Hotjar’s behavior analytics software was designed and built with privacy in mind.
As the leading and most popular platform on the market, used on over 500,000 websites in 180+ countries, we believe we don’t just have a responsibility to give our users and customers the tools they need to create better user experiences—we also have a responsibility to offer tools and methods to safeguard data so that trust between website owners, prospects, and customers can be assured and maintained.
→ read more about our approach to privacy in this piece by our CEO, David Darmanin
Data collected using our service is stored electronically in Ireland, Europe on the Amazon Web Services infrastructure, eu-west-1 datacenter. As the data controller, you are the only one with direct access to your data, which can never be used by any third party for any other purpose other than for that which you give direct consent. You are fully in control of your data, and can delete it at any time. We will also delete all data from our behavior tools after 365 days. We also have a data processing agreement (DPA) that can be signed, giving you full transparency over how your data is stored and maintained.
To protect and guarantee visitor privacy, Hotjar is built on anonymous insights and not on personal data. By default, site visitors are assigned a unique user identifier, so that Hotjar can keep track of returning visitors without relying on any personal information. When collecting data with Recordings, Hotjar also has various automated suppression features in place and data is suppressed client-side, in the visitor’s browser, meaning personally identifiable information never reaches our servers keeping their session private.
With the introduction of User Attributes (November 2019) and the roll-out of the Identify API, Hotjar allows its paying customers to pass along their own internal User IDs and additional user properties and connect them to each unique Hotjar ID. This facilitates more sophisticated and in-depth analysis, but Hotjar customers must agree to the terms of a DPA before being allowed access to the functionality.
Hotjar honors the Do Not Track (DNT) header, and provides an additional layer of privacy through our opt-out option, which sets a third-party cookie that specifically tells the Hotjar script not to track a visitor once they have opted out. To learn more about viewing the data collected by Hotjar's users, visit our Visitor Lookup article.
Hotjar is fully committed to compliance with the GDPR and welcomes its reinforcing elements. Our top priority is ensuring that our users and customers can use Hotjar in a GDPR-compliant manner and the data they collect with Hotjar is processed securely.
Security is key to fulfilling our commitment to our users and protecting their privacy. We have certifications, processes, and audits in place to systematically help ensure the safe and secure use of our service for everyone. Learn more about our security practices here.
At Hotjar, we are constantly working towards building a service that helps you create better experiences without compromising the privacy of your users.
If you think we can do anything to further protect privacy and enhance our service, please get in touch with our team at firstname.lastname@example.org.