Heap’s tracking code uses first-party cookies set by your domain, and does not rely on third-party cookies for tracking. For this reason, Heap will continue to collect first-party cookies even if third-party cookies are blocked.
Heap may set the following cookies at any given time.
| Cookie | Description | Persists for |
|---|---|---|
_hp2_id.APP_ID |
User cookie (stores user_id, identity, other IDs) | 13 months minus 1 day |
_hp2_ses_props.APP_ID |
Session properties cookie (stores timestamp and cookie domain/path) | 30 minutes |
_hp2_props.APP_ID |
Event properties cookie for heap.js v4 (stores properties set by the addEventProperties API) | 13 months minus 1 day |
_hp5_meta.APP_ID |
User + session cookie for heap.js v5 (stores user_id, identity, other IDs, timestamp, session properties) | 13 months minus 1 day |
_hp5_event_props.APP_ID |
Event properties cookie for heap.js v5 (stores properties set by the addEventProperties API) | 13 months minus 1 day |
| _hp5_let.ENV_ID | Contains last event time in Heap v5.2.7+ | 13 months minus 1 day |
_hp2_hld. |
Used to determine which domain a cookie can be set on (since public suffix domains block setting cookies on the top level) | Should not persist |
| userty.core.p.app_id_hash* | Contains replay user properties (user ID, user identity, and some user metadata) | 2 years |
| userty.core.s.app_id_hash* | Contains replay session properties (replay session ID, session timestamp, and some session metadata) | Current session |
*Only for accounts that have session replay enabled
To read the fine print, see our Privacy Policy in the Heap Trust Center.