Heap Analytics and Data Protection – What Belongs in the Privacy Policy
Heap Analytics privacy check: processed data, GDPR legal bases, DPA and mandatory disclosures for the privacy policy.
Heap Analytics and Data Protection – Mandatory Disclosures for the Privacy Policy
Heap Analytics is a product analytics tool that uses autocapture to automatically record all user interactions on a website – from clicks to form entries to page views. Website operators that use Heap must transparently disclose this data processing in their privacy policy and provide specific information on data flows, retention periods and legal bases in order to act in compliance with the GDPR.
A. Purpose and Function of Heap Analytics
Heap Analytics is a cloud-based product analytics tool that automatically tracks user behavior. Unlike many competitors, Heap works with the so-called autocapture approach: a JavaScript snippet is embedded in the website which, from the start and without further manual configuration, records all user interactions. The system automatically records which elements are clicked, in which forms data is entered, which pages are visited and how long users spend on certain pages.
What is special about autocapture: Heap initially stores all raw data in the background without website operators having defined events in advance. This enables retrospective analyses – even events defined later can draw on historical data. This continuous, configuration-free data collection is a central feature of Heap Analytics and distinguishes it from event-driven tracking systems.
B. Mandatory Disclosures in the Privacy Policy
The GDPR (General Data Protection Regulation) obliges website operators to provide transparent privacy policies. According to Article 13(1) and (2) GDPR, the following information must be documented:
- Purpose of the processing (Art. 13(1)(c) GDPR): What is the data collected for? With Heap typically: product improvement, user behavior analysis, conversion measurement.
- Legal basis of the processing (Art. 13(1)(c) GDPR): Which authorization basis does the processing rely on? Most often consent (Art. 6(1)(a) GDPR) or legitimate interests (Art. 6(1)(f) GDPR).
- Legitimate interests (Art. 13(1)(d) GDPR): If Art. 6(1)(f) is invoked, the specific legitimate interests must be described.
- Recipients of the data (Art. 13(1)(e) GDPR): Who has access to the data? This includes Heap Inc., possibly sub-processors and other third parties.
- Third-country transfer (Art. 13(1)(f) GDPR): Is data transferred to countries outside the EU/EEA? Heap stores on US servers – transfer mechanisms (Data Privacy Framework, Standard Contractual Clauses) must be mentioned here.
- Retention period (Art. 13(2)(a) GDPR): How long is the data stored? Heap erases data depending on the chosen plan (free model: 6 months; paid plans: typically 12 months).
Note on data protection approach: Many privacy policies use the approach of writing a separate, detailed text block for each individual tool. This leads to opaque, very long privacy policies and thus contradicts the transparency requirement of the GDPR (Art. 12 GDPR – "clear and intelligible"). A topic-oriented approach with a central recipient list is more legally compliant: a "Tracking and product analytics" section summarizes all tools in this category, supplemented by a table with provider, purpose, retention period and links.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider
Heap Inc. is the provider and operator of Heap Analytics. The company is domiciled in the USA.
Address (headquarters):
Heap Inc.
225 Bush Street, Floor 2
San Francisco, California 94104
United States of America
Data Privacy Framework (DPF):
Heap Inc., together with its affiliates Content Square, Inc. and Clicktale Inc., has self-certified under the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. Data Privacy Framework. This certification ensures adequate data protection levels for transfers from the EU, the UK and Switzerland to the USA. (As of: 2026 – website operators should verify the status at https://www.dataprivacyframework.gov/s/participant-search.)
Standard Contractual Clauses (SCC):
Heap has signed the necessary Standard Contractual Clauses to make data transfers to third countries lawful, in case the DPF certification should not suffice.
Privacy Policy:
Heap's privacy policy can be viewed at https://www.heap.io/privacy and governs how Heap processes the data of visitors to customer websites. (Website operators should review this policy regularly to stay current.)
Data Processing Agreement (DPA):
Heap provides a pre-signed data processing agreement that implements the GDPR requirements for processing. The DPA incorporates the Standard Contractual Clauses and is a prerequisite for GDPR-compliant use of Heap.
D. Data Processing – Process
Collection of data: Heap's JavaScript snippet is inserted into the <head> or <body> area of the website. From this moment on, Heap automatically records all user interactions – page views, clicks, form entries, scroll movements – in the visitor's browser.
Storage on US servers: The collected data is transmitted to Heap servers in the USA and stored there. This is a third-country transfer carried out under the Data Privacy Framework and/or Standard Contractual Clauses.
Retention period: Heap erases the raw data after the retention period specified in the plan. Free model: 6 months; paid plans: usually 12 months.
Processing and analysis: Website operators can view the collected data in the Heap dashboard, create reports and perform analyses (e.g. funnel analyses, session replay, user segmentation).
Sub-processors and sharing: Heap may share the data with sub-processors, e.g. for hosting, support or analytics. These must be listed in the DPA.
Erasure: After the retention period has expired, the data is automatically erased. In addition, website operators can submit explicit erasure requests via the User Deletion API or in-app tools.
E. Data Collected
Through the autocapture system, Heap collects a broad spectrum of data about users and their behavior:
Web server log data:
- IP address: Is collected (according to newer Heap settings, by default not linked together with other identifiers)
- Timestamp: Date and time of every interaction
Interaction data:
- Click paths: Which elements (links, buttons, images) were clicked?
- Visited pages: Which URLs were accessed? (including referrer, i.e. from which page did the user come?)
- Scroll movements: How far does the user scroll down a page?
- Form entries: Which fields were filled in? (Note: observe PII scrubbing)
- Mouse movements: Approximate cursor positions
- Dwell time: How long does the user dwell on a page or in an element?
End-device and browser data:
- Device type: Desktop, tablet, smartphone
- Operating system: Windows, macOS, iOS, Android, etc.
- Browser: Chrome, Firefox, Safari, Edge, version info
- Screen resolution: Viewport size
Location data:
- Coarse location information: Derived from the IP address (typically city/region, not exact)
User profiles and session data:
- Session ID: Unique identifier per browser session
- User ID: Depending on the Heap configuration; if set manually (via Identify API), this can be customer user IDs, email addresses or other identifiers
- Session duration: How long was the user active? (Heap defines sessions with a 30-minute inactivity threshold)
Conversion and event data:
- Defined events: Website operators can set up their own events (e.g. "Purchase completed", "Newsletter signed up")
- Retroactive events: Heap can also apply historically defined events to old data
Technical telemetry data:
- Performance metrics: Loading and execution times of Heap itself
- Error reports: JavaScript errors that occur during user interaction
Caution – sensitive data in forms:
Through automatic capture, sensitive data may also be unintentionally collected – such as passwords, credit card numbers or medical data, if these are entered in open text fields. Website operators must therefore use PII scrubbing functions (see section H) to mask such data before it is stored by Heap.
F. Purposes of Use
Heap processes this data for various purposes:
- General product improvement and UX optimization: Heap uses aggregated data to optimize the user-friendliness of customer websites (e.g. through funnel analyses, heatmaps, session replays).
- General marketing and campaign measurement: Website operators can use Heap data for campaign evaluation and general marketing analytics.
- User profile creation and segmentation: Heap creates user profiles based on the recorded behavior in order to perform user segmentation (e.g. "frequent visitors", "drop-offs in funnel X").
- User-individual product improvement and personalization: Individual user experiences can be personalized (e.g. different website versions for different user groups).
- User-individual marketing and remarketing: Based on the Heap data, targeted advertising campaigns can be carried out (e.g. retargeting for users who abandoned a particular funnel).
These purposes are typically not necessary for the provision of the Heap software itself, but are added depending on the configuration and business logic of the website operator.
G. Legal Bases
Heap Analytics falls into the category of tracking and statistics tools. The legal bases for use are:
1. Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG):
This is the most common legal basis for tracking tools. In Germany, the Telecommunications Telemedia Data Protection Act (TDDDG, formerly ePrivacy Directive) explicitly stipulates that prior active consent is required before non-essential cookies and similar tracking technologies (such as JavaScript snippets) are set. Consent must:
- Be obtained in advance (before tracking)
- Be granular (separate consent for analytics, marketing, etc., not blanket)
- Be withdrawable at any time
This is typically done via a cookie consent banner in which users must explicitly accept Heap Analytics.
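The three consent requirements above (prior, granular, withdrawable) translate directly into the logic that decides whether the Heap snippet may run at all. The following is an added example, not Heap's code or the article's own; it assumes a consent record written by the cookie banner in the shape `{ timestamp, categories: { analytics: true }, withdrawnAt? }` and three caller-supplied hooks (`loadSnippet`, `stopRecording`, `resumeRecording`) that wrap whatever Heap's current install snippet and opt-out mechanism provide. Those names and the record shape are assumptions, not part of Heap's API.

```javascript
// Consent-gated activation of the Heap snippet (added example; record shape and
// hook names are assumptions, not Heap's API).

const ANALYTICS_CATEGORY = "analytics";

// True only for an explicit, prior, category-specific and unrevoked consent.
// A missing record, a record without a timestamp (no recorded act of consent),
// a blanket flag without the analytics category, or a withdrawn record all
// yield false, so the default is "do not track".
function analyticsConsentGranted(consent) {
  if (!consent || typeof consent !== "object") return false;
  if (typeof consent.timestamp !== "string" || consent.timestamp === "") return false;
  if (consent.withdrawnAt) return false;
  const categories = consent.categories;
  if (!categories || typeof categories !== "object") return false;
  return categories[ANALYTICS_CATEGORY] === true;
}

// Small state machine around the snippet: it is injected at most once and only
// after consent; a later withdrawal stops recording; a renewed consent resumes
// it. apply() returns the action taken so the caller can log it.
function createHeapGate({ loadSnippet, stopRecording, resumeRecording }) {
  let state = "not-loaded"; // not-loaded -> recording <-> stopped
  return {
    apply(consent) {
      if (analyticsConsentGranted(consent)) {
        if (state === "not-loaded") { loadSnippet(); state = "recording"; return "loaded"; }
        if (state === "stopped") { resumeRecording(); state = "recording"; return "resumed"; }
        return "already-recording";
      }
      if (state === "recording") { stopRecording(); state = "stopped"; return "stopped"; }
      return state === "not-loaded" ? "skipped" : "already-stopped";
    },
    state() { return state; },
  };
}

// Constructed walk-through of one visitor: no record, a marketing-only record,
// a record without timestamp, an analytics consent (twice), a withdrawal and a
// renewed consent. Returns the actions and hook calls for inspection.
function exampleRun() {
  const hookCalls = [];
  const gate = createHeapGate({
    loadSnippet: () => hookCalls.push("load"),
    stopRecording: () => hookCalls.push("stop"),
    resumeRecording: () => hookCalls.push("resume"),
  });
  const granted = { timestamp: "2026-04-01T10:00:00Z", categories: { analytics: true, marketing: false } };
  const records = [
    null,
    { timestamp: "2026-04-01T10:00:00Z", categories: { marketing: true } },
    { categories: { analytics: true } },
    granted,
    granted,
    { ...granted, withdrawnAt: "2026-04-02T09:00:00Z" },
    granted,
  ];
  const actions = records.map((record) => gate.apply(record));
  return { actions, hookCalls };
}
```

The gate is called once on page load with the stored record and again whenever the banner changes it; because nothing is injected until `apply` sees a granted record, no data leaves the browser before consent, which is the TDDDG point rather than a mere UI nicety.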
2. Legitimate interests (Art. 6(1)(f) GDPR – with restrictions):
In rare cases, website operators can argue that a balancing of interests under Art. 6(1)(f) GDPR legitimizes the processing. This requires:
- A clear documentation of the legitimate interests (e.g. business optimization, security)
- These interests must override the interests of the users
- An explicit balancing of interests in the data protection document
This legal basis is rarely sufficient in practice for Heap, especially in the EU, where there is a tendency towards stricter interpretation.
Conclusion: Most website operators will rely on consent (Art. 6(1)(a)). In addition, the consent mechanisms (cookie banners) must be designed to comply with the TDDDG.
H. Special Features and Notes
Automatic capture of sensitive data: Heap automatically records all user interactions, including form entries. If sensitive data such as passwords, credit card numbers or personal identification numbers is entered in open text fields, this can be unintentionally collected. This is problematic from a data protection perspective.
PII scrubbing and data masking:
Heap offers several tools to protect sensitive data:
- Target Text Autocapture Toggle: Can be deactivated via account settings to prevent visible text from elements being captured.
- data-heap-redact-text: Attribute for HTML elements that instructs Heap to mask certain text content before storage (displayed as ****).
- data-heap-redact-attributes: Attribute for masking HTML attributes (e.g. value attributes of input fields).
Website operators should use these functions consistently, in particular for password fields, credit card entries and other sensitive form areas.
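Consistent use of these attributes is easy to lose as forms change, so a pre-deployment check is worth more than a one-time review. The following audit is an added example, not Heap's tooling or the article's own code: it scans page markup for form controls that look sensitive (password type, payment autocomplete tokens, or a suspicious field name) and reports those that carry no `data-heap-redact-attributes` attribute. The sensitivity heuristics, the constructed sample form and the `data-heap-redact-attributes="value"` syntax used in it are assumptions; the exact attribute syntax Heap expects should be checked against Heap's current documentation.

```javascript
// Pre-deployment audit of form controls for Heap redaction attributes
// (added example; heuristics and sample markup are constructed).

// Field names that usually carry data which must never reach Heap in clear.
const SENSITIVE_NAME = /(pass(word)?|pwd|card|cvv|cvc|iban|ssn|health)/i;
// HTML autocomplete tokens for payment and credential fields.
const SENSITIVE_AUTOCOMPLETE = /^(cc-|current-password|new-password|one-time-code)/i;
const REDACT_ATTR = "data-heap-redact-attributes";

// Minimal attribute parser for a single start tag (no nesting needed here).
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns why a control counts as sensitive, or null if it does not.
function sensitiveReason(attrs) {
  if ((attrs.type || "").toLowerCase() === "password") return "type=password";
  if (SENSITIVE_AUTOCOMPLETE.test(attrs.autocomplete || "")) return "autocomplete=" + attrs.autocomplete;
  const label = attrs.name || attrs.id || "";
  if (SENSITIVE_NAME.test(label)) return "name matches sensitive pattern";
  return null;
}

// Scans input, textarea and select start tags; each sensitive control without
// the redaction attribute becomes one finding.
function auditRedaction(html) {
  const findings = [];
  const tagRe = /<(input|textarea|select)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const reason = sensitiveReason(attrs);
    if (reason === null) continue;
    if (REDACT_ATTR in attrs) continue; // already masked before storage
    findings.push({ field: attrs.name || attrs.id || "(unnamed)", reason, tag: m[0] });
  }
  return findings;
}

// Constructed checkout form: one card field is already redacted, the password,
// CVV and free-text health field are not.
const SAMPLE_FORM = `
<form id="checkout">
  <input type="text" name="email" autocomplete="email">
  <input type="password" name="password">
  <input type="text" name="cardNumber" autocomplete="cc-number" data-heap-redact-attributes="value">
  <input type="text" name="cvv" autocomplete="cc-csc">
  <textarea name="healthNotes"></textarea>
</form>`;

for (const f of auditRedaction(SAMPLE_FORM)) {
  console.log(`missing ${REDACT_ATTR} on "${f.field}" (${f.reason}): ${f.tag}`);
}
```

Running this over the templates in CI, or over the rendered DOM in a browser test, catches a new unprotected field before it ships; the Target Text Autocapture toggle from the account settings still applies on top, since it covers visible element text rather than attribute values.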
Opt-out options:
- Heap allows users to opt out of data collection, typically via a consent banner or Heap-specific opt-out mechanisms.
- For CCPA compliance: users can refuse consent to "sale or sharing" of data in banners (CCPA requirement).
Third-country transfer and legal mechanisms:
- Data Privacy Framework (DPF): Heap has certified itself and uses this as the primary transfer mechanism.
- Standard Contractual Clauses (SCC): Function as a fallback and are anchored in the DPA.
- Data Processing Agreement (DPA): Website operators must have signed a DPA with Heap. Heap provides a pre-signed DPA that covers all GDPR requirements.
Data responsibility:
- Website operator = controller
- Heap Inc. = processor
Website operators are primarily responsible for the lawfulness of the processing, must provide privacy notices and can be held accountable for violations.
Identity tracking and user IDs:
- Heap can assign manual IDs to users via the Identify API (e.g. customer numbers, email addresses). This enables user tracking across multiple sessions.
- Website operators must ensure that no sensitive data (passwords, credit card numbers) is sent to Heap via the Identify API.
ISO certifications:
Heap is ISO 27001, 27701, 27017 and 27018 certified, which covers information security, data protection and cloud security.
J. Conclusion
Heap Analytics is a powerful but data-protection-intensive tool. The autocapture principle yields comprehensive user behavior data, but also entails significant transparency and security requirements. Website operators must:
- Ensure a lawful legal basis: Typically via consent (Art. 6(1)(a)) with a TDDDG-compliant consent banner.
- Provide a complete and intelligible privacy policy: Not via isolated tool blocks, but via a topic-oriented approach with a central recipient list.
- Sign a Data Processing Agreement (DPA): Heap provides a pre-signed DPA that meets GDPR requirements.
- Protect sensitive data: Actively use PII scrubbing functions to prevent unintentional collection of passwords, credit card data or similar.
- Document third-country transfer: Data goes to the USA; the Data Privacy Framework or Standard Contractual Clauses must be appropriately documented.
A data-protection-compliant privacy policy concept replaces the classic "text block per tool" method with logical grouping by processing purposes (statistics, marketing, security, etc.) and an overview table. This creates clarity for users, avoids redundancy and better fulfills the GDPR transparency requirement.
Disclaimer: This information represents a general orientation and is not legal advice. Data protection compliance must be verified on a case-by-case basis. Information is based on publicly available information from Heap Inc. and should be verified against the current Heap Privacy Policy (https://www.heap.io/privacy) and the applicable DPA. As of: April 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com