Legal / Compliance

Hotjar's commitment to GDPR

The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union.

Our commitment: Hotjar has undertaken the required business and technology steps to operate in a manner compliant with GDPR.

How is Hotjar GDPR ready?

At Hotjar, we value our customers (and their customers) rights to privacy. That’s why we took the necessary steps to ensure Hotjar was (and is) GDPR ready.

Here’s a condensed version of the steps we took to become GDPR ready:

Thoroughly research the areas of our product and our business impacted by GDPR - COMPLETE
Appoint a Data Protection Officer - COMPLETE
Rewrite our Data Protection Agreement -COMPLETE
Develop a strategy and requirements for how to address the areas of our product impacted by GDPR - COMPLETE
Perform the necessary changes/improvements to our product based on the requirements:

Suppression Controls - COMPLETE

Visitor Lookup - COMPLETE

Feedback Consent Controls - COMPLETE

Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR - COMPLETE
Finalize and communicate our full compliance - COMPLETE

Hotjar has also engaged with numerous outside attorneys on our approach. We felt this was and will be very important because the legislation is so far-reaching.

What changes did Hotjar make to prepare for the GDPR?

We took many steps across the entire company to ensure our compliance with the GDPR. We improved anonymity within our analytics tools and made changes to allow you to tailor how you request consent within our feedback tools. Hotjar, for example, automatically suppresses all user keystrokes by default.

We also worked on interfaces that allow you to address requests from your customers related to their rights for accessing any personal data that might be stored in your Hotjar account.

These changes addressed the requirements of the GDPR and mean Hotjar and our products are GDPR ready

What do we ask Hotjar Customers to do?

There are two things that future customers might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Hotjar:

Make sure your Terms of Service or Privacy Policy properly communicate to your users how you are using Hotjar (and any other similar services) on your website or app. The GDPR can heavily penalize you if you’ve not done this clearly. We recommend you ensure your policies are up to date and clear to your readers.
If you are in the European Union you’ll likely want to sign a Data Processing Agreement with Hotjar. We’re happy to do so. Working with outside counsels in Germany and Malta we’ve updated this document to be in compliance with the GDPR and other generally acceptable privacy laws.
You can review and digitally sign a copy of the Data Processing Agreement here. We will countersign it and provide you with a fully executed downloadable copy via email within 2 business days. If you have any questions about its contents simply email

What is GDPR and why is it important?

The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive.

The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

In summary, here are some of the key changes that came into effect with GDPR:

Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.

If you have any questions, please don't hesitate to contact us at legal@hotjar.com.

GDPR FAQs

The GDPR grants eight fundamental rights to data subjects. These are:

Right to be informed - Entities must be transparent in how they are using personal data and must inform data subjects of this.
Right of access - Data subjects will have the right to know what personal data is held about them and how it is processed.
Right of rectification - Where reasonably possible, data subjects will be entitled to have personal data rectified/edited if they feel that it is inaccurate or incomplete.
Right to erasure - This is also sometimes referred to as 'the right to be forgotten', Here, data subjects have the right to have their personal data permanently deleted upon their request and they do not have to provide a reason for the request.
Right to restrict processing - Data subjects have the right to block processing of their personal data.
Right to data portability - Where reasonably possible, data subjects have the right to retain and reuse their personal data for their own purpose.
Right to object - In certain circumstances, data subjects are entitled to object to their personal data being used. This includes, if personal data is used for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

A Data Controller represents the entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor is the entity which processes personal data on behalf of the controller.

In your entity’s relationship with Hotjar, you are the Data Controller of your end user’s personal data (assuming you are capturing some) and Hotjar is the Data Processor. With respect to your entity’s own data, Hotjar is the Data Controller.

If you are an entity based in the EU, or collect data from data subjects in the EU you should sign a Data Processing agreement with Hotjar. You can review and digitally sign a copy of our Data Processing Agreement here. We will countersign it and provide you with a fully executed downloadable copy via email within 2 business days. Always check with your own legal counsel before signing the agreement!

If you have any questions about its contents simply email legal@hotjar.com.

Yes - We have a sample English version and a German translated version of wording you can include in your Privacy Policy. This was developed in conjunction with a German attorney. Please note that it is a very generic statement and might need to be tailored to fit your particular use of our service. We also recommend that you work with your own counsel to make sure that it addresses any concerns your business and customers might have.

Disclaimer: We are here to help - but Hotjar does not provide legal advice. This material has been prepared for informational purposes only, and it is not intended to provide, and should not be relied on for legal or compliance advice. For specific advice on how you are to comply with the GDPR, you should consult your own legal advisor.

Hotjar's commitment to GDPR

How is Hotjar GDPR ready?

What changes did Hotjar make to prepare for the GDPR?

What do we ask Hotjar Customers to do?

What is GDPR and why is it important?

GDPR FAQs

What is the GDPR?

What does the GDPR regulate?

What rights will data subjects have under GDPR?

Who does the GDPR apply to?

We are not based in the EU. Do we still need to comply?

We're based in the UK. Do I still need to comply due to Brexit?

We don’t charge money for the services provided. Do we still need to comply with the GDPR?

What happens if we don’t comply with the GDPR?

Do we need to appoint a Data Protection Officer?

What is the difference between a Data Processor and a Data Controller?

As a Data Controller, do I have to sign a Data Processing Agreement with Hotjar?

We have a number of sites associated with our account. Do we need to sign an agreement per site?

We are an agency and we use your product for a number of our customers. Should it be us or our customers who sign the Data Processing Agreement?

We would like to inform my end users that we use Hotjar on our site. Can you provide any sample wording that we could use in our Privacy Policy?