Hotjar
Category: session_replay

Hypocrisy score: 100
Revenue Risk score: 90

Executive Summary

Hotjar is a behavior analytics platform acquired by Contentsquare in 2021, providing heatmaps, session recordings, and surveys to over 1.3 million websites. Despite extensive compliance certifications (SOC 2 Type II, ISO 27001, GDPR/CCPA claims), runtime analysis reveals a 52.7% pre-consent tracking rate across 50 detected sites. More critically, Hotjar's own website loads 27 third-party vendors before consent, including advertising pixels (Meta, Google, LinkedIn, Reddit, Twitter) and B2B enrichment tools (Apollo.io) that are not disclosed in their subprocessor list. This creates significant gaps between their privacy marketing (GDPR-ready, CCPA-ready) and actual data collection practices, representing material misrepresentation risk for customers relying on Hotjar's compliance claims.
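The finding above rests on one measurable check: which third-party hosts a page contacts before the visitor's consent event, and whether those hosts appear in the vendor's published subprocessor list. The following added example (not code from Hotjar, Contentsquare or the profile's authors) shows that check over a constructed request log; the hostnames, timestamps, the consent time and the disclosed-subprocessor set are all invented for illustration. In practice the request records would come from a HAR export or a browser automation run in which the consent click is timestamped.

```python
"""Flag third-party requests issued before consent and compare them against
a disclosed subprocessor list. Added example; all inputs are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    ts_ms: int   # milliseconds since navigation start
    url: str


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .com/.io/.example;
    a production tool should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def pre_consent_third_parties(requests, consent_ts_ms, first_party_domain):
    """Return the set of third-party domains contacted strictly before consent.
    consent_ts_ms=None models a visitor who never consents, so every
    third-party request in the log counts as pre-consent."""
    found = set()
    for r in requests:
        if consent_ts_ms is not None and r.ts_ms >= consent_ts_ms:
            continue
        host = urlsplit(r.url).hostname or ""
        dom = registrable_domain(host)
        if dom != first_party_domain:
            found.add(dom)
    return found


def undisclosed(domains, disclosed_subprocessors):
    """Domains contacted that the vendor does not list as subprocessors."""
    return set(domains) - set(disclosed_subprocessors)


def pre_consent_rate(site_results):
    """Fraction of audited sites with at least one pre-consent third party.
    site_results maps a site label to the set returned by
    pre_consent_third_parties() for that site."""
    if not site_results:
        return 0.0
    flagged = sum(1 for doms in site_results.values() if doms)
    return flagged / len(site_results)


# Constructed sample: a first-party site, a CMP loader, two trackers that
# fire before the banner is answered, and one tag that waits for consent.
SAMPLE_REQUESTS = [
    Request(300, "https://www.vendor-site.example/"),
    Request(900, "https://static.vendor-site.example/app.js"),
    Request(1200, "https://pixel.ad-network.example/tr?id=123"),
    Request(1500, "https://enrich.b2b-vendor.example/visitor.js"),
    Request(1800, "https://cdn.consent-cmp.example/banner.js"),
    Request(9200, "https://tags.analytics-vendor.example/collect"),
]
CONSENT_TS_MS = 8000  # constructed: visitor clicked "accept" at 8 s
DISCLOSED = {"consent-cmp.example", "analytics-vendor.example"}  # constructed


def demo():
    pre = pre_consent_third_parties(SAMPLE_REQUESTS, CONSENT_TS_MS, "vendor-site.example")
    return {
        "pre_consent": sorted(pre),
        "undisclosed": sorted(undisclosed(pre, DISCLOSED)),
    }


if __name__ == "__main__":
    print(demo())
```

The consent-management loader itself legitimately runs before consent, so the useful signal is the intersection of "loaded pre-consent" and "not in the disclosed subprocessor list"; in the sample that leaves the advertising pixel and the B2B enrichment host, which is the shape of the gap the summary describes.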

Revenue Threat Profile

4 COLLAPSE VECTORS

How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.

CAC Subsidization (score: 100, critical)

Hotjar captures detailed behavioral data (clicks, scrolls, form interactions) that feeds into customer analytics decisions. When this same data is simultaneously shared with undisclosed advertising platforms and B2B enrichment services, it corrupts the measurement chain. Customers believe they are getting first-party behavioral insights, but the data is also flowing to third parties who may use it for competitive intelligence or cross-site tracking.

Signal Corruption (score: 55, high)

The presence of Apollo.io (B2B visitor identification) and multiple advertising pixels on Hotjar's own website demonstrates the platform participates in the demand signal leakage ecosystem. Website visitors—including Hotjar's own customers and prospects—have their data captured and potentially enriched for sales outreach by third parties. This same infrastructure may be present on customer sites using Hotjar.

Legal Tail Risk (score: 100, critical)

Session recordings and heatmaps capture detailed user interactions that could include sensitive information inadvertently displayed or entered. With 27 third-party vendors loading pre-consent on their own site, the attack surface extends to every undisclosed data recipient. Each advertising pixel and analytics tool represents a potential data breach vector that Hotjar has not disclosed to users.

GTM Attack Surface (score: 0, low)

The gap between Hotjar's compliance marketing (SOC 2, ISO 27001, GDPR-ready, CCPA-ready) and their actual 52.7% pre-consent tracking rate creates direct liability for customers. Organizations using Hotjar while representing GDPR compliance to their own users may be inadvertently making false statements. The undisclosed subprocessors on Hotjar's own website demonstrate they do not practice what they market.

Profile: hotjar
First Seen: 2025-12-25
Last Updated: 2026-01-22
Confidence: HIGH

Profile by BLACKOUT Threat Intelligence