Privacy / GDPR compliance

GDPR compliance made easy

Build trust and transparency around your data by using Hotjar in a GDPR-compliant manner.

On May 25, 2018, a data privacy law called the General Data Protection Regulation (GDPR) came into force, impacting how businesses collect and process data from individuals in the European Union.

This meant new rules to follow when it comes to collecting, tracking, or handling EU-based prospects’ and customers’ personal data.

If you have or plan to have website/app visitors who are in the EU, or you process any form of EU data, this one’s for you.

Privacy by design

Hotjar was designed and built with privacy in mind. Our approach keeps end-user privacy at the center of what we do.

As the leading and most popular platform on the market, used on over 500,000 websites in 180+ countries, we believe we have a responsibility to offer tools and methods to safeguard data so that trust between website owners, prospects, and customers can be assured and maintained.

In 2018, we were excited to welcome the reinforcing elements of the GDPR. Our top priority is ensuring that our users and customers can use Hotjar in a GDPR-compliant manner and the data they collect with Hotjar is processed securely.

Compliance controls

Right of access/Right of erasure

Our Visitor Lookup feature lets you quickly look up what data your site has collected for an individual visitor (the "data subject") through their email address and/or User ID, and allows you to give them access to view and delete all or part of their data.


Automatic suppression* can be set on all numeric digits and email addresses in Session Recordings, Heatmaps, and Incoming Feedback screenshots by activating on-page suppression. Suppression tags can be used to suppress specific elements, including images, on pages that contain personally identifiable information (PII), and all form fields have automatic suppression set up for you.

*PII data is automatically anonymized on your end-user’s side so that data containing PII never reaches Hotjar’s servers for Heatmaps, Recordings, and Incoming Feedback.

Data portability

All of our feedback tools can export data as a downloadable file in either CSV or XLSX format.

Data retention

An automatic 365-day data retention period is enforced to ensure all analytics data older than 365 days collected through Hotjar is systematically deleted.

User consent

Our feedback tools give you the option to clearly ask for consent whenever personally identifiable information is shared through a Poll or Incoming Feedback widget. This helps link feedback responses with their associated session recordings, consent to which can also easily be withdrawn through our Visitor Lookup feature. A direct link to your privacy policy can also be added to all consent widgets.

Further reading

Acceptable use policy

Review our dos and don'ts

GDPR commitment

Take a look at our commitment to GDPR

Legal overview

Review all our legal docs

Data processing agreement

Review and/or sign our DPA

At Hotjar, we are constantly working towards building a service that helps you create better experiences without compromising the privacy of your users.

Sign up or ask a question

Sign up or ask a question if you still have concerns. Our team is here to help you.