Privacy Policy

Date: 17 January 2024

Version number: 7.1

We will NEVER sell Your Personal Data to Third Parties. 

Hotjar will only share or disclose Personal Data as described in this Privacy Policy. 

This Privacy Policy applies to Personal Data processed by Hotjar Ltd. (“Hotjar”, “We”, “Us” and “Our”) when You visit www.hotjar.com in addition to any sub-pages that are integrated within it (the “Site”); and/or make use of Hotjar’s Platform. 

This Privacy Policy explains what Personal Data We collect through Our Site and Platform, how and why We collect it, how We use and disclose the Personal Data We collect and information on how to exercise privacy rights over this Personal Data.

We have also included a section on the processing of Personal Data sent to Hotjar from visitors to a Hotjar Enabled Site. 

We may revise this Privacy Policy from time to time but We will never do so in a manner that compromises Our commitment to respect the privacy of individuals. The most current version of this Privacy Policy governs Our practices for collecting, processing and disclosing Personal Data. We will provide notice via email to Our Customers and on this page of any material modifications to this Privacy Policy. Continued use of Our Site and/or Platform following the effective date of any modifications will constitute acceptance of the modified Agreement (this includes Our Terms of Service, Data Processing Agreement, Acceptable Use Policy and this Privacy Policy).

All capitalized terms in this Privacy Policy shall have the same meaning as defined in the Terms of Service and in the Applicable Law.

Information about Hotjar 

Hotjar is a company headquartered in the European Union (EU) that provides Software as a Service (SaaS). Hotjar is a digital experience insights platform that provides visual behaviour insights, in-the-moment feedback, and 1:1 interviews, all in one place.

Personal Data Collected by Hotjar

The Personal Data We collect depends on whether the individual is:

  1. A visitor to the Hotjar Site

  2. A Customer or user (the “User”) of the Hotjar Platform  

  3. A Tester who signed up on the Hotjar Platform

Personal Data collected from a visitor of the Hotjar Site 

This section applies to Personal Data Hotjar collects from visitors to the Hotjar Site (hotjar.com) or any of Our sub-sites or sub-domains (e.g. help.hotjar.com, etc.). 

Any Personal Data provided by a visitor to Our Site will be used only as described in this Privacy Policy and Hotjar’s Acceptable Use Policy.

Usage Data

When someone visits the Hotjar Site, We may temporarily store the name of their internet service provider, IP address, the website they visited Us from, the parts of Our Site they visit, the date and duration of the visit, and information from the device (e.g. device type, operating system, screen resolution, language, country you are located in, and web browser type) used during their visit or other similar information that helps Us understand your behaviour on our Site. We process this usage data to facilitate access to Our Site (e.g. to adjust Our Site to the devices that are used). We may use this data to analyze, develop, improve, secure or optimize the use, function and performance of Our Sites, or to make sure We are reaching out to the right audience. Wherever possible, we will use usage data in an aggregated and/or anonymized form. Depending on the context, the legal basis for this data processing is Article 6(1)(a) and Article 6(1)(f) GDPR. 

Cookies

Cookies are small data files transferred onto computers or devices. Hotjar uses cookies to process information including standard internet log information and details of the visitor’s behavioral patterns upon visiting Our Site. This is done to:

  • operate Our Site;

  • provide visitors to Our Site with a better experience by providing Us with insights on how visitors use Our Site; and 

  • for marketing purposes, as detailed below.

For more info about the cookies We make use of, please visit Our Cookie Information page.

Contacting Us

Visitors to Our Site have the opportunity to contact Us to ask Us questions, for example via a contact form, where We ask for contact information (e.g. name, email address etc.). We use this data solely in connection with answering the queries We receive. 

If a visitor to Our Site receives emails from Us, We may use certain analytics tools to capture data such as when the email is opened or when any links or banners in the email have been clicked. This data helps Us understand the effectiveness of Our communications and marketing campaigns.

The legal basis for this processing is Article 6(1)(f) GDPR.

Personal Data collected from Hotjar’s Customers, Users and Testers

This section applies to Personal Data Hotjar collects from its Customers, Users and Testers when making use of Hotjar’s Platform. 

When someone signs up for an account with Hotjar, contacts Our customer support for assistance, or subscribes to Our content or special offers, We may ask for additional Personal Data such as their name, email address and additional details about them or the organization they represent. 

We will solely process this Personal Data to provide Our Platform in accordance with Article 6(1)(b) GDPR. If you are a User of Our Platform on behalf of a Hotjar Customer that has concluded this Agreement with Hotjar, the legal basis for Hotjar to process your Personal Data is Article 6(1)(f) GDPR. Please refer to Our Terms of Service for further details on signing up and using Our Platform.

We temporarily store IP addresses of Customers, Users and Testers of Our Platform for associated performance metrics (i.e. data related to how well Our Platform performs) and to monitor and track application errors. We will never access these IP addresses without any operational or security need. We automatically delete these IP addresses within thirty (30) calendar days. The legal basis for this data processing is Article 6(1)(f) GDPR. We may use technical data (such as keypresses, timestamps, etc.) collected through the Platform to analyze, develop, improve or optimize the use, function and performance of Our Site, or to make sure we are reaching out to the right audience. Wherever possible, we will use usage data in an aggregated or anonymized form.

A Customer may delete their Hotjar account at any time. Users and Testers may delete their respective accounts through their account settings. After account deletion, We may retain Personal Data (in part or in whole) associated with the Customer, User or Tester to meet any regulatory and reporting requirements for the timeframes stipulated by law and to be able to address customer service issues. Any other Personal Data We were processing relating to Our Customer, Tester and/or Users of that Hotjar account will be deleted permanently within thirty (30) calendar days. This does not apply to any Personal Data collected as part of Customer research within the Engage Product. To maintain the quality of the research data, any research-related Personal Data may need to be kept for a reasonably required time.

We may use Personal Data and other Data about Our Customers, Users and/or Testers (including but not limited to demographic information, location information, information about the computer or device from which they access Our Platform) to create, wherever possible, anonymized and aggregated information and analytics. The legal basis for this data processing is Article 6(1)(f) GDPR.

The information We collect from Our Customers, Users and/or Testers is disclosed only in accordance with the Agreement and the Applicable Law.

Personal Data collected from Engage Product Testers

THIS SECTION APPLIES ONLY TO THE REGISTERED TESTERS OF OUR ENGAGE PRODUCT

When a Tester signs up to the Engage Product, we will ask them to share some Personal Data with Us to create a Tester profile. The Tester profile information will be revealed to Hotjar and Our Customers, who may invite you to usability study interviews ("Interviews"). The Engage Product has been built to connect Testers with the best-matched Customers for their Interviews. Better matches mean happier Customers and more payouts for Testers. We analyse the data Testers provide Us with, along with the information about the Tester’s use of Our Platform, to suggest a good Interview match.

We collect and process Tester Personal Data to allow Testers to participate in Customer research, as well as for database management, managing contacts and sending messages, analytics, managing Our hosting and backend infrastructure, paying Testers for their service, Tester registration and authentication and displaying content from external platforms. 

The data categories we will ask Testers to provide in order to build the Tester profile may include but are not limited to, name, age, country of residence, educational background, profession, marital status, phone number and other registration information. This information allows us to effectively match Testers with the right Customers. Testers may also optionally upload an avatar or enter their gender, but can remove this at any time. If a Tester deletes their account, their profile data will be removed too. Depending on the context, the legal basis for this data processing is Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. 

We will also collect information that relates to how Testers use Our Platform. The categories of Personal Data relating to this include but are not limited to timezone, broad location (town or district), web browser, operating system and the device used, referral sources, email engagement data, data on how you use the Engage Product (including last login date and frequency) and account signup date. This information allows Us to personalize the Engage Product to Testers’ needs and to improve Our Engage Product. We do not collect precise, real-time information about the location of a Tester’s device. We delete (or anonymize) such Tester Personal Data as soon as you cancel your account. The legal basis for this data processing is Article 6(1)(f) GDPR. 

