Common questions asked regarding compliance at Hotjar:
What is the Payment Card Industry Data Security Standard (PCI-DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the PCI Security Standards Council and enforced by the card brands. It applies to any organisation that stores, processes, or transmits cardholder data, regardless of the organisation's size or location.
Is Hotjar Payment Card Industry Data Security Standard (PCI-DSS) compliant?
Hotjar has completed Self-Assessment Questionnaire A (SAQ A), the assessment path for card-not-present merchants that fully outsource all cardholder data functions to a PCI DSS compliant third-party payment service provider. No cardholder data is electronically stored, processed, or transmitted on Hotjar's infrastructure. Note that SAQ A is a self-assessment backed by an Attestation of Compliance, not an independent audit by a Qualified Security Assessor.
Is Hotjar’s PCI-DSS Compliance Certificate publicly available?
Yes - Hotjar holds a Certificate of PCI-DSS Merchant Compliance. You can view our certificate here.
What is the EU-US Privacy Shield Framework?
The EU-US Privacy Shield Framework was a self-certification mechanism that allowed organisations in the United States (US) to receive personal data from the European Union (EU). On 16 July 2020, in Case C-311/18 (Schrems II), the Court of Justice of the European Union (CJEU) invalidated it. This means that data controllers in the EU can no longer rely on a data recipient's Privacy Shield certification to justify the transfer of personal data from the EU to the US.
For more information, read Hotjar’s article on the EU-US Privacy Shield.
Does Hotjar need to comply with the EU-US Privacy Shield Framework?
Privacy Shield was a self-certification mechanism for US-based organisations. Since Hotjar is a company registered in the EU, it was never eligible to certify under the framework and does not need to comply with it; following the CJEU ruling, the framework is no longer a valid transfer mechanism for anyone. For more information about this, please visit our EU-US Privacy Shield Framework article.
What is the General Data Protection Regulation (GDPR)?
The GDPR (General Data Protection Regulation) is a piece of EU legislation designed to strengthen and unify data protection law for all individuals within the European Union (EU). The regulation became effective and enforceable on 25 May 2018. The GDPR strengthens the privacy rights of individuals in the EU and places significantly greater obligations on organisations that handle their personal data. We have more information about the GDPR on our GDPR commitment page.
What does the GDPR regulate?
The GDPR regulates the processing of a data subject's personal data in the European Union, including its collection, storage, transfer, and use. It gives data subjects more rights and control over their data by regulating how you, as an organisation, must collect, handle, and store any personal data you gather from them.
What is personal data?
Under the GDPR, personal data is any information relating to an identified or identifiable natural person. This includes names, email addresses, and government-issued identification numbers, but also online identifiers such as IP addresses, cookie identifiers, and device IDs. Any data, or combination of data, that can be used to identify you, directly or indirectly, is personal data under the GDPR.
Who does the GDPR apply to?
The provisions of the GDPR apply to any entity that processes personal data of individuals in the European Union (EU), including tracking their online activities, regardless of whether the entity has a physical presence in the EU.
We are not based in the EU. Do we still need to comply?
Yes! If you are an entity outside the EU, you must still comply with the GDPR if you process personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour (such as tracking their online activity).
What is Hotjar's commitment to compliance with GDPR?
Hotjar has undertaken the required business and technological steps to operate in a manner compliant with GDPR. We have our GDPR commitment documented in full.
Does Hotjar have a Data Protection Officer (DPO)?
Yes - Hotjar has appointed a DPO to ensure that Hotjar processes all personal data it collects in compliance with the GDPR. You may contact Hotjar’s DPO at dpo@hotjar.com.
What controls has Hotjar put in place to help its customers use its tools and services in a GDPR compliant manner?
Hotjar was designed and built with privacy in mind. Our approach keeps end-user privacy at the center of what we do. At Hotjar we’ve developed a number of compliance controls to help our customers use Hotjar in a GDPR compliant manner.
As a Hotjar customer, what do I need to do to use Hotjar in a GDPR compliant manner?
Depending on your situation and jurisdiction, below are the measures we anticipate you will need to take as a result of using Hotjar:
Make sure your Terms of Service or Privacy Policy clearly communicate to your users how you are using Hotjar (and any other similar services) on your website or app. This requirement has always been part of Hotjar's Terms of Service, but the GDPR can heavily penalise you if you have not done this clearly. We recommend you ensure your policies are up to date and clear to your readers. We have a sample version of the wording which you can include in your Privacy Policy. Please note that this is a very generic statement and may need to be tailored to fit your particular use of our services.
If you are in the European Union, Article 28 of the GDPR requires you to have a Data Processing Agreement in place with any processor acting on your behalf, including Hotjar. We are happy to sign one. Working with outside counsel in Germany and Malta, we have updated this document to comply with the GDPR and other generally applicable privacy laws. If you have any questions about its contents, simply email legal@hotjar.com.
Is Hotjar a Data Processor and/or a Data Controller under the GDPR?
A Data Controller is the entity that determines the purposes and means of the processing of personal data. A Data Processor is the entity that processes personal data on behalf of the controller.
In your entity's relationship with Hotjar, you are the Data Controller of your end users' personal data (assuming you are capturing some) and Hotjar is the Data Processor.
With respect to your entity's own data, such as the account and billing details you give us, Hotjar is the Data Controller.
Who are Hotjar's Sub-Processors and where are they located?
We have a list of all sub-processors appointed by Hotjar.
Do you inform your customers if there is a change in Hotjar’s Sub-Processors?
If we add or replace a sub-processor, we will inform our customers in writing of the new sub-processor and the scope of the planned sub-processing ten (10) days in advance of the change.
What is Hotjar's commitment to compliance with the CCPA?
As a privacy-centric company, Hotjar is excited to see the subject of privacy get more attention. We’ve made a number of enhancements in preparation for the CCPA. Our commitment to CCPA compliance and further information about the efforts undertaken by Hotjar in this respect can be found on our CCPA commitment page.
How do I use Hotjar to be compliant with CCPA?
You can check out how our tools can be used in a manner that supports the requirements of CCPA through the following:
- Personal Information Access and Deletion Requests via Visitor Lookup
- Deleting a Hotjar Data Element
- Suppressing Text and Collected Data
- Data Retention of data collected by Hotjar
Hotjar has made many product and process enhancements in preparation for the CCPA which we’ve documented through our CCPA commitment page.
As a Hotjar customer, do I meet the basic requirements of the CCPA?
The CCPA is a large piece of legislation and covers many topics that have no direct tie to your use of Hotjar. However, there are areas of the CCPA where your customers have rights that relate to your use of Hotjar, such as the right to access and the right to delete their personal information. The articles listed above explain how Hotjar can be used in a manner that supports you in servicing those requests.
Where does Hotjar store my data?
You can learn more about this by looking at our Data Storage page.
Does Hotjar transfer any of my data outside of the European Union?
You can learn more about this by looking at our Data Storage page.