Disclaimer: Customers (“you,” or “your”) shall ensure compliance with applicable data privacy laws, regulations and rules. Heap is not responsible for ensuring our customers’ compliance with data privacy legislation while using Heap. However, Heap ensures compliance with any applicable data privacy laws when it collects and stores sensitive personal data.
We recommend consulting with an independent legal counsel to determine if using Heap complies with your local governing laws.
As an analytics provider, Heap is committed to ensuring data privacy for our customers and their end-users. We’ve provided you with the following tools and resources to help you adhere to applicable data privacy legislation.
To ensure we don’t collect any special classes of personal information, it is the customer’s responsibility to not send any sensitive personal data into Heap. In the event that you do send sensitive personal data to us, let us know immediately by sending us an email at firstname.lastname@example.org and we will promptly delete the sensitive personal data from our servers.
We offer the following resources to help you achieve and maintain compliance with applicable data privacy regulations across web and mobile.
- The Target Text Autocapture toggle will ensure we don’t capture any sensitive information that you might include in elements of your pages. This toggle can be turned on via Manage > Account > Privacy & Security. Note that this setting only applies to web traffic.
- Alternatively, you can implement the disableTextCapture API. Note that if you enable the toggle and implement the API, the most privacy-conscious setting will win.
- Heap Redact will prevent any text, attribute, or page title that might be sensitive from being sent to Heap.
- The User Deletion API, which you can use to delete users and their personal data from your Heap account. We also offer an in-app user data deletion request tool, and you can delete user data via Postman.
- A GDPR-compliant DPA (Data Processing Addendum), an agreement entered into between the data controller (you) and the data processor (Heap) which confirms that the data processor is complying with relevant requirements under the GDPR. We offer DPAs with Standard and Model Contract Clauses for our customers in the EU, which also cover data exports from the EU to the US. To request a copy of our DPA, contact email@example.com.
- We have appointed a designated Data Protection Officer (DPO). If you have any questions about GDPR or data privacy, please contact our DPO by sending an email to firstname.lastname@example.org.
In addition to the above, we recommend taking the following measures to ensure your compliance with applicable data privacy regulations:
- Selectively exclude the Heap tracking snippet on pages that contain sensitive information if you’d rather ensure specific views or URLs are absolutely not tracked or recorded.
- During implementation, ensure that you are not sending any sensitive personal data into Heap via the Identify API.
For more information relevant to how Heap ensures the security and privacy of your data, please review the following:
If you need to block the capture of IP addresses or geolocation, or have questions about any of the above, please reach out to email@example.com.