On an entirely voluntary basis, Testers may choose to connect their social media account with their Tester profile. This will grant Us read-only access to their social media account and we will store their social media account ID, along with a secure 'access key' that these social media companies provide to Us. If a Tester grants Us access, we may also process their email address that is associated with the social media account, name, profile picture, gender and age range, which we may use to enhance Tester profile data on the Engage Product. We use social media account data as a 'quality signal' to confirm that the Engage Product account belongs to a real person and therefore, sharing of social account data may affect the number of Interview invitations a Tester receives. We will never post content to a Tester’s social profile without their permission and we will never request or access their private messages on these accounts. Testers can choose to disconnect their social media accounts at any time, which will prevent Us from being able to access them. Social media account data will also be deleted if you choose to delete your Hotjar account. The legal basis for this data processing is Article 6(1)(a) GDPR.

In order to be able to remunerate Our Testers, we will process payment related information that Testers share with Us such as PayPal email address, residential address, etc. We may also need to keep a history of payments made to Testers. This is needed to comply with accounting and legal rules. This data may be kept up to seven (7) years. The legal basis for this data processing is Article 6(1)(b) GDPR.

Hotjar’s use of Personal Data

Access and Disclosure to Third Parties 

We use a select number of trusted external service providers for certain technical data analysis, processing and/or storage offerings (e.g., IT and related services). These Third Party service providers are carefully selected and meet high data protection and security standards. We only share data with them that is required for the services offered and We contractually bind them to keep any information We share with them as confidential and to process Personal Data only according to Our instructions. The legal basis for such processing would be Article 6(1)(f) GDPR.

In addition to service providers, other categories of Third Parties may include:

  • Vendors/public institutions. To the extent that this is necessary in order to make use of certain services requiring special expertise (such as legal, accounting or auditing services) We may share Personal Data with vendors of such services or public institutions that offer them (e.g. courts). The legal basis of this data processing is Article 6(1)(f) GDPR.

  • Disclosure in the Event of Merger, Sale, or Other Asset Transfers. If We are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then Data may be sold or transferred as part of such a transaction, as permitted by law and/or contract. The legal basis for such processing would be Article 6(1)(f) GDPR.

Other than the cases mentioned above, We will only transfer Personal Data to Third Parties without express consent in accordance with Article 6(1)(a) GDPR or if We are obliged to do so by statutory law or by instruction from a public authority or court as outlined in Our Terms of Service.

Communication Purposes 

We may occasionally send notification emails about updates to Our product, legal documents, customer support or for marketing purposes. To the extent required by Applicable Law, We will only send such messages if We have obtained consent in accordance with Article 6(1)(a) GDPR. In all other cases, the legal basis of this data processing is Article 6(1)(f) GDPR. 

Except for cases where We are required to do so by law (e.g. notification of a data breach, providing you with important information about your account, updating our legal documents, etc.), recipients of Our communication shall have the opportunity to unsubscribe from receiving these messages free of charge. We process requests to be placed on do-not-contact lists as required by Applicable Law.

Marketing Purposes 

We use Personal Data given to Us by Hotjar’s Customers, Users, Testers and/or visitors to Our Site to target advertisements to:

  • Hotjar’s Customers, Users, Testers and/or visitors to Our Site to keep them informed about Hotjar and any product changes we make; and

  • Potential new Customers or Testers that appear to have shared interests or similar demographics. 

The legal basis of this data processing is Article 6(1)(f) GDPR.

We do this by sharing Personal Data with Third Party marketing platforms that have high privacy and confidentiality standards and which have gone through a legal and security review by Hotjar. This ensures that these Third Parties cannot do anything with the Personal Data We provide them other than use it for the express purpose of providing Us with the marketing services We contract them for.

This Personal Data is only shared with these Third Parties through secure and encrypted means. If you wish to opt out of this processing activity, please contact Us at dpo@hotjar.com with the subject line “Opt-Out of Marketing”.

Compliance and Protection

We may use Personal Data to (legal basis for the respective processing in parentheses):

  • protect Our, Our Customers’/Users’, Testers’, visitors’ to Our Site or Third Parties’ rights, privacy, safety or property including by making and defending legal claims (Article 6(1)(b), (c) or (f) GDPR);

  • audit Our internal processes for compliance with legal and contractual requirements and internal policies (Article 6(1)(f) GDPR);

  • enforce Our Terms of Service (Article 6(1)(b) or (f) GDPR);

  • protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft (Article 6(1)(f) GDPR); and

  • comply with the Applicable Law, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities (Article 6(1)(c) or (f) GDPR).

