Heap is a US-based product analytics platform (acquired by Contentsquare) known for its autocapture approach — automatically recording every user interaction without requiring manual event instrumentation. This powerful capability also introduces significant GDPR risk: Heap captures all clicks, inputs, and page views by default, potentially including sensitive form data unless explicitly excluded. Consent is required before Heap loads. Careful data minimisation configuration is essential for GDPR compliance.
Heap is a product analytics platform that pioneered the autocapture approach to event tracking. Instead of requiring engineers to manually instrument every user action, Heap automatically captures every click, form submission, page view, and interaction from the moment the SDK is installed. Data scientists and product managers can then retroactively define events and funnels without needing new code deployments. Heap was acquired by Contentsquare in 2023 and is now part of the broader Contentsquare digital experience analytics portfolio.
Heap's autocapture approach is powerful but introduces significant GDPR data minimisation concerns. By capturing everything by default, Heap may capture form field values, search queries, and other sensitive inputs that users type into the application. GDPR's data minimisation principle (Art. 5(1)(c)) requires collecting only what is necessary. Before deploying Heap, configure comprehensive exclusion rules to prevent capture of sensitive inputs. Test with a privacy proxy to verify what data is actually sent.
Heap stores a user identifier in the browser via cookies. This requires consent under the ePrivacy Directive before Heap can track the user. Integrate Heap loading with your CMP. Use Heap.stopTracking() when users decline consent. Implement Heap.identify() and Heap.addUserProperties() only after consent for identified analytics.
Heap processes all data on US infrastructure. As part of Contentsquare, the DPA and transfer mechanisms should be obtained from Contentsquare/Heap directly. SCCs are required for EU personal data. Sign the DPA before deploying on EU-facing products.
Configure comprehensive input exclusions before go-live. Test with a network proxy to verify no sensitive data is captured. Conduct a DPIA documenting autocapture scope and exclusions. Integrate with CMP for consent-conditional loading. Sign DPA and SCCs. Implement user deletion API for erasure requests. Add Heap to your privacy policy and cookie notice.
Websites using Heap must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Heap deployments due to the autocapture feature which captures all user interactions by default. This constitutes large-scale systematic monitoring. Document all exclusion rules applied to prevent capture of sensitive data in the DPIA.
Sample consent text
We use Heap Analytics to understand how you interact with our product. Heap automatically records your actions including clicks and page views. You can opt out of this analytics tracking via our cookie preferences.
Third-party domains contacted
heap.io, heapanalytics.com, api.heap.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _hp2_id | persistent | 13 months | Heap Analytics unique user identifier for autocapture event tracking and behavioural analytics |
| _hp2_ses_props | session | Session | Heap session properties cookie for grouping autocaptured events within a user session |
Yes. Heap stores a user identifier cookie and captures all user interactions. This requires consent under the ePrivacy Directive before Heap can load. Call Heap.stopTracking() when users decline consent.
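The consent-conditional loading described above (load Heap only after consent, call Heap.stopTracking() on decline, and run identify()/addUserProperties() only once consent exists), written out as an added example; this is not code from Heap, Contentsquare or FlowConsent. It assumes heap.load(appId, config) and the config keys disableTextCapture and secureCookie exist as in Heap's documented snippet; the Heap client is injected so the gate can be exercised without a browser, and fakeHeap() is a constructed stand-in for window.heap.

```javascript
// Consent gate for Heap. Identity calls made before the user decides are queued;
// a grant loads Heap and replays them, a denial drops them and calls stopTracking().
// `client` is window.heap in a browser; injected here so it runs without a DOM.
function createHeapConsentGate(client, appId, options = {}) {
  let state = "unknown";   // "unknown" | "granted" | "denied"
  let loaded = false;      // heap.load() must only run once per page (assumption)
  const pending = [];      // [method, args] queued until consent is decided
  const log = [];          // audit trail of what the gate did (useful DPIA evidence)

  function runOrQueue(method, args) {
    if (state === "granted") { client[method](...args); log.push(method); return true; }
    if (state === "denied") { log.push(`dropped:${method}`); return false; }
    pending.push([method, args]); log.push(`queued:${method}`); return false;
  }

  return {
    grant() {
      state = "granted";
      if (!loaded) {
        // Data-minimising load options (key names are an assumption, check Heap's docs).
        client.load(appId, { disableTextCapture: true, secureCookie: true, ...options });
        loaded = true;
        log.push("load");
      }
      while (pending.length) { const [m, a] = pending.shift(); client[m](...a); log.push(m); }
    },
    deny() {
      state = "denied";
      pending.length = 0;  // never replay identity calls after a refusal
      if (typeof client.stopTracking === "function") client.stopTracking();
      log.push("stopTracking");
    },
    identify(id) { return runOrQueue("identify", [id]); },
    addUserProperties(props) { return runOrQueue("addUserProperties", [props]); },
    state: () => state,
    log: () => log.slice(),
  };
}

// Constructed stand-in for window.heap that records calls instead of sending data.
function fakeHeap() {
  const calls = [];
  const rec = (name) => (...args) => calls.push([name, ...args]);
  return { calls, load: rec("load"), identify: rec("identify"),
           addUserProperties: rec("addUserProperties"), stopTracking: rec("stopTracking") };
}
```

In a real page, wire grant()/deny() to the CMP's consent callbacks and pass window.heap as the client; nothing reaches Heap's domains until grant() runs.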
Heap's autocapture records every click, form interaction, and page view automatically. Without exclusion rules, it may capture form field values including passwords, names, and email addresses. GDPR requires data minimisation — configure input exclusions before deployment.
Use heap.addEventProperties() exclusions, configure element-level redaction in the Heap privacy settings, use CSS selectors to exclude sensitive form fields, and apply the heap-redacted data attribute to specific elements. Test after configuration to verify no sensitive data is sent.
Yes. Heap (now part of Contentsquare) processes data on US infrastructure. SCCs are required for EU personal data. Sign the DPA from Contentsquare/Heap before deploying on EU-facing products.
Recommended. Heap's autocapture of all user interactions constitutes large-scale systematic monitoring. Document all exclusion rules and data minimisation measures in the DPIA to demonstrate compliance.
Consent (Art. 6(1)(a)) for the autocapture tracking and cookie storage. Heap cannot rely on legitimate interest for comprehensive behavioural tracking via client-side cookies.
Use the Heap User Privacy API to delete user data by user ID or email. Heap processes deletion requests and removes associated events and user properties. Document all deletions and respond to data subjects within 30 days.
PostHog (self-hostable with EU cloud option) provides autocapture analytics with EU data residency. Amplitude (EU region) and Mixpanel (EU region) offer manual event tracking with EU data storage. All analytics tools require consent regardless of hosting location.