spec (/sdk/foundations/client/data-collection/)
  • https://develop-docs-git-sig-data-collection-options.sentry.dev/sdk/foundations/client/data-collection/

IS YOUR CHANGE URGENT?

Help us prioritize incoming PRs by letting us know when the change needs to go live.

• Urgent deadline (GA date, etc.):
• Other deadline:
• None: Not urgent, can wait up to 1 week+

SLA

• Teamwork makes the dream work, so please add a reviewer to your PRs.
• Please give the docs team up to 1 week to review your PR unless you've added an urgent due date to it.
  Thanks in advance for your help!

PRE-MERGE CHECKLIST

Make sure you've checked the following before merging your changes:

• Checked Vercel preview for correctness, including links
• PR was reviewed and approved by any necessary SMEs (subject matter experts)
• PR was reviewed and approved by a member of the Sentry docs team

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
develop-docs	Ready	Preview, Comment	Mar 9, 2026 9:38am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
sentry-docs	Ignored	Preview	Mar 9, 2026 9:38am

[stephanie-anderson]

This page does not exist anymore - we moved the PII related content to
https://develop.sentry.dev/sdk/foundations/data-scrubbing/

[cleptric]

We should include some more general information, such as how we expect the default snippet too like now, which is very minimal and in-line with the behavior of sendDefualtPii.

sentry.init({
  dsn: '...',
})

// or with user information

sentry.init({
  dsn: '...',
  dataCollection: {
    includeUserInfo: true,     
  }
})

and also mention the reasoning of this change. In particular, we should highlight that we now include more context by default, without a change in our position to be privacy first.

[itaybre]

This make sense, but got some questions here

[itaybre]

m: We have some additional filtered headers on cocoa that may be relevant here (https://github.com/getsentry/sentry-cocoa/blob/main/Sources/Swift/Core/Tools/HTTPHeaderSanitizer.swift#L8): X-REAL-IP and REMOTE-ADDR

[itaybre]

m: Should the same apply for response bodies? This is (or will be, depends on the SDK) being recorded now for Session Replay

[itaybre]

This configuration is set in SessionReplay configuration, it may be worth aligning there

[itaybre]

Thanks for the clarification 👍

[itaybre]

h: What about request paths?
Some requests may be identifiable, like /user/USER_ID
Should we have a denylist/allowlist for url paths?

[s1gr1d]

Good question 🤔
What we currently do in JS: When we either know it's a param route, we use the appropriate parametrized route name (e.g. user/:id) as the transaction name but the full URL (e.g. user/123) is still added in the attributes. @cleptric Any opinions on that?