Benchmarking 

Hotjar reserves the right to use and retain Data in a de-identified and/or aggregated form to improve Our Site and/or Platform and for statistical and benchmarking purposes, including enabling comparisons within the same industry to enhance the insights collected through Our Site and Platform. Benchmarks look at all collected metrics and compare them to others of the same nature. These de-identified and/or aggregated benchmarks may be published and shared publicly within Our Platform or in the form of other content We publish which may show a summary of results for a certain category or question type. 

No Data which can individually identify Our Customers, or their end-users, Our Users or Our Testers will ever be shown in this statistical or benchmark data. 

The legal basis for aggregating/anonymizing this Personal Data is Article 6(1)(f) GDPR.

Intra-group sharing of User and visitor Data

Hotjar is part of the Content Square SAS group (“Contentsquare”) which is headquartered in Paris, France. In the course of our normal operations, Hotjar may share Data (e.g. name and contact details, etc.) of Users of Hotjar accounts, Testers, and visitors of Our Site (hotjar.com) with Contentsquare. 

The purpose of sharing this Data is to pursue synergies in sales and marketing, which is in both Hotjar’s and Contentsquare’s legitimate commercial interests. The legal basis of this Data processing is Article 6(1)(f) GDPR. Hotjar and Contentsquare are jointly responsible for these processing activities (so-called joint controllership). If you would like more information in this regard or would like to exercise your rights as described in this Privacy Policy, please contact Us at dpo@hotjar.com. 

Other Purposes with Your Consent 

In some cases, We may ask you for consent to collect, use or share Personal Data for other purposes. For example, We may ask you for consent to send marketing emails where required by law or to post testimonials or endorsements. In such cases, there will always be the ability to deny or revoke consent if desired. The legal basis for the data processing is under Article 6(1)(a) GDPR. 

Duration of Processing

Unless a different timeframe has been specifically stated in this Privacy Policy or in Our Pricing Page, Personal Data will be retained for as long as is necessary for the purpose(s) for which We originally collected it or to provide Our Platform, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, and enforce Our Agreement. We may also retain information as required by Applicable Law.

International Transfers of Personal Data

In most cases, Personal Data We collect is stored in the EU. However, in some limited cases, customer information may be accessed from, or other Personal Data (e.g., email, etc.) may be transferred outside of the EU. These countries may have different data protection laws. Hotjar endeavors to ensure appropriate safeguards are in place requiring that Personal Data will remain protected. Hotjar has concluded Standard Contractual Clauses with entities who We share Personal Data with outside of the EU. Further details about this can be found in Our article on Data Storage.

Children’s Information

Hotjar’s Platform is not directed to children under 13 (or other age as required by local law), and We do not knowingly collect Personal Data from children. If you learn that your child has provided Us with Personal Data without your consent, you may contact Us at dpo@hotjar.com. If We learn that We have collected a child’s Personal Data in violation of Applicable Law, We will promptly take steps to investigate this, delete such information and, if applicable, terminate the child’s account. We will also make sure to have preventive measures in place for this not to happen again in the future. 

Rights over Personal Data

If you are a visitor to Our Site or a Customer, User and/or Tester of Our Platform and We have collected Personal Data about you, you have a right to access and to be informed about what Personal Data is processed by Hotjar, a right to rectification/correction, erasure/anonymization and restriction of processing (subject to certain exceptions and other requirements prescribed by law). You also have the right to receive from Hotjar a structured, common and machine-readable format of Personal Data you provided Us.

When you have provided consent, you may withdraw it at any time, without affecting the lawfulness of the processing that was carried out prior to withdrawing it. Whenever you withdraw consent, you acknowledge and accept that this may have a negative influence on the quality of Our Site and/or Platform. Please be aware that when you withdraw consent, We may delete the Personal Data previously processed on the basis of your consent and will not be allowed to keep it further which will mean that it cannot be accessed, downloaded or otherwise secured by you.

