Common questions asked regarding privacy and compliance at Hotjar. To learn more about Hotjar’s approach to privacy, take a look at Your Privacy & Hotjar.
- About Hotjar
- About your privacy and Hotjar
- About Hotjar's privacy features
- About security
- About legal matters
- Contacting us
What is/who is Hotjar?
Hotjar is behavior analytics software. It is used by website owners to gain a better understanding of how users interact with their website and to identify issues that their users are running into when browsing their website. Hotjar provides website owners with tools such as Heatmaps, Recordings, and Polls that help them to gain insight into their users’ experience on their website. This insight is used by website owners to make changes that improve the overall experience for their users. Hotjar is used on over 500,000 websites in 180+ countries. Find out more about how Hotjar works here.
Hotjar Ltd. is the name of the software company that provides Hotjar behavior analytics software. Hotjar Ltd. is a European startup headquartered on the island of Malta. Our founding team includes experts in product development, digital marketing, user experience, and conversion rate optimization.
Dr. David Darmanin, a conversion rate expert, brought the multi-disciplinary Hotjar team together in early 2014. We are now a diverse team of 100+ people working fully remotely across 25+ countries. Our vision is to give teams of all sizes the insights they need to create experiences their users love. Read our story here.
What is Hotjar's approach to privacy?
From its very first day in 2014, Hotjar was designed with the privacy of the end user in mind. We chose not to collect user IP addresses and to block our customers from introducing personal data (such as user IDs and emails) into Hotjar. However, in 2019 we decided to shift the responsibility back to where it belongs, and give our customers the ability to responsibly collect the data they need to improve their users’ experience.
In November 2019, we started rolling out Hotjar’s Identify API, which allows customers who enable it to pass information they already have about their users (such as spend, signup date, user ID, etc.) into their Hotjar account. Since safeguarding privacy is a moral and ethical priority for our team, and will always remain so, we limit usage to customers who agree to a Data Processing Agreement (DPA) before being allowed to use the Identify API. You can read more about this in our technical documentation on User Attributes.
We also have clear guidelines in place in our Acceptable Use Policy and Hotjar remains committed to maintaining the same level of user anonymization by default, honoring Do Not Track (DNT) headers, and allowing users to block Hotjar from collecting their data. You can read more about your privacy and Hotjar here.
What Personal Information has Hotjar collected about me?
This will depend on how a website owner who has installed Hotjar uses our product and its features. Each scenario is unique.
For example, a website owner using Hotjar Polls may set up a new poll and ask for Personally Identifiable Information, such as email or name, to be collected.
Hotjar is the processor of data that a website may collect about you. We store this data for the website owner to access through Hotjar’s behavior analytics software. We do not access it for our own needs and will never harvest or sell this data, ever.
As a user of a website that is using Hotjar you have the right to view and delete information collected about you. More information about our Visitor Lookup feature can be found here.
What types of Cookies does Hotjar use? What do they do?
In order to process data about your visit to a website, Hotjar stores first-party cookies on your browser. Cookies are either set by the Hotjar script, or by visiting the Hotjar website. These cookies have different purposes and also have different lifespans. More details about Hotjar and Cookies can be found here.
If you have Cookies disabled, you won’t be tracked by any website using Hotjar. Most web browsers allow some control of most cookies through the browser settings. To find out what cookies have been set and how to manage and delete them, we recommend visiting All About Cookies.
I have enabled the Do-Not-Track setting in my browser. Will this stop Hotjar processing data about me?
Yes. Hotjar respects the Do-Not-Track (DNT) headers in browsers. As a website user browsing websites that have Hotjar installed, you are able to use the Do Not Track setting in your browser to avoid Hotjar tracking any data about your visit.
Do-Not-Track is implemented through your browser, so you’ll need to check if the setting is enabled or disabled within your own browser.
We’ve created a page on how to enable Do-Not-Track, which provides instructions on how to check. This is currently available in English and German.
Does Hotjar harvest/sell data?
Hotjar does not sell, has not sold, and will never sell personal data to anyone at any time.
Hotjar considers data protection and privacy to be of paramount importance. We never sell personal data and we carry out all processing operations in strict compliance with the EU General Data Protection Regulation (“GDPR”) (specifically but not limited to Article 6(1)(b) to (f) and Article 28) as well as the Laws of Malta, where Hotjar is incorporated, and other applicable global privacy and data protection laws such as the California Consumer Privacy Act (“CCPA”) (collectively, the “Applicable Law”).
Do you mine or access my data for profiling or advertising?
Absolutely not. This isn't our business, it's not our data and we have no right to do any of these activities.
Website owners use our software to process data about your visit and we as Hotjar store this data for them to access. We will never access this data or use it for any reason.
My users are requesting access to data processed about them. How can I get them this data? Can it be deleted?
