Disclaimer: Customers (“you,” or “your”) shall ensure compliance with applicable data privacy laws, regulations and rules. Heap is not responsible for ensuring our customers’ compliance with data privacy legislation while using Heap. However, Heap ensures compliance with any applicable data privacy laws when it collects and stores sensitive personal data.
We recommend consulting with independent legal counsel to determine if using Heap complies with your local governing laws.
As an analytics provider, Heap is committed to ensuring data privacy for our customers and their end-users. We’ve provided you with the following tools and resources to help you adhere to applicable data privacy legislation.
To ensure we don’t collect any special classes of personal information, it is the customer’s responsibility to not send any sensitive personal data into Heap. In the event that you do send sensitive personal data to us, let us know immediately by sending us an email at email@example.com and we will promptly delete the sensitive personal data from our servers.
We offer the following resources to help you achieve and maintain compliance with applicable data privacy regulations across web and mobile.
- The disableTextCapture API, which should be installed as part of the implementation process. This API will ensure we don’t capture any sensitive information that you might include in elements of your pages.
- Heap Redact will prevent any text, attribute, or page title that might be sensitive from being sent to Heap.
- The User Deletion API, which you can use to delete users and their personal data from your Heap account.
- A GDPR-compliant DPA (Data Processing Addendum), an agreement entered into between the data controller (you) and a data processor (Heap) which confirms that the data processor is complying with relevant requirements under the GDPR. We offer DPAs with Standard and Model Contract Clauses for our customers in the EU, which also cover data exports from the EU to the US. To request a copy of our DPA, contact firstname.lastname@example.org.
- We have appointed a designated Data Protection Officer (DPO). If you have any questions about GDPR or data privacy, please contact our DPO by sending an email to email@example.com.
In addition to the above, we recommend taking the following measures to ensure your compliance with applicable data privacy regulations:
- Selectively exclude the Heap tracking snippet on pages that contain sensitive information if you’d rather ensure specific views or URLs are absolutely not tracked or recorded.
- During implementation, ensure that you are not sending any sensitive personal data into Heap via the Identify API.
For more information relevant to how Heap ensures the security and privacy of your data, please review the following: