Legal / Policies
Date: 3 May 2023
Version number: 7
We will NEVER sell Your Personal Data to Third Parties.
We have also included a section on the processing of Personal Data sent to Hotjar from visitors to a Hotjar Enabled Site.
Information about Hotjar
Hotjar is a company headquartered in the European Union (EU) that provides Software as a Service (SaaS). Hotjar is a digital experience insights platform that provides visual behaviour insights, in-the-moment feedback, and 1:1 interviews, all in one place.
Personal Data Collected by Hotjar
The Personal Data We collect depends on whether the individual is:
A visitor to the Hotjar Site
A Customer or user (the “User”) of the Hotjar Platform
A Tester who signed up on the Hotjar Platform
Personal Data collected from a visitor of the Hotjar Site
This section applies to Personal Data Hotjar collects from visitors to the Hotjar Site (hotjar.com) or any of Our sub-sites or sub-domains (e.g. help.hotjar.com, etc.).
When someone visits the Hotjar Site, We may temporarily store the name of their internet service provider, IP address, the website they visited Us from, the parts of Our Site they visit, the date and duration of the visit, and information from the device (e.g. device type, operating system, screen resolution, language, country you are located in, and web browser type) used during their visit or other similar information that helps Us understand your behaviour on our Site. We process this usage data to facilitate access to Our Site (e.g. to adjust Our Site to the devices that are used). We may use this data to analyze, develop, improve, secure or optimize the use, function and performance of Our Sites, or to make sure We are reaching out to the right audience. Wherever possible, we will use usage data in an aggregated and/or anonymized form. Depending on the context, the legal basis for this data processing is Article 6(1)(a) and Article 6(1)(f) GDPR.
operate Our Site;
provide visitors to Our Site with a better experience by providing Us with insights on how visitors use Our Site; and
for marketing purposes, as detailed below.
For more info about the cookies We make use of, please visit Our Cookie Information page.
Visitors to Our Site have the opportunity to contact Us to ask Us questions, for example via a contact form, where We ask for contact information (e.g. name, email address etc.). We use this data solely in connection with answering the queries We receive.
If a visitor to Our Site receives emails from Us, We may use certain analytics tools, to capture data such as when the email is opened or when any links or banners in the email have been clicked. This data helps Us understand the effectiveness of Our communications and marketing campaigns.
The legal basis for this processing is Article 6(1)(f) GDPR.
Personal Data collected from Hotjar’s Customers, Users and Testers
This section applies to Personal Data Hotjar collects from its Customers, Users and Testers when making use of Hotjar’s Platform.
When someone signs up for an account with Hotjar, contacts Our customer support for assistance, or subscribes to Our content or special offers, We may ask for additional Personal Data such as their name, email address and additional details about them or the organization they represent.
We will solely process this Personal Data to provide Our Platform in accordance with Article 6(1)(b) GDPR. If you are a User of Our Platform on behalf of a Hotjar Customer that has concluded this Agreement with Hotjar, the legal basis for Hotjar to process your Personal Data is Article 6(1)(f) GDPR. Please refer to Our Terms of Service for further details on signing up and using Our Platfor.
We temporarily store IP addresses of Customers, Users and Testers of Our Platform for associated performance metrics (i.e. data related to how well Our Platform performs) and to monitor and track application errors. We will never access these IP addresses without any operational or security need. We automatically delete these IP addresses within thirty (30) calendar days.The legal basis for this data processing is Article 6(1)(f) GDPR. We may use technical data (such as keypresses, timestamps, etc.) collected through the Platform to analyze, develop, improve or optimize the use, function and performance of Our Site, or to make sure we are reaching out to the right audience. Wherever possible, we will use usage data in an aggregated or anonymized form.
A Customer may delete their Hotjar account at any time. Users and Testers may delete their respective accounts through their account settings. After account deletion, We may retain Personal Data (in part or in whole) associated with the Customer, User or Tester to meet any regulatory and reporting requirements for the timeframes stipulated by law and to be able to address customer service issues. Any other Personal Data We were processing relating to Our Customer, Tester and/or Users of that Hotjar account will be deleted permanently within thirty (30) calendar days. This does not apply to any Personal Data collected as part of Customer research within the Engage Product. To maintian the quality of the research data, any research-related Personal Data may need to be kept for a reasonably required time.
We may use Personal Data and other Data about Our Customers, Users and/or Testers (including but not limited to demographic information, location information, information about the computer or device from which they access Our Platform) to create, wherever possible, anonymized and aggregated information and analytics. The legal basis for this data processing is Article 6(1)(f) GDPR.
