How This Briefing Works
This report opens with key findings, then maps the gaps between what Heap discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Compliance Certification Contradiction
Scanner detected 18 pre-consent cookies (44% of total) on heap.io. Session recording and behavioral biometrics capture active before consent. 62.5% pre-consent deployment rate across detection network.
Pre-Consent Data Collection
Scanner detected 18 cookies set before consent interaction including Google Analytics, Facebook Pixel, LinkedIn, 6sense, Marketo, and Reddit tracking cookies. Auto-capture architecture initializes before consent banner interaction.
Pre-Consent Activity
Heap was observed loading and executing before user consent was obtained on 63% of sites where it was detected.
Undisclosed Data Sharing Partners
Scanner detected data flows to 15+ individually identifiable third-party vendors including Clearbit, 6sense, Apollo, Facebook, LinkedIn, Google Ads, Reddit, G2, Marketo, Ramp Metrics — none named in accessible Heap privacy documentation.
Data Sale Disclosure vs Practice
This disclosure is buried in the California-specific section. The main Global Privacy Policy uses softer language about business partners and advertising networks. Scanner confirmed extensive advertising partner integrations including Facebook, LinkedIn, Google, Reddit.
Claims vs. Observed Behavior
Compliance Certification Contradiction
“ISO 27701 privacy information management certified. Claims GDPR compliance with full European Privacy Policy section and Data Privacy Framework participation.”
Scanner detected 18 pre-consent cookies (44% of total) on heap.io. Session recording and behavioral biometrics capture active before consent. 62.5% pre-consent deployment rate across detection network.
Scanner raw_intel: 18 preConsentCookies, sessionRecording=true, fingerprinting.detected=true, behavior.bti_codes includes BTI-C09
Pre-Consent Data Collection
“OneTrust consent banner deployed. Privacy policy states only required cookies deployed before consent.”
Scanner detected 18 cookies set before consent interaction including Google Analytics, Facebook Pixel, LinkedIn, 6sense, Marketo, and Reddit tracking cookies. Auto-capture architecture initializes before consent banner interaction.
Scanner raw_intel: preConsentCookies array with 18 entries including _gcl_au, _ga, _fbp, li_sugr, 6suuid, _mkto_trk, _rdt_uuid
Undisclosed Data Sharing Partners
“Privacy policy discloses sharing with service providers, business partners, online advertising partners, and Contentsquare Group by category only. Subprocessor list redirected to Contentsquare unified list.”
Scanner detected data flows to 15+ individually identifiable third-party vendors including Clearbit, 6sense, Apollo, Facebook, LinkedIn, Google Ads, Reddit, G2, Marketo, Ramp Metrics — none named in accessible Heap privacy documentation.
Scanner raw_intel: thirdPartyDomains array, scripts array showing 15+ third-party vendor scripts loading on heap.io
Data Sale Disclosure vs Practice
“California Privacy Notice explicitly states they sold or shared identifiers, network activity, geolocation, and inferences to advertising, marketing, audience measurement entities and social networks.”
This disclosure is buried in the California-specific section. The main Global Privacy Policy uses softer language about business partners and advertising networks. Scanner confirmed extensive advertising partner integrations including Facebook, LinkedIn, Google, Reddit.
Privacy policy California section verbatim: sold or shared identifiers, demographic information, Internet or other electronic network activity information
SOC2 Scope Limitation
“Security page states: Heap is hosted in a SOC 2 facility with strictly controlled access.”
SOC2 reference applies to the hosting facility, not to Heap's own operations or client-side JavaScript code. Trust center redirects to Contentsquare portal requiring registration. No publicly accessible SOC2 report for independent verification.
Evidence: security page text; trust center redirects to trust.contentsquare.com and requires signup
Scope Exceeds Analytics Positioning
“Marketed as product analytics platform for understanding how visitors interact with websites.”
Auto-capture architecture performs behavioral biometrics (mouse tracking, scroll depth), session recording (full journey replay), and form interception — capabilities beyond standard analytics that constitute surveillance.
Scanner raw_intel: behavior.sessionRecording=true, behavior.formIntercept=true, behavior.fingerprinting.detected=true, behavior.eventCount=368
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Heap
- Audit your Heap deployment for pre-consent initialization — scanner data shows 62.5% of deployments fire before consent across the detection network
- Review session recording settings to ensure sensitive form fields (payment, login, personal data) are excluded from capture
- Request Heap's SOC2 report directly — the security page references a SOC2 facility, not a Heap-specific SOC2 audit. Verify scope includes client-side JavaScript
- Verify your DPA with Contentsquare (now Heap's parent) includes the 15+ data sharing partners detected on their own site
- Implement a consent-gate wrapper to prevent Heap SDK initialization before explicit user consent
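The consent-gate wrapper and the pre-consent cookie audit recommended above, as an added example that is not Heap's, OneTrust's or BLACKOUT's code. The tracker cookie names are the ones the scanner observed on heap.io; the `loadSdk` callback, the `'analytics'` consent category name and the sample cookie jar are assumptions.

```javascript
// Cookie name prefixes the scanner observed set before consent on heap.io.
const PRE_CONSENT_TRACKER_PREFIXES = [
  '_gcl_au', '_ga', '_fbp', 'li_sugr', '6suuid', '_mkto_trk', '_rdt_uuid',
];

// Parse a document.cookie-style string ("a=1; b=2") into a list of names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => part.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Return tracker cookies that are present although consent has not been given.
// An empty result before consent is the expected, compliant state; anything
// else is a pre-consent finding to raise with the vendor or fix in the tag setup.
function auditPreConsentCookies(cookieHeader, consentGiven) {
  if (consentGiven) return [];
  return cookieNames(cookieHeader).filter((name) =>
    PRE_CONSENT_TRACKER_PREFIXES.some((prefix) => name.startsWith(prefix)),
  );
}

// Wrap an SDK loader so it runs at most once, and only after a consent event
// that grants the required category. loadSdk is an injected callback
// (assumption) that would contain the vendor's own loading snippet.
function createConsentGate(loadSdk, requiredCategory = 'analytics') {
  let loaded = false;
  return {
    // Call this from the CMP's consent callback with the granted categories.
    // Returns true only when this call actually loaded the SDK.
    onConsent(grantedCategories) {
      if (loaded || !grantedCategories.includes(requiredCategory)) return false;
      loaded = true;
      loadSdk();
      return true;
    },
    isLoaded: () => loaded,
  };
}

// Constructed sample cookie jar (not captured from heap.io) to run offline.
const SAMPLE_PRE_CONSENT_JAR = '_ga=GA1.1.1; sessionid=abc; 6suuid=x; _fbp=fb.1';

function sampleAudit() {
  return auditPreConsentCookies(SAMPLE_PRE_CONSENT_JAR, false);
}
```

In a real deployment the audit runs against `document.cookie` before any consent interaction, and the gate's `onConsent` is wired to the CMP's consent callback instead of being called directly.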
If You're Evaluating Heap
- Request a pre-contract runtime compliance audit of Heap's JavaScript SDK on a test deployment before signing
- Require contract language specifying that the Heap SDK will not initialize before the consent mechanism completes
- Compare the auto-capture approach against event-based alternatives (Amplitude, Mixpanel) that collect only configured events — reduces data minimization burden
- Require SOC2 Type II report scope to explicitly include client-side JavaScript and auto-capture data flows
- Negotiate a right-to-audit clause allowing independent verification of consent-gate timing on live deployments
Negotiation Leverage
- Pre-consent exposure: Scanner data shows 62.5% of Heap deployments initialize before consent. Require contractual guarantee of zero pre-consent activity with liquidated damages, or implement vendor-side consent-gate as a deployment condition.
- Certification scope clarification: ISO 27001/27701 certifications and SOC2 references cover internal operations and hosting infrastructure. Require written confirmation of whether client-side JavaScript auto-capture code is within audit scope — if not, request independent pen test of SDK behavior.
- Data sharing transparency: Heap's privacy policy names categories but not specific vendors. Their own site shares data with 15+ identifiable third-party partners. Require complete vendor-specific subprocessor list with 30-day advance notice of additions.
- Auto-capture data minimization: Default capture-everything architecture conflicts with GDPR Article 5(1)(c). Require Heap to provide documented data minimization configuration that demonstrates only necessary data is collected for your stated purpose.
- Contentsquare group exposure: Heap is now part of the Contentsquare group (includes Hotjar, Clicktale). Require contractual limitation on data sharing within the Contentsquare group and written confirmation that your visitor data is not used to train models or benchmark against competitors.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Auto-capture records mouse movements, scroll depth, click patterns, and interaction timing. Under GDPR Article 9, biometric data processed for identification purposes requires explicit consent. Heap's pre-consent deployment pattern means this data is collected before any consent opportunity on 62.5% of observed sites.
Full session replay
Impact: Full session replay captures user journeys including form interactions, navigation sequences, and visible page content. Scanner confirmed session recording behavior on Heap's own site. May capture sensitive personal data (emails typed into fields, search queries, financial information) without user awareness.
Ignoring CMP signals
Impact: Scanner detected 18 pre-consent cookies on Heap's own site (44% of total). Across the detection network, 62.5% of Heap deployments fire before consent. Auto-capture architecture initializes tracking before consent mechanisms can intervene, creating per-visitor GDPR Article 5(3) ePrivacy violations.
Long-lived identifiers
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
73 detection signatures across scripts, domains, cookies, and network endpoints
