- Payment Card Industry Data Security Standard (PCI-DSS)
- EU-US Privacy Shield
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Other Compliance FAQs
Payment Card Industry Data Security Standard
What is the Payment Card Industry Data Security Standard (PCI-DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) refers to a set of industry-mandated requirements for any business that handles, processes, or stores credit cards – regardless of the business's size or location.
Is Hotjar Payment Card Industry Data Security Standard (PCI-DSS) compliant?
Hotjar has completed a self-assessment process (SAQ-A) that permits us to accept card-not-present payments by fully outsourcing all cardholder data functions to our PCI-DSS compliant third-party vendor, Braintree, with no electronic storage, processing or transmission of any cardholder data on Hotjars infrastructure.
Braintree’s environment meets the highest industry standards and guidelines: Level 1 PCI-DSS Compliance.
Is Hotjar’s PCI-DSS Compliance Certificate publicly available?
Yes - Hotjar holds a Certificate of PCI-DSS Merchant Compliance. You can view our certificate here.
EU-US Privacy Shield
What is the EU-US Privacy Shield Framework?
The Court of Justice of the European Union (CJEU) has struck down the EU-US Privacy Shield Framework. This means that data controllers in the European Union (EU) can no longer rely on certifications of data recipients in the United States (US) under the Privacy Shield to justify the transfer of personal data from the EU to the US.
For more information, read Hotjar’s article on the EU-US Privacy Shield.
General Data Protection Regulation (GDPR)
Does Hotjar need to comply with the EU-US Privacy Shield Framework?
Since Hotjar is a company registered in the EU, it does not need to comply with this framework. For more information about this, please visit our EU-US Privacy Shield Framework article.
What is the General Data Protection Regulation (GDPR)?
The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union (EU). The regulation became effective and enforceable on the 25th May 2018. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on handling data. We have more information about the GDPR on our GDPR commitment page.
What does the GDPR regulate?
The GDPR regulates the processing of a data subject’s personal data in the European Union including its collection, storage, and transfer or use. The GDPR gives data subjects more rights and control over their data by regulating how you should handle and store any personal data they collect.
What is personal data?
In the GDPR, personal data is any data related to an individual or identifiable person. Personal data includes names, email addresses, and government-issued identification numbers. Any data or a combination of data, which can be used to identify you is personal data under the GDPR.
Who does the GDPR apply to?
The provisions of the GDPR apply to any entity that processes personal data of individuals in the European Union (EU), including tracking their online activities, regardless of whether the entity has a physical presence in the EU.
We are not based in the EU. Do we still need to comply?
Yes! If you are an entity outside the EU, you should still be aware of the GDPR and comply with it if you process personal data of individuals in the EU.
What is Hotjar's commitment to compliance with GDPR?
Hotjar has undertaken the required business and technological steps to operate in a manner compliant with GDPR. We have our GDPR commitment documented in full.
Does Hotjar have a Data Protection Officer (DPO)?
Yes - Hotjar has appointed a DPO to ensure that Hotjar processes all personal data it collects in compliance with the GDPR. You may contact Hotjar’s DPO at email@example.com.
What controls has Hotjar put in place to help its customers use its tools and services in a GDPR compliant manner?
Hotjar was designed and built with privacy in mind. Our approach keeps end-user privacy at the center of what we do. At Hotjar we’ve developed a number of compliance controls to help our customers use Hotjar in a GDPR compliant manner.
As a Hotjar customer, what do I need to do to use Hotjar in a GDPR compliant manner?
Depending on your situation and jurisdiction, below are the measures which we can foresee you need to take as a result of using Hotjar:
If you are in the European Union, you’ll likely want to sign a Data Processing Agreement with Hotjar. We’re happy to do so. Working with outside counsels in Germany and Malta we’ve updated this document to be in compliance with the GDPR and other generally acceptable privacy laws. If you have any questions about its contents simply email firstname.lastname@example.org.
Is Hotjar a Data Processor and/or a Data Controller under the GDPR?
A Data Controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A Data Processor is the entity which processes personal data on behalf of the controller.
In your entity's relationship with Hotjar, you are the Data Controller of your end user's personal data (assuming you are capturing some) and Hotjar is the Data Processor.
With respect to your entity's own data, Hotjar is the Data Controller.
Who are Hotjar's Sub-Processors and where are they located?
Hotjar has only one sub-processor, Amazon Web Services, which is located at the eu-west-1 datacenter located in Ireland (European Union).
Do you inform your customers if there is a change in Hotjar’s Sub-Processors?
In case of a change in our sub-processors, we will inform our customers of the new sub-processor and the scope of the planned sub-processing in writing ten (10) days in advance of this change.
California Consumer Privacy Act (CCPA)
What is Hotjar's commitment to compliance with the CCPA?
As a privacy-centric company, Hotjar is excited to see the subject of privacy get more attention. We’ve made a number of enhancements in preparation for the CCPA. Our commitment to CCPA compliance and further information about the efforts undertaken by Hotjar in this respect can be found on our CCPA commitment page.
How do I use Hotjar to be compliant with CCPA?
You can check out how our tools can be used in a manner that supports the requirements of CCPA through the following:
- Personal Information Access and Deletion Requests via Visitor Lookup
- Deleting a Hotjar Data Element
- Suppressing Text and Collected Data
- Data Retention of data collected by Hotjar
Hotjar has made many product and process enhancements in preparation for the CCPA which we’ve documented through our CCPA commitment page.
As a Hotjar customer, do I meet the basic requirements of the CCPA?
The CCPA is a large piece of legislation and covers many topics that have no direct impact or tie with your use of Hotjar. However, there are areas of the CCPA where your customers might have rights that relate to your use of Hotjar. We’ve included a brief explanation of their rights and how Hotjar can be used in a manner that supports you in servicing them below.
Other Compliance FAQs
Where does Hotjar store my data?
All data which is collected by Hotjar is stored electronically within a secure Cloud Service Provider, Amazon Web Services’ infrastructure, eu-west-1 datacenter in Ireland (European Union).
Does Hotjar transfer any of my data outside of the European Union?
No - all data which Hotjar collects is stored with Amazon Web Services’ infrastructure, eu-west-1 datacenter in Ireland (European Union).