GDPR Knowledge

Hotjar and Data Protection – What Belongs in the Privacy Policy

Compact guide to Hotjar: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Hotjar and Data Protection – What Website Operators Need to Know

If a website operator uses Hotjar, it processes usage data (click paths, scroll movements, session recordings, heatmaps) for the purpose of website optimization and user behavior recognition on the basis of consent (Art. 6(1)(a) GDPR). Hotjar stores this data on servers in the European Union (Ireland) and acts as a processor. This guide explains what information belongs in the privacy policy and what particularities to consider with Hotjar.

A. Purpose and Function of Hotjar

Hotjar is a web analytics and feedback tool that helps website operators understand user behavior. The tool is embedded directly into the HTML source code of the website via a JavaScript snippet (the Hotjar tracking code), which loads the actual Hotjar script from Hotjar's servers. Hotjar provides the following functionalities:

  • Heatmaps: Visualization of where users click, scroll and move
  • Session recordings: Recording of user sessions (optional, with restrictions for sensitive data)
  • Surveys and feedback tools: Direct communication with users
  • Form analysis: Recording of form interactions

Data storage is carried out on Amazon Web Services infrastructure in Ireland (EU data center). Tracking may only be activated after the user has expressly consented to the use of Hotjar; the snippet does not wait for consent by itself, so the website operator must gate its loading behind the consent tool (consent requirement).

B. Mandatory Disclosures in the Privacy Policy regarding Hotjar

Under the GDPR, a website operator must transparently disclose in its privacy policy what data it processes, for which purposes (Art. 13(1)(c) GDPR) and on which legal basis (Art. 13(1)(d) GDPR). The following information is required for Hotjar:

  • Purposes: Analysis of user behavior, improvement of website functionality and user experience, detection of usability problems
  • Legal basis: Consent (Art. 6(1)(a) in conjunction with § 25(1) TDDDG), as Hotjar is not necessary for the provision of a core function of the website
  • Recipients/categories: Hotjar Limited (Malta), if applicable sub-processors
  • Third-country transfers: Not by Hotjar itself, as storage is in the EU (Ireland); the current sub-processor list should nevertheless be checked, since Hotjar relies on Standard Contractual Clauses for some sub-processors
  • Retention period: According to Hotjar: 365 days (default), configurable
  • Data categories: See section E (end-device data, click paths, interaction data, etc.)

Important note: Tool-specific text blocks that follow the Hotjar documentation word for word often run counter to Art. 12(1) GDPR (clear and intelligible language). A topic-oriented approach (e.g. "Analytics tools") is more privacy-friendly and clearer for users. The matterius generator helps you to create such integrated formulations.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Hotjar: Hotjar Limited

Legal name: Hotjar Limited
Address: 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta
Country of registered office: Malta (European Union)
DPF status: Not required (EU company, not US-based)
Privacy policy: https://www.hotjar.com/legal/policies/privacy/de/
DPA: Data Processing Agreement available at https://www.hotjar.com/de/legal/support/dpa/ – has been updated under German and Maltese law
Opt-out: https://www.hotjar.com/legal/compliance/opt-out

For data protection questions, Hotjar can be contacted at legal@hotjar.com.

D. Data Processing by Hotjar – Process

Collection

The Hotjar snippet runs as soon as the page loads. If it is embedded unconditionally, the browser immediately requests the Hotjar script from Hotjar's servers and thereby transmits the visitor's IP address and request metadata before any consent exists. The website operator must therefore inject the snippet only after the user has consented (e.g. via the cookie banner or consent management platform); as long as no consent has been given, no request to Hotjar is made and no user data is collected. After consent, clicks, scroll movements, mouse pointer position, form interactions and device metadata are collected on every page view.
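The consent-gated loading described here (and required in sections A and F), as an added example that is not Hotjar's code and not the page author's: the installation part mirrors the standard Hotjar snippet pattern (an `hj` command queue, `_hjSettings` with site ID and snippet version, and an asynchronous script tag pointing at static.hotjar.com). Everything around it is an assumption: the consent interface (`hasConsent`/`onChange`) stands for whatever the site's consent management platform exposes, the site ID 1234567 is made up, and the window/document stand-ins exist only so the example runs outside a browser.

```javascript
// Consent-gated Hotjar loader. Added example, not Hotjar's or the page author's code.
// The install part mirrors the standard Hotjar snippet (hj command queue, _hjSettings,
// async <script> from static.hotjar.com); everything around it is an assumption.

const HOTJAR_SCRIPT_BASE = 'https://static.hotjar.com/c/hotjar-';
const HOTJAR_SNIPPET_VERSION = 6; // the "sv" parameter the standard snippet sends

// URL the standard snippet assembles: base + site id + ".js?sv=" + version.
function hotjarScriptUrl(siteId, version = HOTJAR_SNIPPET_VERSION) {
  if (!Number.isInteger(siteId) || siteId <= 0) {
    throw new TypeError('Hotjar site id must be a positive integer');
  }
  return `${HOTJAR_SCRIPT_BASE}${siteId}.js?sv=${version}`;
}

// Inject the snippet into win/doc. Returns true when injected, false when it was
// already present, so repeated calls never add a second script tag.
function installHotjar(win, doc, siteId, version = HOTJAR_SNIPPET_VERSION) {
  if (win._hjSettings) return false;
  win.hj = win.hj || function () { (win.hj.q = win.hj.q || []).push(arguments); };
  win._hjSettings = { hjid: siteId, hjsv: version };
  const script = doc.createElement('script');
  script.async = true;
  script.src = hotjarScriptUrl(siteId, version); // this request is what sends the IP address
  doc.getElementsByTagName('head')[0].appendChild(script);
  return true;
}

// Gate on the consent tool. `consent` is an assumed CMP interface:
// hasConsent(purpose) -> boolean, onChange(callback) -> void.
// Nothing touches the network until hasConsent('analytics') is true.
function loadHotjarWithConsent(win, doc, consent, siteId) {
  const tryLoad = () => (consent.hasConsent('analytics') ? installHotjar(win, doc, siteId) : false);
  if (tryLoad()) return true;
  consent.onChange(tryLoad); // the user may consent after first paint
  return false;
}

// --- constructed test doubles so the example runs in Node without a browser ---
function fakeBrowser() {
  const head = { children: [], appendChild(el) { head.children.push(el); } };
  const doc = {
    getElementsByTagName: (tag) => (tag === 'head' ? [head] : []),
    createElement: (tag) => ({ tagName: tag }),
  };
  return { win: {}, doc, head };
}

function fakeConsent(initialPurposes) {
  const granted = new Set(initialPurposes);
  const listeners = [];
  return {
    hasConsent: (p) => granted.has(p),
    onChange: (cb) => { listeners.push(cb); },
    grant(p) { granted.add(p); listeners.forEach((cb) => cb()); },
  };
}

// Walk-through: page loads without consent, the user accepts the banner later.
function demo() {
  const { win, doc, head } = fakeBrowser();
  const consent = fakeConsent([]);
  const loadedAtStart = loadHotjarWithConsent(win, doc, consent, 1234567); // false: no request made
  const tagsBeforeConsent = head.children.length;                          // 0
  consent.grant('analytics');                                              // banner accepted
  return {
    loadedAtStart,
    tagsBeforeConsent,
    tagsAfterConsent: head.children.length,                                // 1
    src: head.children[0] ? head.children[0].src : null,
    hjid: win._hjSettings ? win._hjSettings.hjid : null,
  };
}
```

In a real page, `loadHotjarWithConsent(window, document, cmp, SITE_ID)` replaces the unconditional snippet; the point to verify in the network tab is that no request to static.hotjar.com appears before the banner is accepted, and exactly one appears afterwards.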

Storage

The collected data is encrypted and stored on Amazon Web Services servers in Ireland (EU data center). Hotjar stores data by default for 365 days, after which automatic erasure occurs. Session recordings are stored separately from other metrics and can be limited to shorter retention periods through configuration.

Use

Hotjar uses the data to generate heatmaps, display session recordings, aggregate survey results and create trend reports. The platform allows the website operator to view specific sessions, build user segments and conduct A/B tests. Hotjar can also perform automatic analyses to detect bottlenecks.

Sharing

Hotjar shares data with sub-processors that are necessary for the provision of the service (e.g. cloud providers, analytics services). Hotjar has agreed Data Processing Agreements and, if applicable, Standard Contractual Clauses with all sub-processors. A current list of sub-processors can be viewed on the Hotjar website.

Erasure

After the configured retention period (default: 365 days) has expired, the data is automatically erased by the system. Users can opt out via Hotjar's opt-out page and thus prevent future data from being collected. The website operator can also manually erase individual data or entire sessions.

E. Data Collected when Using Hotjar

Hotjar collects various categories of usage data to draw a complete picture of user behavior. Below, the processed data is classified using the standardized data type categories of the Standard Data Protection Model (SDM) of the German supervisory authorities:

  • Web server log data: IP address, date/time/time zone, URL, referrer, browser/OS/device, technical metadata
  • Click paths: Visited pages incl. referrer, clicked links/buttons with date/time
  • End-device data: Device type, operating system, screen resolution/size, orientation, touch support
  • Browser information: Browser name and version
  • Interaction data: Scroll movements, mouse movements, keystrokes (the content typed into form fields is suppressed by default), mouse pointer position, touch movements, clicks
  • Technical telemetry data: Error messages, loading times, data volume

With session recordings, text entries, uploaded files and form contents may also be recorded. Hotjar suppresses keystrokes in form fields by default and provides masking functions with which the operator marks further sensitive elements (e.g. fields holding passwords or credit card data) so that their content is redacted client-side. Configuring this masking correctly remains the operator's responsibility.

F. Purposes of Use when Using Hotjar

Hotjar processes data for several purposes that should be clearly stated by the website operator in the privacy policy. This data can be classified into the following purpose categories:

  • Functional provision: Error detection/resolution, performance monitoring, display of analytics dashboards
  • General product improvement: Optimization based on frequently accessed content, identification of usability problems
  • User profile creation: Determination of user segments (e.g. "drop-offs", "power users"), behavior clusters
  • User-individual product improvement: A/B tests, heatmap analysis, personalized optimization of page elements
  • Communication: Feedback forms, surveys, direct questions to users

The legal basis for the use of Hotjar is generally consent (Art. 6(1)(a) GDPR), as Hotjar is not necessary for the provision of a core function of the website. In addition, § 25(1) TDDDG (the German Telecommunications Digital Services Data Protection Act) requires consent before information is stored on or read from the user's end device, so consent must be obtained before the Hotjar snippet is activated.

A topic-specific point to examine: could a legitimate interest exist (Art. 6(1)(f) GDPR), e.g. if website optimization represents a genuine business interest and consent is refused? This has to be examined case by case, and the balance between user interests and company interests is often not unambiguous. Note, however, that § 25(1) TDDDG applies independently of the Art. 6 balancing: storing or reading information on the end device requires consent unless it is strictly necessary for the service the user requested (§ 25(2) no. 2 TDDDG), which analytics is not. A legitimate-interest basis therefore cannot replace consent for activating the snippet; consent is the safer way and is the route provided for by law.

H. Special Features and Notes regarding Hotjar

  • Opt-out: Users can opt out of Hotjar tracking at https://www.hotjar.com/legal/compliance/opt-out. This information should be linked in the privacy policy.
  • Session recordings and sensitivity: Recordings can capture the content of forms and free-text fields and thereby personal data of heightened sensitivity. Recommendation: explicitly mask sensitive data (see section E) and disclose session recordings in the privacy policy.
  • Standard Contractual Clauses: Although Hotjar is based in the EU, the company has agreed Standard Contractual Clauses for sub-processors.
  • DPA available: The Data Processing Agreement is available at https://www.hotjar.com/de/legal/support/dpa/ and should be concluded before go-live.
  • Configuration: The website operator should review and document the retention period, masking rules and the list of collected data in the Hotjar settings.
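The masking recommended in section E and in the notes above, as an added example that is neither Hotjar's code nor the page author's: a defensive pass that runs before the Hotjar snippet and marks sensitive form elements. The Hotjar facts it relies on are that the content of any element carrying the `data-hj-suppress` attribute is hidden from recordings, that keystrokes in form fields are suppressed by default, and that `data-hj-allow` is the attribute operators add to record a field's content anyway. The sensitivity heuristics (field-name pattern, autocomplete tokens), the sample form and the element stand-ins are assumptions a site would replace with its own.

```javascript
// Defensive masking pass for Hotjar session recordings.
// Added example, not Hotjar's own code. Facts relied on: Hotjar hides the content
// of any element carrying data-hj-suppress, suppresses keystrokes in form fields
// by default, and records them only where the operator added data-hj-allow.
// The sensitivity heuristics below are assumptions a site would tune to its forms.

const SENSITIVE_NAME = /pass|pwd|iban|konto|account|card|kredit|cvv|cvc|ssn|steuer|tax|geburt|birth|gesundheit|health|diagnos/i;
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'cc-number', 'cc-csc', 'cc-exp',
  'cc-name', 'bday', 'email', 'tel', 'street-address',
]);

// Decide whether a field must never appear in a recording. Works on real DOM
// elements (tagName + getAttribute) and on the test doubles below.
function isSensitive(el) {
  const attr = (n) => (el.getAttribute(n) || '').toLowerCase();
  const tag = el.tagName.toUpperCase();
  if (tag === 'INPUT' && (attr('type') === 'password' || attr('type') === 'hidden')) return true;
  if (SENSITIVE_AUTOCOMPLETE.has(attr('autocomplete'))) return true;
  if (SENSITIVE_NAME.test(`${attr('name')} ${attr('id')}`)) return true;
  // Free-text areas are where users paste arbitrary personal data.
  if (tag === 'TEXTAREA' || attr('contenteditable') === 'true') return true;
  return false;
}

// Mark sensitive fields with data-hj-suppress and revoke any data-hj-allow an
// operator may have set on them. Must run before the Hotjar snippet is injected.
// Returns a report the operator can keep as part of the configuration record.
function applySuppression(elements) {
  const report = { suppressed: [], allowRevoked: [] };
  for (const el of elements) {
    if (!isSensitive(el)) continue;
    const label = `${el.tagName.toLowerCase()}[name=${el.getAttribute('name') || '?'}]`;
    el.setAttribute('data-hj-suppress', '');
    report.suppressed.push(label);
    if (el.hasAttribute('data-hj-allow')) {
      el.removeAttribute('data-hj-allow');
      report.allowRevoked.push(label);
    }
  }
  return report;
}

// In a browser:
// applySuppression(document.querySelectorAll('input, textarea, select, [contenteditable]'));

// --- constructed sample form (test doubles standing in for DOM elements) ---
function fakeElement(tagName, attrs) {
  const a = { ...attrs };
  return {
    tagName,
    getAttribute: (n) => (n in a ? a[n] : null),
    setAttribute: (n, v) => { a[n] = v; },
    hasAttribute: (n) => n in a,
    removeAttribute: (n) => { delete a[n]; },
  };
}

function sampleForm() {
  return [
    fakeElement('INPUT', { type: 'text', name: 'search' }),
    fakeElement('INPUT', { type: 'password', name: 'pw' }),
    fakeElement('INPUT', { type: 'text', name: 'iban', 'data-hj-allow': '' }), // allowlisted by mistake
    fakeElement('INPUT', { type: 'text', name: 'promo', autocomplete: 'cc-number' }),
    fakeElement('TEXTAREA', { name: 'message' }),
    fakeElement('SELECT', { name: 'country' }),
  ];
}
```

The report is what section H's "Configuration" note asks the operator to document: which fields are masked, and whether any `data-hj-allow` on a sensitive field was caught and removed.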

J. Conclusion and Recommendation regarding Hotjar

Hotjar is a popular analytics tool with EU data storage and good documentation. The following points are essential for GDPR-compliant use: (1) consent before activation, (2) transparent disclosure in the privacy policy, (3) signed Data Processing Agreement, (4) regular review of retention period and masking rules.

Problematic: Tool-specific text blocks that are copied exactly from the Hotjar documentation. They are often too technical, too long and not user-friendly (Art. 12(1) GDPR). Better is a topic-oriented approach that places Hotjar in the context of other analytics tools and uses clear, generally intelligible language. This information is based on provider information and publicly available sources (as of: 2026-04-22). Legal advice may be required on a case-by-case basis.

This article is intended for general information about Hotjar and does not replace legal advice in individual cases.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com