Disclaimer: Customers (“you,” or “your”) shall ensure compliance with applicable data privacy laws, regulations, and rules. Heap is not responsible for ensuring our customer’s compliance with data privacy legislation while using Heap. However, Heap ensures compliance with any applicable data privacy laws when it collects and stores sensitive personal data.
We recommend consulting with an independent legal counsel to determine if using Heap complies with your local governing laws.
As an analytics provider, Heap is committed to ensuring data privacy for our customers and their end-users. We’ve provided you with the following tools and resources to help you adhere to applicable data privacy legislation.
To ensure we don’t collect any special classes of personal information, it is the customer’s responsibility to not send any sensitive personal data into Heap.
In the event that you do send sensitive personal data to us, contact us immediately via the Get support page and we will promptly delete the sensitive personal data from our servers.
We offer the following resources to help you achieve and maintain compliancy with applicable data privacy regulation across web and mobile.
- The Target Text Autocapture toggle will ensure we don’t capture any sensitive information that you might include in elements of your pages. This toggle can be turned on via Manage > Account > Privacy & Security. Note that this setting only applies to web traffic.
- Alternatively, you can implement the disableTextCapture API. Note that if you enable the toggle and implement the API, the most privacy-conscious setting will win.
- Heap Redact will prevent any text, attribute, or page title that might be sensitive from being sent to Heap.
- The User Deletion API, which you can use to delete users and their personal data from your Heap account. We also offer an in-app user data deletion request tool, and you can delete user data via Postman.
- A DPA (Data Processing Addendum), which incorporates the requirements of GDPR into the contractual agreement between Heap and our Customers. Our DPA also includes the Standard Contractual Clauses to facilitate legal transfer of data from the EU/EEA to the US.
- We have appointed a designated Data Protection Officer (DPO). If you have any questions about GDPR or data privacy, please contact our DPO by sending an email to firstname.lastname@example.org.
In addition to the above, we recommend taking the following measures to ensure your compliance with applicable data privacy regulations:
- Selectively exclude the Heap tracking snippet on pages that contain sensitive information if you’d rather ensure specific views or URLs are absolutely not tracked or recorded.
- During implementation, ensure that you are not sending any sensitive personal data into Heap via the Identify API.
For more information relevant to how Heap ensures the security and privacy of your data, please review the following:
If you need to block the capture of IP addresses or geolocation, or have questions about any of the above, please reach out via the Get support page.