The information We collect from Our Customers, Users and/or Testers is disclosed only in accordance with the Agreement and the Applicable Law.
Personal Data collected from Engage Product Testers
THIS SECTION APPLIES ONLY TO THE REGISTERED TESTERS OF OUR ENGAGE PRODUCT
When a Tester signs up to the Engage Product, we will ask them to share some Personal Data with Us to create a Tester profile. The Tester profile information will be revealed to Hotjar and Our Customers, who may invite you to usability study interviews ("Interviews"). The Engage Product has been built to connect Testers with the best-matched Customers for their Interviews. Better matches means happier Customers and more payouts for Testers. We analyse the data Testers provide Us with, along with the information about the Tester’s use of Our Platform, to suggest a good Interview match.
We collect and process Tester Personal Data to allow Testers to participate in Customer research, as well as for database management, managing contacts and sending messages, analytics, managing Our hosting and backend infrastructure, paying Testers for their service, Tester registration and authentication and displaying content from external platforms.
The data categories we will ask Testers to provide in order to build the Tester profile may include but are not limited to, name, age, country of residence, educational background, profession, marital status, phone number and other registration information. This information allows us to effectively match Testers with the right Customers. Testers may also optionally upload an avatar or enter their gender, but can remove this at any time. If a Tester deletes their account, their profile data will be removed too. Depending on the context, the legal basis for this data processing is Article 6(1)(b) GDPR and Article 6(1)(f) GDPR.
We will also collect information that relates to how Testers use Our Platform. The categories of Personal Data relating to this include but are not limited to timezone, broad location (town or district), web browser, operating system and the device used, referral sources, email engagement data, data on how you use the Engage Product (including last login date and frequency) and account signup date. This information allows Us to personalize the Engage Product to Testers’ needs and to improve Our Engage Product. We do not collect precise, real-time information about the location of a Tester’s device. We delete (or anonymize) such Tester Personal Data as soon as you cancel your account. The legal basis for this data processing is Article 6(1)(f) GDPR.
On an entirely voluntary basis, Testers may choose to connect their social media account with their Tester profile. This will grant Us read-only access to their social media account and we will store their social media account ID, along with a secure 'access key' that these social media companies provide to Us. If Tester grants Us access, we may also process their email address that is associated with the social media account, name, profile picture, gender and age range, which we may use to enhance Tester profile data on the Engage Product. We use social media account data as a 'quality signal' to confirm that the Engage Product account belongs to a real person and therefore, sharing of social account data may affect the number of Interview invitations a Tester receives. We will never post content to a Tester’s social profile without their permission and we will never request or access their private messages on these accounts. Testers can choose to disconnect their social media accounts at any time, which will prevent Us from being able to access them. Social media account data will also be deleted if you choose to delete your Hotjar account. The legal basis for this data processing is Article 6(1)(a) GDPR.
In order to be able to remunerate Our Testers we will process payment related information that Testers share with Us such as PayPal email address, residential address, etc.. We may also need to keep a history of payments made to Testers. This is needed to comply with accounting and legal rules. This data may be kept up to seven (7) years. The legal basis for this data processing is Article 6(1)(b) GDPR.
Hotjar’s use of Personal Data
Access and Disclosure to Third Parties
We use a select number of trusted external service providers for certain technical data analysis, processing and/or storage offerings (e.g., IT and related services). These Third Party service providers are carefully selected and meet high data protection and security standards. We only share data with them that is required for the services offered and We contractually bind them to keep any information We share with them as confidential and to process Personal Data only according to Our instructions. The legal basis for such processing would be Article 6(1)(f) GDPR.
In addition to services providers, other categories of Third Parties may include:
Vendors/public institutions. To the extent that this is necessary in order to make use of certain services requiring special expertise (such as legal, accounting or auditing services) We may share Personal Data with vendors of such services or public institutions that offer them (e.g. courts). The legal basis of this data processing is Article 6(1)(f) GDPR.
Disclosure in the Event of Merger, Sale, or Other Asset Transfers. If We are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then Data may be sold or transferred as part of such a transaction, as permitted by law and/or contract. The legal basis for such processing would be Article 6(1)(f) GDPR.
Other than the cases mentioned above, We will only transfer Personal Data to Third Parties without express consent in accordance with Article 6(1)(a) GDPR or if We are obliged to do so by statutory law or by instruction from a public authority or court as outlined in Our Terms of Service.
