Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Heap is a US-based product analytics platform (acquired by Contentsquare) known for its autocapture approach — automatically recording every user interaction without requiring manual event instrumentation. This powerful capability also introduces significant GDPR risk: Heap captures all clicks, inputs, and page views by default, potentially including sensitive form data unless explicitly excluded. Consent is required before Heap loads. Careful data minimisation configuration is essential for GDPR compliance.
Heap is a US product analytics platform founded in San Francisco in 2013 and acquired by the French digital experience company Contentsquare in 2024. Heap is best known for its autocapture engine: instead of asking developers to manually fire events, the heap.js library records every click, form input, page view, submit and tap by default, then lets analysts retroactively define metrics on top of that raw event stream. Heap is used by product, growth and CRO teams to analyse conversion funnels, retention cohorts and feature adoption.
Heap stores a first party user identifier in the cookie _hp2_id.{appId} for 13 months, plus a session identifier in _hp2_ses_props.{appId} and user properties in localStorage keys prefixed with _hp2_. The autocapture mechanism collects: page URL and referrer, click target (DOM selector, text content, attributes), form field interactions (focus, blur, input length, but values can be redacted), viewport size, device and browser fingerprint, IP address (truncated server side for EU residency customers), geolocation derived from IP, and any custom properties pushed via heap.identify or heap.addUserProperties.
Heap reads from and writes to the user terminal, which directly triggers Article 5(3) of the ePrivacy Directive and its national transpositions (Article 82 of the French Loi Informatique et Libertés, section 25 of the German TDDDG, Article 22.2 LSSI in Spain). Heap also processes personal data within the meaning of Article 4(1) GDPR because the persistent identifier combined with behavioural data allows the data subject to be singled out. The CNIL exemption for measurement only analytics does not apply: Heap autocapture sends data to a US controller, allows cross site tracking and is not strictly necessary for the requested service. Consent is mandatory.
Block heap.js before any consent is given. The script must not execute, set cookies, write to localStorage or call the network until the user has explicitly opted in. The CMP must capture granular consent for the analytics category, log proof of consent with timestamp and purposes, and propagate the choice via Google Consent Mode v2 (analytics_storage) or Heap native consent gating (heap.startTracking and heap.stopTracking APIs). Refusing or ignoring the banner must result in zero data collection: pre filled, scroll based or continued browsing consent is invalid under EDPB guidelines 05/2020.
By default, Heap ingests data to AWS us-east-1. Following the Schrems II ruling (CJEU C-311/18) and the EU US Data Privacy Framework adopted in July 2023, transfers to the US are permitted only if Heap Inc. is certified under the DPF or if the EU Standard Contractual Clauses 2021/914 are signed and complemented by a Transfer Impact Assessment. Heap publishes a DPA and offers an EU residency option for Enterprise plans. European controllers should: enable EU residency where the plan allows, sign the SCCs (Module 2 controller to processor), document the TIA, restrict access by Heap support staff and turn on IP truncation.
Concrete steps for a compliant Heap deployment:
1) load heap.js only after explicit opt in via your CMP;
2) configure data redaction rules to exclude sensitive form fields (passwords, payment data, health information) using the data-heap-redact-text attribute or the redact_text setting;
3) enable IP truncation;
4) reduce the session and identifier retention where business needs allow;
5) document Heap in your Article 30 record of processing activities;
6) update the privacy notice with the controller name, purposes, retention, recipients (Heap Inc.), legal basis (consent) and data subject rights;
7) link the Heap entry in your cookie policy;
8) test that Heap is fully blocked when consent is refused using a network panel or a CMP audit tool.
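The gating and redaction steps above (1 and 2), plus the stop-on-withdrawal requirement, as an added example. This is not Heap's or FlowConsent's code: it is a small consent gate written against adapter functions so the decision logic can be exercised outside a browser. It assumes that heap.startTracking(), heap.stopTracking(), the data-heap-redact-text attribute and the _hp2_ storage prefix behave as this page describes them, that Google Consent Mode v2 is reached through the standard gtag('consent', 'update', ...) call, and that HEAP_SCRIPT_URL is replaced with the script URL from your own Heap snippet; the sensitive-field selector list is a constructed starting point.

```javascript
// Added example, not Heap's or FlowConsent's code: a consent gate that keeps heap.js
// off the page until the visitor opts in to the analytics category and stops tracking
// again when consent is withdrawn. DOM access is confined to browserAdapters() so the
// gate logic itself runs anywhere.
//
// Assumptions (labelled): heap.startTracking() / heap.stopTracking(), the
// data-heap-redact-text attribute and the _hp2_ storage prefix are used exactly as this
// page describes them; HEAP_SCRIPT_URL is a placeholder for the URL in your Heap snippet.

const HEAP_SCRIPT_URL = 'https://cdn.heapanalytics.com/js/heap-YOUR_APP_ID.js'; // placeholder, assumed path shape

// Fields whose text must never reach Heap (a constructed starting list; extend it for your forms).
const SENSITIVE_SELECTORS = [
  'input[type="password"]',
  'input[autocomplete^="cc-"]', // card number, expiry, CVC
  'input[type="email"]',
  '[data-sensitive]',           // opt-in marker for anything else (health fields etc.)
];

function createHeapGate(adapters) {
  const state = { loaded: false, tracking: false, history: [] };

  function onConsentChange(consent) {
    const granted = !!consent && consent.analytics === true;

    // 1) Propagate the decision to Google Consent Mode v2 before anything else runs.
    adapters.setConsentMode({ analytics_storage: granted ? 'granted' : 'denied' });

    if (granted) {
      if (!state.loaded) {
        // First opt-in: mark sensitive fields, then inject the script. heap.js must not
        // have been on the page before this point.
        adapters.markRedacted(SENSITIVE_SELECTORS);
        adapters.loadScript();
        state.loaded = true;
      } else if (!state.tracking) {
        // Re-consent after a withdrawal: the script is already present, so resume it.
        const heap = adapters.heap();
        if (heap && typeof heap.startTracking === 'function') heap.startTracking();
      }
      state.tracking = true;
    } else {
      // Refusal or withdrawal: halt an already-loaded script and purge its storage so a
      // later page view cannot resume with the old identifier.
      if (state.loaded && state.tracking) {
        const heap = adapters.heap();
        if (heap && typeof heap.stopTracking === 'function') heap.stopTracking();
      }
      state.tracking = false;
      adapters.clearStorage();
    }

    // 2) Proof of consent: timestamp plus purpose, as the CMP must be able to show.
    state.history.push({ at: new Date().toISOString(), purpose: 'analytics', granted });
    return state.tracking;
  }

  return { onConsentChange, getState: () => ({ ...state, history: state.history.slice() }) };
}

// Production adapters; all DOM and network side effects live here.
function browserAdapters(scriptUrl) {
  return {
    loadScript() {
      const s = document.createElement('script');
      s.async = true;
      s.src = scriptUrl;
      document.head.appendChild(s);
    },
    heap: () => window.heap,
    setConsentMode(update) {
      if (typeof window.gtag === 'function') window.gtag('consent', 'update', update);
    },
    markRedacted(selectors) {
      document.querySelectorAll(selectors.join(',')).forEach((el) => {
        el.setAttribute('data-heap-redact-text', ''); // attribute name from the page; empty value assumed
      });
    },
    clearStorage() {
      document.cookie.split(';').forEach((part) => {
        const name = part.trim().split('=')[0];
        if (!name.startsWith('_hp2_')) return;
        // Expire on the current host and, heuristically, on the parent domain, since a
        // cookie set with a domain attribute is only removed with the same attribute.
        document.cookie = name + '=; Max-Age=0; path=/';
        document.cookie = name + '=; Max-Age=0; path=/; domain=' + location.hostname.replace(/^www\./, '');
      });
      Object.keys(localStorage).filter((k) => k.startsWith('_hp2_')).forEach((k) => localStorage.removeItem(k));
    },
  };
}

// Wire-up: the CMP calls window.heapConsentGate.onConsentChange({ analytics: true|false })
// from its initial-load and change callbacks. Guarded so the module also loads under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.heapConsentGate = createHeapGate(browserAdapters(HEAP_SCRIPT_URL));
}
```

The gate never calls heap.startTracking() on the first grant: injecting the script is the start, and calling the API before the script has finished loading would race it. Resumption via startTracking() is reserved for a grant that follows a withdrawal on the same page.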
Websites using Heap must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment under Article 35 GDPR is strongly recommended. Heap autocapture is, by design, large scale and systematic monitoring of every user interaction, which triggers criterion 7 of the EDPB WP248 guidelines. Special attention must be given to: the risk of inadvertently capturing special category data through form inputs, the absence of true cookieless mode, the international transfer to the United States, the long retention of the user identifier (13 months) and the ability of administrators to replay session data. Document data minimisation rules (selector based redaction, sensitive field blocklists) and the contractual safeguards (DPA + SCCs + EU residency option where available).
Sample consent text
We use Heap, a product analytics service operated by Heap Inc. (United States, a Contentsquare company), to understand how visitors use our website. Heap automatically records clicks, form interactions and navigation, and stores a first party identifier in cookies and localStorage on your device for up to 13 months. Data may be transferred to the United States under the EU Standard Contractual Clauses. Heap will only load if you click Accept.
Third-party domains contacted
heapanalytics.com
cdn.heapanalytics.com
heap.io
api.heap.io
heap-api.com
heapanalytics-eu.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _hp2_id.{appId} | HTTP cookie (first party), persistent | 13 months | Heap Analytics unique user identifier for autocapture event tracking and behavioural analytics: stitches sessions, attributes events to a single visitor and builds cross session funnels and retention cohorts. |
| _hp2_ses_props.{appId} | HTTP cookie (first party), session | Session | Stores session level properties (session start timestamp, referrer, entry page) used to group autocaptured events within one user session. Reset on each new session. |
| _hp2_props.{appId} | localStorage | Persistent (until cleared) | Stores custom user properties set via heap.identify and heap.addUserProperties so they can be sent with every event. |
| _hp2_lastts.{appId} | localStorage | Persistent (until cleared) | Stores the timestamp of the last activity so Heap can determine whether the current visit is a new session. |
Yes. Heap stores a user identifier cookie and captures all user interactions. This requires consent under the ePrivacy Directive before Heap can load. Call heap.stopTracking() when users decline consent.
Heap's autocapture records every click, form interaction, and page view automatically. Without exclusion rules, it may capture form field values including passwords, names, and email addresses. GDPR requires data minimisation — configure input exclusions before deployment.
Use heap.addEventProperties() exclusions, configure element-level redaction in the Heap privacy settings, use CSS selectors to exclude sensitive form fields, and apply the heap-redacted data attribute to specific elements. Test after configuration to verify no sensitive data is sent.
Yes. Heap (now part of Contentsquare) processes data on US infrastructure. SCCs are required for EU personal data. Sign the DPA from Contentsquare/Heap before deploying on EU-facing products.
Recommended. Heap's autocapture of all user interactions constitutes large-scale systematic monitoring. Document all exclusion rules and data minimisation measures in the DPIA to demonstrate compliance.
Consent (Art. 6(1)(a)) for the autocapture tracking and cookie storage. Heap cannot rely on legitimate interest for comprehensive behavioural tracking via client-side cookies.
Use the Heap User Privacy API to delete user data by user ID or email. Heap processes deletion requests and removes associated events and user properties. Document all deletions and respond to data subjects within 30 days.
PostHog (self-hostable with EU cloud option) provides autocapture analytics with EU data residency. Amplitude (EU region) and Mixpanel (EU region) offer manual event tracking with EU data storage. All analytics tools require consent regardless of hosting location.
Heap sets a persistent first party user identifier in _hp2_id.{appId} for 13 months, a session cookie _hp2_ses_props.{appId}, and writes user properties to localStorage keys prefixed with _hp2_. The exact name suffix is your Heap project ID. All values are bound to your domain, but they are read by heap.js scripts loaded from heapanalytics.com, so they qualify as third party tracking technology under CNIL and EDPB guidance.
Yes. Heap reads and writes to the user terminal and processes behavioural data that allows individuals to be singled out, so Article 5(3) of the ePrivacy Directive applies and freely given, specific, informed, unambiguous opt in consent is required under Article 6(1)(a) GDPR. Legitimate interest is not a valid alternative. The script must be blocked until the user clicks Accept and must stop running if consent is withdrawn.
The only valid legal basis for non essential analytics that involves a third country transfer and a persistent identifier is consent (Article 6(1)(a) GDPR). Heap is the processor, the website operator is the controller, and a Data Processing Addendum signed under Article 28 GDPR is mandatory. Contractual necessity, legitimate interest and legal obligation do not apply to product analytics of this nature.
Yes by default. Heap ingests data to AWS us-east-1 in the United States. Heap Inc. is a US company even after the Contentsquare acquisition. Transfers rely on either certification under the EU US Data Privacy Framework or the EU Standard Contractual Clauses 2021/914 with a documented Transfer Impact Assessment. An EU residency tier exists on Enterprise plans and should be activated whenever possible.
A Data Protection Impact Assessment is strongly recommended and, for most B2C and high traffic sites, mandatory. Heap autocapture is systematic, large scale monitoring of user behaviour, which meets criterion 7 of the EDPB WP248 list of high risk processing. Document the purposes, the categories of data, the data subjects, the recipients, the retention, the international transfers, the risk to rights and freedoms and the mitigating measures.
Load heap.js only after explicit opt in. Use a Consent Management Platform to gate the script, propagate the choice through Google Consent Mode v2 or the heap.startTracking and heap.stopTracking APIs, and add data redaction rules to exclude sensitive form fields. Activate the EU residency option, sign the DPA and the SCCs, document the TIA, reduce retention to the minimum required, and verify with a network panel that no Heap requests are sent when the banner is closed or refused.
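The final verification step (no Heap requests when the banner is closed or refused), as an added example that is not Heap's or FlowConsent's code. Export a HAR from the browser's network panel after refusing the banner, copy document.cookie and the localStorage key names, and run the check against them; any finding means heap.js is not fully blocked. The domain list is the one this page gives; the sample HAR, cookie header and storage keys are constructed for the example and their URL paths and IDs are placeholders.

```javascript
// Added example, not Heap's or FlowConsent's code: an offline audit of a refusal flow.
// Input is a HAR object (as exported from a browser network panel), the cookie header
// and the localStorage key names observed after "Refuse" was clicked.
//
// HEAP_DOMAINS are the domains listed on this page; the samples below are constructed.

const HEAP_DOMAINS = ['heapanalytics.com', 'heap.io', 'heap-api.com', 'heapanalytics-eu.com'];
const HEAP_STORAGE_PREFIX = '_hp2_';

// True for the domains themselves and any subdomain (cdn.heapanalytics.com, api.heap.io),
// but not for look-alikes such as notheap.io.
function isHeapHost(hostname) {
  const h = String(hostname).toLowerCase();
  return HEAP_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

function auditConsentRefusal({ har, cookieHeader = '', localStorageKeys = [] }) {
  const findings = [];

  const entries = har && har.log && Array.isArray(har.log.entries) ? har.log.entries : [];
  for (const entry of entries) {
    const url = entry && entry.request && entry.request.url;
    if (!url) continue;
    let hostname;
    try { hostname = new URL(url).hostname; } catch (e) { continue; } // skip malformed URLs
    if (isHeapHost(hostname)) findings.push({ kind: 'request', detail: url });
  }

  for (const part of cookieHeader.split(';')) {
    const name = part.trim().split('=')[0];
    if (name.startsWith(HEAP_STORAGE_PREFIX)) findings.push({ kind: 'cookie', detail: name });
  }

  for (const key of localStorageKeys) {
    if (String(key).startsWith(HEAP_STORAGE_PREFIX)) findings.push({ kind: 'localStorage', detail: key });
  }

  return findings;
}

// Constructed sample: what a leaky site looks like after "Refuse" was clicked.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'https://www.example.com/' } },
  { request: { url: 'https://www.example.com/assets/app.js' } },
  { request: { url: 'https://cdn.heapanalytics.com/js/heap-PLACEHOLDER_APP_ID.js' } },
  { request: { url: 'https://heapanalytics.com/PLACEHOLDER_ENDPOINT' } },
  { request: { url: 'https://notheap.io/pixel' } }, // look-alike, must not be flagged
] } };
const SAMPLE_COOKIES = 'cookie_consent=refused; _hp2_id.PLACEHOLDER_APP_ID=abc123';
const SAMPLE_STORAGE_KEYS = ['theme', '_hp2_props.PLACEHOLDER_APP_ID'];

// Runs the audit over the constructed sample; swap in your own exports for a real check.
function runSampleAudit() {
  return auditConsentRefusal({
    har: SAMPLE_HAR,
    cookieHeader: SAMPLE_COOKIES,
    localStorageKeys: SAMPLE_STORAGE_KEYS,
  });
}

// Usage: const findings = runSampleAudit(); findings.length === 0 means Heap was fully blocked.
```

Run it before and after each CMP change; a clean refusal produces an empty findings list, while a single leaked script load, beacon, cookie or localStorage key is enough to fail the check.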
For autocapture style product analytics, the closest European alternatives are PostHog Cloud EU (self hostable, hosted in Frankfurt), Plausible (privacy first, hosted in Germany), Matomo Cloud EU (hosted in Germany) and Pirsch Analytics (Germany). For session replay and behavioural insights from European vendors, Contentsquare itself (Heap parent) offers an EU only deployment, and Mouseflow (Denmark) provides an EU data residency option.
Add an entry that names the controller (Heap Inc., 225 Bush Street, San Francisco, USA), the purpose (product analytics, autocapture of user interactions), the legal basis (consent), the categories of data (identifier, behavioural data, IP, device data), the recipients (Heap Inc., Contentsquare, AWS sub processor), the retention (up to 13 months), the international transfers (US, SCCs in place), the data subject rights including the right to withdraw consent, and a direct link to the Heap privacy policy.