Hotjar is a behaviour analytics and user feedback platform that provides heatmaps, session recordings, surveys, and feedback widgets. It helps teams understand how visitors actually navigate and interact with their website. Unlike advertising trackers, Hotjar stores EU customer data in the EU (AWS Ireland) and has no ad-targeting purpose. Consent is required under the ePrivacy Directive for cookies and session recording.
Hotjar is a behaviour analytics and user feedback platform founded in Malta in 2014 and acquired by Contentsquare in 2021. It provides product teams and UX designers with tools to understand how real visitors interact with their websites: heatmaps (click, move, scroll), session recordings, on-site surveys, feedback widgets, and funnel analysis. Unlike advertising trackers, Hotjar has no ad-targeting purpose; its sole aim is to help operators improve their user experience and conversion rates.
Hotjar's core features include:
- Heatmaps: visual overlays showing where visitors click, move their mouse, and how far they scroll on each page.
- Session recordings: anonymised video replays of individual visitor sessions, showing navigation paths, rage clicks, and u-turns.
- Surveys: in-page and exit-intent surveys to collect qualitative feedback directly from visitors.
- Feedback widgets: always-on feedback buttons allowing visitors to highlight page elements and leave comments.
- Funnels: step-by-step conversion analysis to identify where visitors drop off.
Hotjar stores all EU customer data in the European Union (AWS eu-west-1, Ireland), a deliberate privacy-by-design decision made in 2022 that eliminates cross-border data transfer concerns for most deployments. Hotjar acts as a data processor on behalf of the operator, processing data only according to the operator's instructions. Under the GDPR and the ePrivacy Directive, consent is required before the Hotjar tracking code may fire, since it sets persistent identification cookies. Hotjar also provides an Opt-out page that operators can link to, allowing visitors to exclude themselves from all Hotjar tracking.
Since Hotjar version 3, operators can enable cookieless mode, in which no persistent cookies are set and tracking is based solely on aggregated, non-identifiable session data. This mode reduces privacy risk significantly and may allow use under legitimate interest in some jurisdictions. For session recordings, Hotjar automatically suppresses text input fields (replacing their content with asterisks) to prevent accidental capture of passwords or form data. Operators must verify that all sensitive fields (payment details, health data, personal identifiers) are correctly excluded using Hotjar's suppress class or element suppression settings.
Websites using Hotjar must obtain user consent under GDPR regulations.
DPIA considerations
Hotjar collects granular behavioural data including mouse movements, click positions, scroll depth, and full session recordings of visitor interactions. Key DPIA considerations:
1. Session recordings may inadvertently capture sensitive data entered into forms (email addresses, names, or in edge cases payment card numbers) if the masking configuration is incomplete; operators must verify that all sensitive input fields are excluded from recordings.
2. Hotjar uses persistent cookies to assign unique visitor IDs (_hjid, _hjSessionUser), enabling individual-level tracking across multiple sessions.
3. Unlike advertising trackers, Hotjar does not transfer data to the US for EU customers; data is stored in AWS eu-west-1 (Ireland), significantly reducing cross-border transfer risk.
4. Hotjar processes data as a data processor on behalf of the operator, which is a more favourable arrangement than Meta Pixel's joint-controller model.
5. In cookieless mode (Hotjar v3+), no persistent identifiers are set and data is aggregated; this substantially reduces privacy risk but limits session-level analytics.
A DPIA is recommended for large-scale or sensitive deployments; the main risk factor is inadvertent sensitive data capture in recordings.
Sample consent text
We use Hotjar to understand how you use our website. Hotjar may record your mouse movements, clicks, and scrolling behaviour, and may use cookies to identify your browser across visits. This data is stored in the EU and used solely to improve our website experience. No personal data is shared with advertisers. You may withdraw your consent at any time via our cookie settings.
Third-party domains contacted
- script.hotjar.com
- static.hotjar.com
- insights.hotjar.com
- vc.hotjar.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _hjid | Analytics | 365 days | Assigns a unique visitor ID to identify and track the same user across multiple sessions. Persisted on the operator domain as a first-party cookie. |
| _hjSessionUser_<site_id> | Analytics | 365 days | Stores the unique session user identifier across pages within a visit. Used to link session recordings to a specific user profile in the Hotjar dashboard. |
| _hjSession_<site_id> | Analytics | 30 minutes | Stores current session data including session number and start timestamp. Expires after 30 minutes of inactivity. |
| _hjAbsoluteSessionInProgress | Analytics | 30 minutes | Detects the first pageview of a new session to prevent duplicate session counts in heatmap and recording data. |
Hotjar is a behaviour analytics and user feedback platform. It provides heatmaps (showing where visitors click, move, and scroll), session recordings (anonymised video replays of individual visits), surveys, and on-page feedback widgets. It is used by product and UX teams to understand how real visitors interact with a website, not to track behaviour for advertising purposes. Hotjar has no ad-targeting functionality and does not share data with any advertising network.
Hotjar is designed with GDPR compliance in mind. EU customer data is stored in the EU (AWS Ireland), Hotjar acts as a data processor under a Data Processing Agreement, and it provides tools to mask sensitive data in recordings. However, compliance depends on the operator's configuration: you must obtain valid consent before loading the Hotjar script (since it sets persistent cookies), correctly suppress all sensitive form fields from recordings, and maintain an up-to-date DPA with Hotjar.
Yes, in its default configuration. Hotjar sets persistent identification cookies (_hjid, _hjSessionUser) that are used to track individual visitors across sessions. Under the ePrivacy Directive and GDPR, these require prior informed consent via a compliant Consent Management Platform (CMP). However, Hotjar v3+ offers a cookieless mode in which no persistent cookies are set; in this mode, consent requirements are significantly reduced and legitimate interest may be a valid legal basis in some jurisdictions.
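The two operator obligations described above, loading the script only after consent and checking that no Hotjar identifiers exist beforehand, can be exercised together. The following is an added example, not Hotjar's or FlowConsent's own code. It assumes the shape of Hotjar's published install snippet (a `window._hjSettings` object and a loader served from static.hotjar.com); the site id is a placeholder, the cookie name patterns come from the table above, and `win`/`doc` are passed in so the functions can run under Node with constructed stand-ins as well as in a browser with the real `window`/`document`.

```javascript
// Added example: consent-gated Hotjar loading plus a pre-consent cookie audit.
// Not Hotjar's or FlowConsent's code. The snippet shape (window._hjSettings and the
// static.hotjar.com loader URL) is assumed from Hotjar's published install snippet.

const HOTJAR_SITE_ID = 1234567;   // placeholder, not a real site id
const HOTJAR_SCRIPT_VERSION = 6;  // assumed snippet version parameter

// Cookie name patterns from the "Cookies placed" table; the <site_id> suffix is numeric.
const HOTJAR_COOKIE_PATTERNS = [
  /^_hjid$/,
  /^_hjSessionUser_\d+$/,
  /^_hjSession_\d+$/,
  /^_hjAbsoluteSessionInProgress$/,
];

// Parse a document.cookie string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : trimmed.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// Names of Hotjar cookies present in a document.cookie string.
function findHotjarCookies(cookieString) {
  return [...parseCookies(cookieString).keys()]
    .filter((name) => HOTJAR_COOKIE_PATTERNS.some((re) => re.test(name)));
}

// Compliance check: Hotjar identifiers must not exist unless analytics consent was given.
function auditHotjarCookies(cookieString, consent) {
  const present = findHotjarCookies(cookieString);
  const consented = consent.analytics === true;
  return {
    compliant: consented || present.length === 0,
    cookiesWithoutConsent: consented ? [] : present,
  };
}

// Inject the Hotjar loader only after analytics consent, and only once.
function loadHotjarIfConsented(win, doc, consent) {
  if (consent.analytics !== true) return { loaded: false, reason: 'no analytics consent' };
  if (win._hjSettings) return { loaded: false, reason: 'already loaded' };
  win.hj = win.hj || function () { (win.hj.q = win.hj.q || []).push(arguments); };
  win._hjSettings = { hjid: HOTJAR_SITE_ID, hjsv: HOTJAR_SCRIPT_VERSION };
  const script = doc.createElement('script');
  script.async = true;
  script.src = `https://static.hotjar.com/c/hotjar-${HOTJAR_SITE_ID}.js?sv=${HOTJAR_SCRIPT_VERSION}`;
  doc.head.appendChild(script);
  return { loaded: true, src: script.src };
}

// Constructed stand-ins for window/document so the example runs outside a browser.
function makeFakeBrowser() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = { head, createElement: (tag) => ({ tagName: tag.toUpperCase() }) };
  return { win: {}, doc };
}

// Constructed sample cookie string: Hotjar cookies next to an unrelated session cookie.
const SAMPLE_COOKIES =
  'sessionid=abc123; _hjid=c0ffee00-0000-4000-8000-000000000001; ' +
  '_hjSessionUser_1234567=eyJpZCI6ImNvbnN0cnVjdGVkIn0; _hjSession_1234567=eyJzIjoxfQ';

function demo() {
  const noConsent = { analytics: false };
  const audit = auditHotjarCookies(SAMPLE_COOKIES, noConsent);
  const { win, doc } = makeFakeBrowser();
  const firstAttempt = loadHotjarIfConsented(win, doc, noConsent);        // blocked
  const secondAttempt = loadHotjarIfConsented(win, doc, { analytics: true }); // loads
  return { audit, firstAttempt, secondAttempt, scriptsInjected: doc.head.children.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page, call `auditHotjarCookies(document.cookie, consentState)` from an automated check or a CMP hook before the consent decision is known; any non-empty `cookiesWithoutConsent` means the snippet fired early (for example from a tag manager rule that does not wait for consent) and should be treated as a finding.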
For EU customers, Hotjar stores all behavioural data (heatmaps, session recordings, survey responses) in the European Union on AWS eu-west-1 (Ireland). This migration was completed in 2022 as a deliberate privacy-by-design decision to eliminate EU-to-US data transfer concerns. This is a key compliance advantage over tools like Google Analytics or Meta Pixel, which transfer data to the United States. Some operational sub-processors (e.g. for billing or support) may be US-based, but these do not process session or heatmap data.
Hotjar sets four main cookies:
- _hjid (365-day lifetime): assigns a unique visitor ID persisted across sessions to identify returning users.
- _hjSessionUser_<site_id> (365-day lifetime): stores the unique session user identifier.
- _hjSession_<site_id> (30-minute lifetime): stores current session data including session number and timestamps.
- _hjAbsoluteSessionInProgress (30-minute lifetime): detects the first pageview of a session.
All cookies are first-party (set on the operator domain) and stored in the EU.
By default, Hotjar automatically suppresses all HTML input fields in session recordings, replacing their content with asterisks. However, this suppression relies on correct HTML markup; non-standard input implementations or dynamically rendered fields may not be caught automatically. Operators must review their recordings and use Hotjar's suppress class (data-hj-suppress) or element-level suppression settings to explicitly exclude any sensitive fields. Particular attention is required on checkout pages, account registration forms, and any page handling health, financial, or identity data.
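The review step above can be partly automated: walk the page and list every text-entry element that is not covered by data-hj-suppress. The following is an added example, not Hotjar's code. It assumes that the marker suppresses the element it sits on and everything inside it, accepts the marker either as an attribute or as a class name (confirm both against Hotjar's current documentation), and treats the non-standard fields the text warns about (contenteditable regions, ARIA textboxes) as the default targets, with an optional strict mode that also requires explicit suppression on standard inputs. The element tree is a constructed stand-in; in a browser, map real nodes to the same `{ tag, attrs, children }` shape from `element.tagName`, `getAttributeNames()` and `children`.

```javascript
// Added example: audit a page for text-entry elements lacking data-hj-suppress.
// Not Hotjar's code; the suppression semantics are assumed as described in the lead-in.

const SUPPRESS_MARKER = 'data-hj-suppress';
const STANDARD_CONTROLS = new Set(['input', 'textarea', 'select']);

// True when the marker is present as an attribute or as one of the element's classes.
function hasSuppressMarker(el) {
  const attrs = el.attrs || {};
  if (SUPPRESS_MARKER in attrs) return true;
  return String(attrs.class || '').split(/\s+/).includes(SUPPRESS_MARKER);
}

// Elements a visitor can type into: standard controls plus the non-standard cases
// that Hotjar's default input masking may not catch.
function isTextEntry(el) {
  const tag = el.tag.toLowerCase();
  const attrs = el.attrs || {};
  if (STANDARD_CONTROLS.has(tag)) return true;
  if ('contenteditable' in attrs && attrs.contenteditable !== 'false') return true;
  return attrs.role === 'textbox';
}

// Short human-readable label for a finding, e.g. "div#cardholder" or "input[name=email]".
function describe(el) {
  const attrs = el.attrs || {};
  let label = el.tag.toLowerCase();
  if (attrs.id) label += `#${attrs.id}`;
  else if (attrs.name) label += `[name=${attrs.name}]`;
  return label;
}

// Depth-first walk. `inherited` is true once any ancestor carried the marker.
// options.requireExplicit = true also flags standard controls that rely on the default masking.
function findUnsuppressedFields(el, options = {}, inherited = false, path = [], out = []) {
  const covered = inherited || hasSuppressMarker(el);
  const here = [...path, describe(el)];
  const mustBeExplicit = options.requireExplicit === true || !STANDARD_CONTROLS.has(el.tag.toLowerCase());
  if (isTextEntry(el) && !covered && mustBeExplicit) {
    out.push({ element: describe(el), path: here.join(' > ') });
  }
  for (const child of el.children || []) {
    findUnsuppressedFields(child, options, covered, here, out);
  }
  return out;
}

function auditSuppression(root, options = {}) {
  return findUnsuppressedFields(root, options);
}

// Constructed sample: a checkout form mixing a standard input, a suppressed wrapper
// around a contenteditable card-number widget, and two unsuppressed custom fields.
const CHECKOUT_PAGE = {
  tag: 'form', attrs: { id: 'checkout' }, children: [
    { tag: 'input', attrs: { name: 'email', type: 'email' } },
    { tag: 'div', attrs: { class: 'card-wrapper data-hj-suppress' }, children: [
      { tag: 'div', attrs: { id: 'card-number', contenteditable: 'true' } },
    ] },
    { tag: 'div', attrs: { id: 'cardholder', role: 'textbox' } },
    { tag: 'span', attrs: { id: 'notes', contenteditable: 'true' } },
  ],
};

console.log('non-standard fields without suppression:', auditSuppression(CHECKOUT_PAGE));
console.log('strict mode (all fields):', auditSuppression(CHECKOUT_PAGE, { requireExplicit: true }));
```

Run the strict mode on checkout, registration and any health or identity page, where the text above says default masking should not be relied on; the path in each finding tells you which wrapper element to mark so that one marker covers the whole widget.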
Hotjar v3+ introduced a cookieless tracking mode in which no persistent cookies are set in the visitor's browser. In this mode, Hotjar collects only aggregated, non-identifiable session data; it cannot link multiple visits to the same individual. This significantly reduces privacy risk and may allow use under legitimate interest (Art. 6(1)(f) GDPR) rather than consent, depending on the specific processing and applicable DPA guidance. Note that session recordings are still available in cookieless mode, but without cross-session user identification.
Google Analytics and Hotjar serve complementary but different purposes. Google Analytics focuses on quantitative metrics: how many visitors, from where, which pages, conversion rates. It transfers data to Google servers in the United States and requires consent. Hotjar focuses on qualitative behaviour: why visitors behave as they do, visualised through heatmaps and session recordings. Hotjar stores EU data in the EU, has no advertising use, and acts purely as a processor. Many teams use both tools together: Google Analytics for traffic reporting, Hotjar for UX optimisation.