diff --git a/backend/server.js b/backend/server.js
index 6be7b7d..1bf59ff 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -161,13 +161,18 @@ app.use('/api/audit-logs', createAuditLogRouter());
 app.get('/api/recent-activity', requireAuth(), async (req, res) => {
     try {
         const limit = Math.min(15, Math.max(1, parseInt(req.query.limit) || 10));
+        // Hide impersonation events from non-Admin users
+        const excludedActions = ['login', 'logout', 'login_failed'];
+        if (req.user.group !== 'Admin') {
+            excludedActions.push('impersonate_start', 'impersonate_stop');
+        }
         const { rows } = await pool.query(
             `SELECT username, action, entity_type, entity_id, details, created_at
              FROM audit_logs
-             WHERE action NOT IN ('login', 'logout', 'login_failed')
+             WHERE action NOT IN (${excludedActions.map((_, i) => `$${i + 1}`).join(', ')})
              ORDER BY created_at DESC
-             LIMIT $1`,
-            [limit]
+             LIMIT $${excludedActions.length + 1}`,
+            [...excludedActions, limit]
         );
         res.json({ activities: rows });
     } catch (err) {