Data Safety, Privacy & Security

Your site and visitor data is safe with Hotjar. There are a number of steps we take to ensure you are the only person who can access your site data and that your visitors' privacy is respected.

Data storage

All data Hotjar collects is stored electronically in Ireland, Europe on the Amazon Web Services infrastructure (eu-west-1 datacenter). Our application servers and database servers run inside an Amazon VPC (Virtual Private Cloud). The database containing visitor and usage data is only accessible from the application servers and no outside sources are allowed to connect to the database.

Visitor privacy

  • Site visitors are assigned a unique user identifier (UUID) so that Hotjar can keep track of returning visitors without relying on any personal information, such as the IP address.
  • IP addresses of visitors are always anonymized before being stored. We set the last octet of IPv4 addresses (all connections to Hotjar are made via IPv4) to zero (0) to ensure the full IP address is never written to disk. For example, if a visitor's IP address is 1.2.3.4, it will be stored as 1.2.3.0. The first three octets of the IP address are only used to determine the geographic location of the visitor.
  • When recording visitors (in Recordings), Hotjar masks keystrokes in password fields and in fields where we detect that a credit card number is being entered. You can also choose to manually mask both input fields and any regular text element.

Data collection and transmission

  • Firewalls are in place, exposing only the necessary ports to the internet and between different servers. IPS software is in place as a second layer of security and blocks access as soon as any suspicious login activity is detected.
  • Hotjar transmits data from the visitor's browser to our systems using HTTPS if the site which is using Hotjar uses HTTPS.
  • The protocols and cipher suites used to encrypt data in transfer are listed at the end of this article.

HTTPS / HTTP

If the site running Hotjar uses HTTP and not HTTPS, the data transmitted to our servers will not be encrypted. We always suggest using HTTPS when using Hotjar so the data transferred is always encrypted.

Data access and authentication

Only Hotjar engineers who require such access to perform their job efficiently are given access. Different engineers are given different access rights on different system components, depending on what their job requires. Engineers who do have access have their own credentials, and these are only valid when used from specific IPs. SSH key-based authentication is used for server access.

Data collected through Hotjar is exclusively reserved for use by our users and customers. Hotjar does not make use of the data collected in any form or way unless consent is officially given from an admin of the Hotjar account, clearly outlining what the data will be used for.

Data access and backup

At Hotjar we use database replication to keep your data safe in the case of system failure. Full database backups are taken every day, stored on AWS S3, and kept for three days as an electronic copy. If two or more database nodes were to fail concurrently, we would have to revert to a backup.
Note: This does not apply to Visitor Recordings - this data is currently not backed up.

Compliance, certifications and audit reports:

Hotjar's Architecture & Security diagram:

Data in transfer is encrypted using the following protocols and ciphers:

SSL Protocols
TLSv1
TLSv1.1
TLSv1.2

SSL Ciphers
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DES-CBC3-SHA
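
As an added example (not Hotjar's code or tooling), the following Python script parses the protocol and cipher names listed above, using OpenSSL's naming convention for TLS 1.2 and earlier suites, and groups them by the properties a reviewer of a TLS configuration would check. The function names and the grouping keys are assumptions made for this example.

```python
# Added example: classify the protocols and OpenSSL cipher names from this article.
PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
CIPHERS = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256 AES128-SHA256 AES128-SHA
AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA
""".split()


def classify(name):
    """Return the properties encoded in one OpenSSL cipher name."""
    parts = name.split("-")
    # An ephemeral key exchange prefix (ECDHE/DHE) means forward secrecy.
    fs = parts[0] in ("ECDHE", "DHE")
    # OpenSSL omits the prefix when key exchange and authentication are both RSA.
    kx, auth = (parts[0], parts[1]) if fs else ("RSA", "RSA")
    body = parts[2:] if fs else parts
    triple_des = body[:2] == ["DES", "CBC3"]
    aead = "GCM" in body
    return {
        "name": name, "kx": kx, "auth": auth,
        "forward_secrecy": fs,
        "aead": aead,
        "mode": "GCM" if aead else "CBC",
        "block_bits": 64 if triple_des else 128,
        # For GCM suites the trailing hash is the PRF hash, not a record MAC.
        "mac": None if aead else body[-1],
    }


def audit(protocols=PROTOCOLS, ciphers=CIPHERS):
    """Group the offered settings by the property a reviewer would look at."""
    rows = [classify(c) for c in ciphers]
    return {
        # TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996.
        "deprecated_protocols": [p for p in protocols if p in ("TLSv1", "TLSv1.1")],
        "forward_secret_aead": [r["name"] for r in rows if r["forward_secrecy"] and r["aead"]],
        "no_forward_secrecy": [r["name"] for r in rows if not r["forward_secrecy"]],
        "cbc_mode": [r["name"] for r in rows if not r["aead"]],
        "64_bit_block": [r["name"] for r in rows if r["block_bits"] == 64],
    }


if __name__ == "__main__":
    for key, names in audit().items():
        print(f"{key} ({len(names)}): {', '.join(names)}")
```
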

Updating your Privacy Policy for use with Hotjar

As a company based in the European Union, our technology and processes adhere to the strictest legal privacy requirements. In fact, we engaged a specialised legal firm to assist us with the process of drafting a policy that is suitable for us, as well as for Hotjar users around the world.

While we always recommend you seek legal advice within your territory, we suggest you review the provisions in our Privacy Policy and ensure your own policy mirrors the same principles we have included at https://www.hotjar.com/privacy.

Need more details or have any questions?

If you are interested in additional details, we can also provide you with a security Q&A document we created ourselves by analysing over a hundred security questionnaires we were sent to fill in. The document outlines the most common queries these documents typically contain.

To provide you with our in-depth security Q&A document or to answer additional queries you might have, please do not hesitate to contact us.
