audit report
Hotjar
Hotjar's privacy policy aligns well with the observed third-party tech stack. The site loads analytics (Heap), A/B testing (Optimizely), session replay (Hotjar), and tag management (GTM) tools, all of which are disclosed in the policy under its data collection, analytics, and tracking practices. The policy explicitly commits to not selling data, contractually binds processors, and offers user rights (access, deletion, portability, CCPA/LGPD compliance). Cookies are set and disclosed. However, the policy's reliance on vague "trusted external service providers" language obscures which of the five observed third parties (beyond the named Contentsquare) are contractually bound, and no cookie-banner consent flow is documented even though cookies are set.
claim vs. reality
“We may temporarily store the name of their internet service provider, IP address, the website they visited Us from, the parts of Our Site they visit, the date and duration of the visit, and information from the device”
observed · html
Hotjar findings
warn · Session replay tools detected
Session replay tools record user interactions. Observed: Hotjar. The policy should clearly disclose this and how recordings are stored.
how we detected this → Hotjar

warn · Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Optimizely, Google Tag Manager, Heap, Hotjar.
how we detected this → Optimizely, Google Tag Manager, Heap

note · Optimizely loaded (ab_testing)
Observed 2 time(s) on the page.
how we detected this →
  inline: grations","subtitle":"Connect to Google Analytics, HubSpot, Optimizely, and more.","loop":true,"imagesCollection":{"items":[{"url"
  script src: https://cdn.optimizely.com/datafiles/HgHVKrf9ZD2dsZYVFb9JnD.json/tag.js

note · Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-N4F4J3

note · Heap loaded (analytics)
Observed 1 time(s) on the page.
how we detected this → inline: window.heapReadyCb || [], window.heap = window.heap || [], heap.load = function (e, t) { window.getDefault

note · Hotjar loaded (session_replay)
Observed 1 time(s) on the page.
how we detected this → inline: (){(hj.q=hj.q||[]).push(arguments)}; window.hj('identify', null, { 'geo_country': 'United States' });

note · No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this → no Content-Security-Policy header present in the response headers

note · Named third parties do not match all observed integrations
The policy names only 'PayPal' and 'Content Square SAS' as specific third parties. However, the site loads Heap (analytics), Optimizely (A/B testing), and GTM (tag manager) in addition to Hotjar's own session replay. While these are likely covered under the generic 'trusted external service providers' clause, the policy does not explicitly name or differentiate between them, leaving unclear which processors have formal data processing agreements or what purposes each serves.
how we detected this →
  Policy names: PayPal, Content Square SAS
  Observed loads: heap.io, optimizely.com, googletagmanager.com, hotjar.com, unpkg.com
  Policy states: 'We use a select number of trusted external service providers for certain technical data analysis, processing and/or storage offerings' but does not enumerate or link to them

note · Cookie consent mechanism not verifiable from observation
The policy claims cookies are used for behavioral tracking and site improvement, and two cookies are set (NEXT_LOCALE, hj_visitor). However, the observation does not indicate whether a consent banner was present, what consent mechanism preceded these cookies, or whether users can control cookie preferences. The policy mentions using cookies but does not describe the consent flow in the excerpts provided.
how we detected this →
  Cookies set: NEXT_LOCALE, hj_visitor
  Policy claim: 'Hotjar uses cookies to process information... to operate Our Site; provide visitors to Our Site with a better experience'
  No evidence of consent banner or opt-out UI in observation

info · IP address deletion claim supported by retention policy
The policy explicitly promises automatic deletion of IP addresses within 30 days, which is transparent and addresses a common privacy concern for analytics platforms. This is a strong privacy-protective stance relative to the broader category.
how we detected this →
  Policy: 'We automatically delete these IP addresses within thirty (30) calendar days'
  Aligns with GDPR article 6 proportionality and data minimization principles

info · Content Square relationship disclosed but governance unclear
The policy discloses that Hotjar shares data with Content Square (the parent company group) for 'sales and marketing synergies,' which is transparent about intra-group sharing. However, the policy does not specify whether users can opt out of this sharing or whether it requires separate consent.
how we detected this →
  Policy: 'In the course of our normal operations, Hotjar may share Data (e.g. name and contact details, etc.) of Users of Hotjar accounts, Testers, and visitors of Our Site (hotjar.com) with Contentsquare'
  No opt-out mechanism mentioned in the excerpts provided
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| Heap | heap.io | analytics | 1 | not named |
| Hotjar | hotjar.com | session_replay | 1 | not named |
| Optimizely | optimizely.com | ab_testing | 2 | not named |
| Contentful CDN | ctfassets.net | cdn | 33 | not named |
| HTML5 Data URI | data:image | other | 14 | not named |
| unpkg | unpkg.com | cdn | 1 | not named |
policy claims
source · https://www.hotjar.com/legal/policies/privacy/
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (2)
PayPal, Content Square SAS
retention
Personal Data is retained as long as necessary for the original purpose or to provide the Platform, resolve disputes, establish legal defenses, and enforce agreements. For payment-related data, retention may extend up to seven years. IP addresses are automatically deleted within 30 days.
user rights
Users have the right to access, rectify, erase, and restrict processing of their personal data. They can withdraw consent at any time and receive data in a structured, portable format. Users can lodge complaints with data protection authorities. California residents have CCPA rights; Brazilian residents have LGPD rights.
response headers
- hsts: yes
- csp: no
- server: —
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://hotjar.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://hotjar.com
provenance
This audit was generated by running stackpeek against https://hotjar.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.