We may occasionally send notification emails about updates to Our product, legal documents, customer support or for marketing purposes. To the extent required by Applicable Law, We will only send such messages if We have obtained consent in accordance with Article 6(1)(a) GDPR. In all other cases, the legal basis of this data processing is Article 6(1)(f) GDPR.
Except for cases where We are required to do so by law (e.g. notification of a data breach, providing you with important information about your account, updating our legal documents, etc.), recipients of Our communication shall have the opportunity to unsubscribe from receiving these messages free of charge. We process requests to be placed on do-not-contact lists as required by Applicable Law.
We use Personal Data given to Us by Hotjar’s Customers, Users, Testers and/or visitors to Our Site to target advertisements to:
Hotjar’s Customers, Users, Testers and/or visitors to Our Site to keep them informed about Hotjar and any product changes we make; and
Potential new Customers or Testers that appear to have shared interests or similar demographics.
The legal basis of this data processing is Article 6(1)(f) GDPR.
We do this by sharing Personal Data with Third Party marketing platforms that have high privacy and confidentiality standards and which have gone through a legal and security review by Hotjar. This ensures that these Third Parties cannot do anything with the Personal Data We provide them other than use it for the express purpose of providing Us with the marketing services We contract them for.
This Personal Data is only shared with these Third Parties through secure and encrypted means. If you wish to opt out of this processing activity, please contact Us at email@example.com with the subject line “Opt-Out of Marketing”.
Compliance and Protection
We may use Personal Data to (legal basis for the respective processing in parentheses):
protect Our, Our Customers’/Users’, Testers’, visitors’ to Our Site or Third Parties’ rights, privacy, safety or property including by making and defending legal claims (Article 6(1)(b), (c) or (f) GDPR);
audit Our internal processes for compliance with legal and contractual requirements and internal policies (Article 6(1)(f) GDPR);
enforce Our Terms of Service (Article 6(1)(b) or (f) GDPR);
protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft (Article 6(1)(f) GDPR); and
comply with the Applicable Law, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities (Article 6(1)(c) or (f) GDPR).
Hotjar reserves the right to use and retain Data in a de-identified and/or aggregated form to improve Our Site and/or Platform and for statistical and benchmarking purposes, including enabling comparisons within the same industry to enhance the insights collected through Our Site and Platform. Benchmarks look at all collected metrics and compare them to others of the same nature. These de-identified and/or aggregated benchmarks may be published and shared publicly within Our Platform or in the form of other content We publish which may show a summary of results for a certain category or question type.
No Data which can individually identify Our Customers, or their end-users, Our Users or Our Testers will ever be shown in this statistical or benchmark data.
The legal basis for aggregating/anonymizing this Personal Data is Article 6(1)(f) GDPR.
Intra-group sharing of User and visitor Data
Hotjar is part of the Content Square SAS group (“Contentsquare”) which is headquartered in Paris, France. In the course of our normal operations, Hotjar may share Data (e.g. name and contact details, etc.) of Users of Hotjar accounts, Testers, and visitors of Our Site (hotjar.com) with Contentsquare.
The purpose of sharing this Data is to pursue synergies in sales and marketing, which is in both Hotjar’s and Contentsquare’s legitimate commercial interests. The legal basis of this Data processing is Article 6(1)(f) GDPR. No Data which can individually identify end-users of a Hotjar Enabled Site will be shared with Contentsquare.
Other Purposes with Your Consent
In some cases, We may ask you for consent to collect, use or share Personal Data for other purposes. For example, We may ask you for consent to send marketing emails where required by law or to post testimonials or endorsements. In such cases, there will always be the ability to deny or revoke consent if desired. The legal basis for the data processing is under Article 6(1)(a) GDPR.
Duration of Processing
International Transfers of Personal Data
In most cases, Personal Data We collect is stored in the EU. However, in some limited cases, customer information may be accessed from, or other Personal Data (e.g., email, etc.) may be transferred outside of the EU. These countries may have different data protection laws. Hotjar endeavors to ensure appropriate safeguards are in place requiring that Personal Data will remain protected. Hotjar has concluded Standard Contractual Clauses with entities who We share Personal Data with outside of the EU. Further details about this can be found in Our article on Data Storage.
Hotjar’s Platform is not directed to children under 13 (or other age as required by local law), and We do not knowingly collect Personal Data from children. If you learn that your child has provided Us with Personal Data without your consent, you may contact Us at firstname.lastname@example.org. If We learn that We have collected a child’s Personal Data in violation of Applicable Law, We will promptly take steps to investigate this, delete such information and, if applicable, terminate the child’s account. We will also make sure to have preventive measures in place for this not to happen again in the future.
