PostHog is an open source product analytics, session replay and feature flag platform. European customers can pick the EU Cloud (Frankfurt) or self host to keep data inside the EU.
PostHog is an open source product analytics and experimentation platform operated by PostHog Inc. with headquarters in San Francisco. It combines event tracking, session replay, feature flags, surveys and experiments in a single tool. European publishers can pick EU Cloud (AWS Frankfurt) or self host to keep data inside the EU.
PostHog sets first party cookies ph_phc_*_posthog that identify the user across sessions, plus a distinct identifier (distinct_id). Session replay captures DOM mutations and user interactions, including text in form fields unless masked.
Product analytics and session replay are usually treated as non essential by the CNIL, the German DPAs and the AEPD: consent is required before activation. Anonymous, server side measurement with no persistent identifier can fall under legitimate interest in narrow cases.
You must obtain prior, free, specific and informed consent for tracking, session replay and feature flag personalisation. Use the opt_out_capturing_by_default option and call posthog.opt_in_capturing() only after consent is granted.
The default US Cloud transfers data to the United States. EU Cloud keeps data in AWS Frankfurt. PostHog Inc. signs SCCs and a DPA. Run a transfer impact assessment if you select US Cloud, or switch to EU Cloud or self hosting to avoid it.
Choose EU Cloud or self host, mask sensitive elements in session replay, disable autocapture for forms with personal data, gate tracking behind a CMP, document the DPA and SCCs, and run a DPIA for session replay.
Websites using PostHog must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because PostHog can record session replays and link them to user identifiers. Mask sensitive fields, restrict replays to authenticated areas and choose the EU Cloud to limit transfers.
Sample consent text
Our website uses PostHog, a product analytics platform that may record your interactions and session replays. PostHog Inc. is established in the United States. Choose EU Cloud or activate analytics only with your prior consent to remain GDPR compliant.
Third-party domains contacted
us.i.posthog.com, app.posthog.com, eu.i.posthog.com, eu.posthog.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ph_<project_id>_posthog | first-party | 1 year | Stores the pseudonymous distinct_id, session id and feature flag overrides used by the PostHog SDK to stitch events together. |
| ph_{token}_posthog | first-party | 12 months | Stores the visitor distinct_id and feature flag values for product analytics and personalisation. |
PostHog sets a first party cookie named ph_<project_id>_posthog with a pseudonymous distinct_id used to stitch events together. It can also use localStorage and sessionStorage to keep configuration and the replay buffer. No third party cookie is set by default.
PostHog sets a first party cookie ph_<your_project_token>_posthog that stores the distinct_id and feature flag values. Without cookies, the SDK can also use localStorage.
Yes, in the default configuration. The PostHog SDK stores and reads identifiers on the visitor terminal and processes IPs and behavioural data, which triggers article 5(3) of the ePrivacy Directive and article 6(1)(a) GDPR. Use PostHog opt out APIs to delay loading until the user accepts your analytics consent.
Yes for product analytics, session replay and personalised feature flags. Anonymous, server side measurement with no persistent identifier may rely on legitimate interest in narrow cases.
The standard legal basis is article 6(1)(a) GDPR (consent). Legitimate interest under article 6(1)(f) GDPR can be considered only when the SDK is configured for minimal anonymous event counting, with IPs masked, no replay and no fingerprinting, and after a documented balancing test.
Consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. Legitimate interest can apply only for strictly anonymous analytics without persistent identifiers.
PostHog Cloud US is hosted in the United States, so the answer is yes for that region. PostHog Cloud EU is hosted on AWS in Frankfurt, with no systematic US transfer. Self hosted PostHog stays within the operator infrastructure; pick the EU region or self host to keep data inside the EEA.
Yes by default on US Cloud. EU Cloud (Frankfurt) keeps data in the EU. Self hosting in the EU removes the transfer entirely.
A DPIA is recommended when session replay or heatmaps are enabled, when PostHog Cloud US is selected for EU users, when PostHog tracks sensitive verticals such as health and finance, or when used for large scale behavioural profiling. Plain anonymous event counting on PostHog Cloud EU is usually below the DPIA threshold.
Recommended, especially for session replay and personalised feature flags that can profile users.
Pick PostHog Cloud EU or self host, sign the PostHog DPA, integrate the SDK behind your CMP, mask sensitive elements in session replay, set a short retention, route the SDK through a reverse proxy on your domain to limit cross site cookies and document everything in the record of processing.
Pick EU Cloud, set opt_out_capturing_by_default, gate posthog.opt_in_capturing() behind your CMP, mask sensitive fields in replay and sign the DPA.
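The consent gating described here and in the earlier opt_out_capturing_by_default paragraph, as an added example that is not PostHog's or this page's own code. The consent object shape ({ analytics, replay }), the function names and the project token are assumptions; the posthog object is passed in so the gate can be wired to whichever CMP callback you use.

```javascript
// Added example. Init options that keep the SDK silent until consent is recorded.
const POSTHOG_CONFIG = {
  api_host: 'https://eu.i.posthog.com',  // EU Cloud host listed on this page
  opt_out_capturing_by_default: true,    // no events until opt_in_capturing()
  disable_session_recording: true,       // replay starts only on explicit consent
  autocapture: false,                    // re-enable only where no personal-data forms exist
  session_recording: { maskAllInputs: true }, // mask form field text in replays
};

// Assumed CMP payload: { analytics: boolean, replay: boolean }.
// Anything that is not strictly `true` counts as refusal (fail closed),
// and replay consent is ignored unless analytics consent is also given.
function normaliseConsent(consent) {
  const c = consent && typeof consent === 'object' ? consent : {};
  const analytics = c.analytics === true;
  return { analytics, replay: analytics && c.replay === true };
}

// Initialises PostHog opted out, then returns a function to call on every
// consent change, including withdrawal.
function createConsentGate(posthog, projectToken) {
  posthog.init(projectToken, POSTHOG_CONFIG);
  return function applyConsent(consent) {
    const { analytics, replay } = normaliseConsent(consent);
    if (!analytics) {
      posthog.stopSessionRecording();
      posthog.opt_out_capturing();
      return 'opted_out';
    }
    posthog.opt_in_capturing();
    if (replay) {
      posthog.startSessionRecording();
      return 'analytics_and_replay';
    }
    posthog.stopSessionRecording();
    return 'analytics_only';
  };
}
```

In the browser, pass window.posthog and your project token to createConsentGate, then call the returned function from your CMP's consent-change callback.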
Matomo, Plausible, Fathom, Mixpanel, Amplitude, Heap, Snowplow. EU based options simplify compliance.
Comparable analytics and product analytics tools include Plausible, Matomo, Pirsch, Snowplow, Amplitude, Mixpanel, Heap and Statsig. EU based or self hosted options (Matomo, Plausible, Pirsch, Snowplow Self Hosted, PostHog Self Hosted) are best for an EU centric audience.
List the PostHog cookie name, the pseudonymous identifier, the retention and the purpose. State whether you use PostHog Cloud US, Cloud EU or self hosted, the transfer mechanism if applicable, and whether session replay is enabled. Link to the PostHog privacy notice and to your CMP preference centre.
Document the ph_*_posthog cookie, its purpose and duration, plus localStorage usage if active.