Using the Visitor Lookup tool you can look up and delete users that have had their data collected. Once the user’s email is submitted, a report will be generated of all the data you have collected on them. More information on this report can be found in Understanding Visitor Lookup Results.
By default, Hotjar works with anonymized user IDs when tracking your website visitors. It’s therefore important to keep in mind that a user will only have results shown in the Visitor Lookup tool if they have previously included their email in a Feedback response.
How long does Hotjar retain data?
Recordings, Funnels, and Forms data in Hotjar is kept for 365 days from the date of capture. Heatmap data is retained for 365 days from the date of creation. Responses gathered from Feedback tools are stored indefinitely until the account owner decides to delete them.
How do I process sensitive data safely with Hotjar?
At Hotjar, we believe in our customers’ (and their customers’) rights to privacy. We include features on every plan level that allow you to process sensitive data without putting your customer data at risk. Features range from text and image suppression, to easily being able to look up the data you collected on a user to delete information that is requested to be removed.
For more detail, see our full guide to Processing Personal Data in Hotjar.
How do I prevent sensitive data from being processed in Hotjar?
Hotjar has four types of suppression: on-page text, specific element, location, or all content suppression.
On-Page text suppression converts text, email addresses, or numbers present within the HTML of a page to a random number of asterisks (***) or 1s (111111). It can be enabled by clicking a checkbox in site settings in the Hotjar dashboard. By default, Hotjar will suppress a sequence of numbers, like a credit card number or phone number, without turning on numeric text suppression.
Specific element suppression requires additional HTML to be pasted to your site’s code in order to “hide” information from Hotjar. A step by step guide can be found in How to Suppress Specific Elements.
Location suppression hides any information about the user’s country/location in collected Hotjar data when enabled.
Hiding all on-page content is an option as well, easily enabled from within your site settings. This will not only suppress on-page text, but will also hide images.
For a full guide on suppressing collected data, head to How to Suppress Information from Data.
How do I make sure I am compliant with Hotjar’s Acceptable Use Policy?
Hotjar is designed to empower you and your team to build a better experience for your site users and customers, while ensuring their rights to privacy are respected.
Because of this, all data collected and processed with Hotjar must solely be used by the site or app owner and not shared with third parties, unless explicit consent has been received from all data parties. This includes but is not limited to:
- Selling or sharing the data with third parties
- Marketing automation
- Re-targeted advertising
For more detail, have a read of our full Acceptable Use Policy here.
Where does Hotjar store my end-user data?
End-user data is stored with Amazon Web Services in the eu-west-1 datacenter located in Ireland (European Union). Your data will not leave the European Union.
More detail on this can be found over in Security.
How does Hotjar protect my data?
Hotjar has implemented a number of technical and organizational controls that help protect the confidentiality, integrity, and availability of customer data.
More detail on this can be found over in Security.
Does Hotjar support Content Security Policies?
In order for Hotjar to function with your current Content Security Policy, you’ll need to add additional directives to your policy. Details of this can be found on our Content Security Policy help page. We have outlined our minimum requirements, and have also suggested some additional steps that can be taken to provide greater security granularity.
Does Hotjar own my data?
Short answer: no.
Hotjar Ltd is the processor of data that is collected through Hotjar. We are not the owners of this data. The data collected is owned by you as a Hotjar customer who manages the website where it was gathered. The data collected is hosted in datacenters by a third party, Amazon Web Services (AWS). They do not access or use the content for any purpose other than as legally required and for maintaining the AWS services.
What steps do I need to take to use Hotjar in a legally compliant manner?
Depending on your situation and jurisdiction, below are the measures which we can foresee you needing to take as a result of using Hotjar:
If you are in the European Union, you’ll likely want to sign a Data Processing Agreement with Hotjar. We’re happy to do so. Working with outside counsel in Germany and Malta, we’ve updated this document to be in compliance with the GDPR and other generally acceptable privacy laws. If you have any questions about its contents, email firstname.lastname@example.org.
What is Hotjar's commitment to compliance with GDPR?
Hotjar has undertaken the required business and technological steps to operate in a manner compliant with GDPR. For more information take a look at our documentation on our GDPR commitment page.
What is Hotjar's commitment to compliance with the CCPA?
As a privacy-centric company, at Hotjar we’re excited to see the subject of privacy get more attention. We’ve made a number of enhancements in preparation for the CCPA. Our commitment to CCPA compliance and further information about the efforts undertaken by Hotjar in this respect can be found on our CCPA commitment page.
I have a question that you haven’t answered here. How do I get in touch?
We’re here to help! Reach out to us here.
My organization has compliance requirements - how can I best reach you to discuss these?
If you’d like to make a request relating to your specific or custom compliance requirements, reach out to us here.