Rights over Personal Data
If you are a visitor to Our Site or a Customer, User and/or Tester of Our Platform and We have collected Personal Data about you, you have a right to access and to be informed about what Personal Data is processed by Hotjar, a right to rectification/correction, erasure/anonymization and restriction of processing (subject to certain exceptions and other requirements prescribed by law). You also have the right to receive from Hotjar a structured, common and machine-readable format of Personal Data you provided Us.
When you have provided consent, you may withdraw it at any time, without affecting the lawfulness of the processing that was carried out prior to withdrawing it. Whenever you withdraw consent, you acknowledge and accept that this may have a negative influence on the quality of Our Site and/or Platform. Please be aware that when you withdraw consent, We may delete the Personal Data previously processed on the basis of your consent and will not be allowed to keep it further which will mean that it cannot be accessed, downloaded or otherwise secured by you.
In addition, you have the right to lodge a complaint with your respective data protection authority.
To protect your privacy, We take steps to verify your identity before fulfilling your request. We can only identify you via your email address and we can only adhere to your request and provide information if We have Personal Data about you through you having made contact with Us directly and/or you are using Our Site and/or Platform.
To protect your privacy, We will take steps to verify your identity before fulfilling any consumer request under the Applicable Law. When you make a request, We will ask you to provide sufficient information that allows Us to reasonably verify you are the person We collected Personal Data about or an authorized representative, which may include your email address.
If You are located in California…
This section only applies to Our processing of Personal Data as a “business” under the California Consumer Privacy Act (CCPA).
The CCPA provides California residents with the right to know what Categories of Personal Data Hotjar has collected about them and whether Hotjar disclosed that Personal Data for a business purpose (e.g. to a service provider) in the preceding twelve (12) months.
If you are a California resident and would like to exercise any of your rights under the CCPA, please contact Us at email@example.com. We will process your request in accordance with the Applicable Laws.
Sales of Personal Information Under the CCPA. For purposes of the CCPA, Hotjar does not “sell” Personal Data, nor do We have actual knowledge of any “sale” of Personal Data of minors under 16 years of age.
Non-Discrimination. California residents will have the right to exercise the rights conferred to them by the CCPA.
Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request under the CCPA. If applicable, you may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact Us at firstname.lastname@example.org.
If You are located in Brazil…
This section only applies to Our processing of Personal Data under the Brazilian Lei Geral de Proteção de Dados (LGPD).
In addition to the rights described above, you also have the right to:
access your Personal Data processed by Hotjar;
unless restricted by law, request information about the public and private entities with which We have shared your Personal Data;
oppose to the processing carried out; and/or
receive information about the possibility of not providing your consent and the consequences of such denial.
If you are a Brazilian resident or were in Brazil when your Personal Data was collected and would like to exercise any of your rights under the LGPD, please contact Us at email@example.com. We will process your request in accordance with the Applicable Laws.
Personal Data collected from a visitor of a Hotjar Enabled Site
This section applies to Personal Data sent to Hotjar from Our Customers about visitors to their site using Our Platform (i.e. a Hotjar Enabled Site).
If you are a visitor to a Hotjar Enabled Site, Hotjar may temporarily process your IP address so that We can ensure Our service is running smoothly and improve the quality of Our Platform. Any IP addresses We process are used exclusively for associated performance metrics (i.e. data related to how well Our Platform performs on the Hotjar Enable Site) and to monitor and track application errors. For this purpose, We may temporarily store your IP address with Hotjar’s Sub-Processors which are subject to strict obligations of confidentiality and will process it only according to Our instructions. We will never access these IP addresses without any operational or security need. We automatically delete any IP addresses We process or store within thirty (30) calendar days. The legal basis for this data processing is Article 6(1)(f) GDPR.
Some Hotjar Customers may have the ability to integrate Data they have collected through Our Platform with other end-user data they have in their possession (e.g. their customer information).
Depending on the web browser you use, it might be possible for you to disallow Hotjar from collecting Data when visiting a Hotjar Enabled Site. To discover if your web browser offers this functionality visit Our Do Not Track page.
Please note that We cannot respond to any requests from end-users of Hotjar Enabled Sites related to their Personal Data, including requests to provide, rectify or delete any end-user Personal Data. Any requests from end users of Hotjar Enabled Sites related to Customer Personal Data should be sent to the relevant Hotjar Customer.
Version 6.2 (compare markup changes between version 6.2 and 7)