In addition, you have the right to lodge a complaint with your respective data protection authority.

To protect your privacy, We take steps to verify your identity before fulfilling your request. We can only identify you via your email address and we can only adhere to your request and provide information if We have Personal Data about you through you having made contact with Us directly and/or you are using Our Site and/or Platform. 

To protect your privacy, We will take steps to verify your identity before fulfilling any consumer request under the Applicable Law. When you make a request, We will ask you to provide sufficient information that allows Us to reasonably verify you are the person We collected Personal Data about or an authorized representative, which may include your email address.

If You are located in California…

This section only applies to Our processing of Personal Data as a “business” under the California Consumer Privacy Act (CCPA). 

The CCPA provides California residents with the right to know what Categories of Personal Data Hotjar has collected about them and whether Hotjar disclosed that Personal Data for a business purpose (e.g. to a service provider) in the preceding twelve (12) months. 

If you are a California resident and would like to exercise any of your rights under the CCPA, please contact Us at dpo@hotjar.com. We will process your request in accordance with the Applicable Laws.

Sales of Personal Information Under the CCPA. For purposes of the CCPA, Hotjar does not “sell” Personal Data, nor do We have actual knowledge of any “sale” of Personal Data of minors under 16 years of age.

Non-Discrimination. California residents will have the right to exercise the rights conferred to them by the CCPA.

Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request under the CCPA. If applicable, you may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please contact Us at dpo@hotjar.com.

If You are located in Brazil…

This section only applies to Our processing of Personal Data under the Brazilian Lei Geral de Proteção de Dados (LGPD). 

In addition to the rights described above, you also have the right to: 

  • access your Personal Data processed by Hotjar; 

  • unless restricted by law, request information about the public and private entities with which We have shared your Personal Data; 

  • oppose the processing carried out; and/or

  • receive information about the possibility of not providing your consent and the consequences of such denial.

If you are a Brazilian resident or were in Brazil when your Personal Data was collected and would like to exercise any of your rights under the LGPD, please contact Us at dpo@hotjar.com. We will process your request in accordance with the Applicable Laws.

Personal Data collected from a visitor of a Hotjar Enabled Site 

This section applies to Personal Data sent to Hotjar from Our Customers about visitors to their site using Our Platform (i.e. a Hotjar Enabled Site).

When an end-user visits a Hotjar Enabled Site, the Hotjar Enabled Site’s privacy policy will apply to the Personal Data collected and not this Privacy Policy. 

This section should always be read in conjunction with the specific privacy policy of the Hotjar Enabled Site which will contain further details regarding the processing of your Personal Data by the Hotjar Enabled Site. 

When making use of Our Platform, Our Customers are bound by Our Privacy Policy, Our Terms of Service, and Our Acceptable Use Policy. You can get more information about Hotjar by visiting Our Site.

If you are a visitor to a Hotjar Enabled Site, Hotjar may temporarily process your IP address so that We can ensure Our service is running smoothly and improve the quality of Our Platform. Any IP addresses We process are used exclusively for associated performance metrics (i.e. data related to how well Our Platform performs on the Hotjar Enabled Site) and to monitor and track application errors. For this purpose, We may temporarily store your IP address with Hotjar’s Sub-Processors which are subject to strict obligations of confidentiality and will process it only according to Our instructions. We will never access these IP addresses without any operational or security need. We automatically delete any IP addresses We process or store within thirty (30) calendar days. The legal basis for this data processing is Article 6(1)(f) GDPR.

Some Hotjar Customers may have the ability to integrate Data they have collected through Our Platform with other end-user data they have in their possession (e.g. their customer information). 

Depending on the web browser you use, it might be possible for you to disallow Hotjar from collecting Data when visiting a Hotjar Enabled Site. To discover if your web browser offers this functionality visit Our Do Not Track page.

Please note that We cannot respond to any requests from end-users of Hotjar Enabled Sites related to their Personal Data, including requests to provide, rectify or delete any end-user Personal Data. Any requests from end users of Hotjar Enabled Sites related to Customer Personal Data should be sent to the relevant Hotjar Customer. 

Previous Versions of this Privacy Policy 

Version 7.1 (compare markup changes between version 7 and 7.1)