
Privacy-First Heatmaps: Hotjar Alternatives Compared

Heatmaps and session recordings are the privacy-analytics question that doesn’t have a clean answer. Page-level analytics (where users go) cleanly survives in cookieless form. Behavioural analytics (what users do on a specific page — clicks, scrolls, mouse movements, full session replay) doesn’t, at least not without serious caveats. Hotjar collects more personal data than most teams realise. Microsoft Clarity is “free” with the kind of tracking footprint that a privacy team should be reading carefully. The genuinely privacy-first alternatives exist, but they trade off feature depth.

I’ve spent the last 18 months running heatmap tools across half a dozen sites in the privacy-conscious portfolio. This is the comparison: what each tool actually captures, what it does with the data, and which ones survive a serious privacy review.

What “privacy-first heatmaps” should mean

Before we get to specific tools, the criteria. A privacy-first heatmap tool needs to satisfy at least the following:

  • No PII capture by default. Form inputs, password fields, email addresses and anything else entered into a text field should be redacted or excluded server-side, not left to the developer remembering to add CSS classes.
  • No cross-site tracking. The vendor shouldn’t combine data from your site with data from other sites you’ve never integrated with.
  • EU-resident option. Data stored on EU servers, processed by an EU-headquartered company or by a US company with a valid Data Processing Agreement and SCCs.
  • Cookieless or first-party-only cookies. No third-party tracking cookies. Session cookies that expire on browser close are fine; persistent identifiers across sessions are not.
  • Anonymisation at ingest. IP addresses anonymised or discarded server-side. Device fingerprinting either off or limited to non-personally-identifying attributes.
  • Auditable data flow. Documented privacy policy, transparent data retention, ability to demonstrate compliance to a regulator.

None of the major heatmap vendors satisfy all of these out of the box. The privacy-first ones come close. The “free” ones often fail on most.

Hotjar — the default that’s hard to recommend

Hotjar is the market default. Most teams I encounter have it installed. The privacy posture is more complex than the marketing copy implies.

What it captures. Mouse movements, clicks, scroll depth, form interactions, full session recordings. Plus a feedback widget, surveys, and a recent AI-generated insights feature that processes recordings server-side.

The privacy issues.

  • Default behaviour records form input values unless you specifically exclude them via CSS classes. Most teams forget this and end up storing user-entered email addresses, search queries, and sometimes credit-card form interactions in Hotjar’s session-recording archive.
  • The default cookie policy sets four cookies — including a 1-year persistent visitor identifier (_hjAbsoluteSessionInProgress and friends). Cookieless mode exists but is opt-in.
  • Data is hosted in Ireland (EU) but the parent company Contentsquare is French; processing involves both jurisdictions plus US-based AI features. The DPA is reasonable but not minimal.
  • The 2024 acquisition by Contentsquare added cross-customer benchmarking that some users have found uncomfortable from a data-handling perspective.

Cost. $39/month for the Plus plan with up to 100 daily sessions. $79+/month for Business with more sessions and integrations.

Who should use it. Teams that already have it, have a working privacy review, and have explicitly opted into cookieless mode plus all the redaction settings. New deployments should evaluate alternatives first.

Microsoft Clarity — free, with footprint

Clarity is genuinely free. No traffic limits. Full session recordings, heatmaps, the works. The honest assessment: the privacy footprint is meaningful and worth scrutiny.

What it captures. Same scope as Hotjar — clicks, scrolls, session replays, form interactions, plus rage-click and dead-click detection.

The privacy issues.

  • Microsoft hosts the data on US Azure servers by default. EU-resident option exists but requires explicit configuration.
  • The Clarity terms grant Microsoft broad rights to use the data for product improvement, AI training, and “anonymous benchmarking”. The exact scope of “anonymous” is murky.
  • Cross-site behavioural data flows into Microsoft’s wider advertising ecosystem in ways the documentation doesn’t fully clarify.
  • The free price point makes it ubiquitous, which means a lot of European sites are running it without checking the GDPR implications.

Cost. Free.

Who should use it. Teams that have read the terms carefully, have explicit consent banner coverage, and have decided the data-sharing trade-off is acceptable. Don’t assume “free + Microsoft” means “trustworthy”; the trade-off is your visitors’ behavioural data going to Microsoft’s wider ecosystem.

Mouseflow — middle of the pack

Mouseflow has been around since 2009 and ships a similar feature scope to Hotjar with a slightly more privacy-aware default posture. It’s the safest mainstream choice.

What it captures. Sessions, heatmaps, scroll maps, funnels, form analytics. Less polished UI than Hotjar but the data is comparable.

Privacy posture. EU servers (Denmark) by default. Form-input redaction is more aggressive out of the box than Hotjar — passwords, emails, credit cards are auto-redacted without configuration. Cookieless mode is available.

Cost. $31/month for the Starter plan with 5,000 recordings/month.

Who should use it. Teams that need full-fat heatmap features but want a more privacy-aware vendor than Hotjar. The Danish base and stricter defaults make it the better starting point if you’re new to the category.

Ribbon — the privacy-first specialist

Ribbon (formerly Behave.ai) is one of the few heatmap tools designed privacy-first from inception. It captures aggregate behavioural data — heatmaps, scroll patterns, click-through rates — without storing individual session replays.

What it captures. Aggregate click heatmaps, scroll depth distributions, attention maps. Notably not individual session replays. The trade-off is you can’t replay a specific user’s session, but you can see patterns across the whole audience.

Privacy posture. No PII captured (the design ensures this rather than relying on configuration). EU-hosted. Cookieless. GDPR by default rather than by configuration.

Cost. Around $30-100/month depending on traffic.

Who should use it. Privacy-first brands. Teams that want behavioural insights but have decided session replay is the wrong tool for their context. Healthcare, fintech, government — anywhere session-replay would create more compliance work than it’s worth.

Smartlook — Czech-based competitor

Smartlook is a Czech company that competes directly with Hotjar on features and undercuts on price. The privacy posture is closer to Mouseflow than to Ribbon.

What it captures. Sessions, heatmaps, funnels, events. Mobile SDKs for iOS and Android, which most competitors lack.

Privacy posture. EU-hosted (Czech Republic). Default form redaction. Cookieless mode optional.

Cost. $55/month for the Pro plan.

Who should use it. Teams with mobile apps that need cross-platform behavioural analytics. The mobile SDK is the differentiator.

FullStory — enterprise-grade with enterprise privacy

FullStory is the high-end. Pricing isn’t published — you talk to a sales team. The product is excellent. The privacy story depends on configuration.

What it captures. Everything. Session replays, click maps, error tracking, custom events, frustration signals, AI-generated insights from session data.

Privacy posture. US-hosted by default. EU residency available on enterprise plans. Configurable data masking with developer SDK. The granular control is impressive but requires effort to set up correctly.

Cost. Enterprise quote, typically $30-100k+/year.

Who should use it. Enterprise teams with the budget and a developer team to configure data masking properly. Not appropriate for small teams who’ll ship the default config.

The session-replay problem

The single biggest privacy question in this category is whether to record full session replays at all.

Session replay captures every mouse movement, scroll, and keystroke a user makes on your site. With proper configuration it redacts form inputs and PII. Without proper configuration — which is most deployments — it stores everything users typed, including search queries, email addresses, and occasionally credit-card numbers in checkout flows.

Even with proper configuration, session replay is a privacy attack surface. A 30-second replay of a user’s behaviour reveals more about their intent, hesitations, and purpose than most analytics tools should. The GDPR concept of “data minimisation” suggests you should only collect what you need, and most teams using session replay collect much more than they ever review.

My honest take: session replay is the wrong tool for most teams. The use cases are real — debugging UX issues, investigating conversion drop-offs — but the data-handling cost is high, and aggregate heatmaps cover 80% of the analytical value at 5% of the privacy cost.

Privacy-first teams should default to aggregate heatmaps (Ribbon, or aggregate-mode in Mouseflow) and only enable session replay for specific time-limited investigations. “Always on” session replay is a compliance liability that most teams don’t recognise until they get a regulator inquiry.
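To make the aggregate-only alternative concrete, here is an added example (my code, not Ribbon's or Mouseflow's) of a collector that reduces clicks to per-cell distinct-visitor counts at ingest and drops sparsely populated cells, so nothing session-level is ever persisted. The grid size, the visitor threshold and the click events are constructed assumptions.

```javascript
// Constructed click events, as a collector script would see them: page-relative
// coordinates plus a per-session visitor key used only for de-duplication.
const RAW_CLICKS = [
  { visitor: "s1", x: 112, y: 64 }, { visitor: "s2", x: 130, y: 70 },
  { visitor: "s3", x: 140, y: 95 }, { visitor: "s1", x: 118, y: 66 },
  { visitor: "s4", x: 610, y: 410 }, // one visitor alone in a cell
  { visitor: "s2", x: 905, y: 30 },  // another lone visitor
];

// Buckets clicks into cell x cell pixel squares and returns, per cell, the number
// of distinct visitors. Cells below minVisitors are dropped so one user's unusual
// click cannot be picked out of the published heatmap. Raw events and visitor keys
// are discarded once the counts exist; only the counts would be stored.
function aggregateClicks(events, cell = 100, minVisitors = 2) {
  const visitorsByCell = new Map();
  for (const { visitor, x, y } of events) {
    const key = `${Math.floor(x / cell)},${Math.floor(y / cell)}`;
    if (!visitorsByCell.has(key)) visitorsByCell.set(key, new Set());
    visitorsByCell.get(key).add(visitor);
  }
  const heatmap = {};
  for (const [key, visitors] of visitorsByCell) {
    if (visitors.size >= minVisitors) heatmap[key] = visitors.size;
  }
  return heatmap;
}
```

Counting distinct visitors rather than raw clicks also stops a single user who rage-clicks one spot from dominating a cell.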

What about Plausible, Fathom, Pirsch, and the cookieless analytics tools?

None of the privacy-first analytics tools we cover on our comparison dashboard ship heatmaps or session replay. The category is intentionally separate. Plausible, Fathom, and the others handle “what pages do people see” analytics; they leave “what do people do on those pages” to specialised tools.

This is actually the right architectural separation. Page-level analytics is cheap, cookieless, and low-risk. Behavioural analytics is expensive, hard to do privately, and high-risk. Combining them in one tool — as GA4 attempts to do — pulls the privacy posture down to the level of the most invasive feature.

For a complete privacy-first analytics stack, pick a cookieless page-level tool from our dashboard for traffic analytics, then layer Ribbon or Mouseflow on top for behavioural insights when you specifically need them. Don’t run heatmap tools on every page; run them on the pages where you have an open question.

Decision framework

A simplified decision tree:

  • Privacy-first brand or regulated industry: Ribbon for aggregate heatmaps, no session replay. Pair with a cookieless analytics tool from our comparison dashboard.
  • Standard B2B SaaS or marketing site: Mouseflow with default privacy settings. Cookieless mode on. Session replay enabled for specific debugging only.
  • Mobile-first app: Smartlook for the SDK coverage.
  • Enterprise with budget and dev team: FullStory with proper data-masking configuration.
  • Don’t have privacy review capacity: Skip heatmaps entirely. Use the analytics tool’s pageview data and feature-usage events. The behavioural insights you’d get from heatmaps aren’t worth the privacy compliance overhead if your team can’t manage it properly.

What teams get wrong

Installing Hotjar or Clarity without a privacy review. Both tools have meaningful default footprints. The one-line install isn’t free; you’re trading the developer time saved for compliance risk that surfaces months later.

Recording sessions on every page. Most page sessions are uninteresting. You’re storing huge volumes of recordings nobody will ever watch, and creating a compliance liability for the few that contain sensitive content. Limit session recording to pages where you have an open question.

Skipping the form-redaction config. Default Hotjar and Clarity configs do not redact form input values. The CSS class to add is documented but easy to miss. Run a session-replay audit on a checkout or signup page and see what’s actually being captured.
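As an added example (not from the post or any vendor's tooling), a browser-console audit that lists sensitive form fields with no redaction marker on them or on any ancestor, the check the paragraph above recommends before trusting a replay tool's defaults. The names in SUPPRESS_MARKERS and the sensitivity heuristics are my assumptions to verify against your vendor's documentation; the checkout form is constructed so the block runs in Node.

```javascript
// Redaction markers, checked as attribute or class on the field or any ancestor.
// The marker names are my assumptions; verify them against your vendor's docs.
const SUPPRESS_MARKERS = ["data-hj-suppress", "data-clarity-mask"];
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_HINT = /(card|cc-|cvc|cvv|iban|ssn|passport|dob|email|phone)/i;
const FIELD_TAGS = new Set(["INPUT", "TEXTAREA", "SELECT"]);

// A field counts as sensitive when its type or naming suggests personal or payment data.
function isSensitive(field) {
  const type = (field.getAttribute("type") || "text").toLowerCase();
  if (SENSITIVE_TYPES.has(type)) return true;
  const hints = ["name", "id", "autocomplete", "placeholder"].map((a) => field.getAttribute(a) || "").join(" ");
  return SENSITIVE_HINT.test(hints);
}

// Walk up from the field: a marker on it or on an ancestor means the vendor will not record it.
function isSuppressed(field) {
  for (let node = field; node; node = node.parentElement) {
    if (SUPPRESS_MARKERS.some((m) => node.hasAttribute(m) || node.classList.contains(m))) return true;
  }
  return false;
}
function collectFields(node, out = []) {
  for (const c of node.children) { if (FIELD_TAGS.has(c.tagName)) out.push(c); collectFields(c, out); }
  return out;
}
// Returns "tag[name=...]" for every sensitive field that no marker covers.
function auditUnredactedFields(root) {
  return collectFields(root)
    .filter((f) => isSensitive(f) && !isSuppressed(f))
    .map((f) => `${f.tagName.toLowerCase()}[name=${f.getAttribute("name") || "?"}]`);
}

// Minimal constructed stand-in for DOM elements so the audit runs in Node;
// in a browser console call auditUnredactedFields(document.body) instead.
function el(tag, attrs = {}, children = []) {
  const node = { tagName: tag.toUpperCase(), parentElement: null, children,
    getAttribute: (k) => (k in attrs ? attrs[k] : null), hasAttribute: (k) => k in attrs,
    classList: { contains: (c) => (attrs.class || "").split(/\s+/).includes(c) } };
  children.forEach((c) => { c.parentElement = node; });
  return node;
}
// Constructed checkout form: only the email field is left without a marker.
const CHECKOUT_FORM = el("form", {}, [
  el("input", { type: "email", name: "email" }),
  el("div", { "data-hj-suppress": "" }, [el("input", { type: "text", name: "card_number", autocomplete: "cc-number" })]),
  el("input", { type: "password", name: "password", class: "data-hj-suppress" }),
  el("input", { type: "text", name: "promo_code" }),
]);
```

Anything the audit returns on a checkout or signup page is what an unconfigured replay tool would be storing.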

Treating heatmap data as analytics. Heatmap tools are decision-support, not measurement. The aggregate click data is biased by self-selection (people who behave normally don’t generate interesting heatmap signals). Don’t replace your analytics tool with a heatmap tool.

Forgetting to delete old recordings. Most heatmap tools retain session replays for 30-90 days by default, with longer retention available. Set the shortest retention that supports your investigation needs, and audit it quarterly.

The wider privacy picture

Heatmaps sit at the intersection of analytics and behavioural research. The privacy-conscious teams I work with treat them as a specialist tool — used for specific investigations, retired between investigations — rather than as always-on monitoring.

For a broader frame on what data you actually need to collect, the privacy-friendly analytics guide covers the architecture-level choices. For the cookie-banner UX implications when you do enable behavioural tracking, the cookie-consent UX patterns piece covers the trade-offs.

The honest position: most sites don’t need heatmaps. The ones that do should pick a privacy-first vendor, configure it carefully, and switch it off when the investigation is done.

Frequently asked questions

Is Microsoft Clarity actually free, with no privacy compromise?

It’s free in the dollars sense. The privacy compromise is real and worth reading the terms for: Microsoft retains broad rights to use the data for product improvement, AI training, and benchmarking. Whether that’s an acceptable trade-off depends on your privacy posture. For most privacy-conscious teams, no — the data flow is wider than the marketing implies.

Do I need a cookie banner if I use Hotjar?

Yes, even in cookieless mode, because most jurisdictions consider behavioural session-recording to be processing of personal data regardless of cookie scope. You need a cookie banner plus a consent entry for Hotjar specifically; most consent platforms offer this as a checkbox.

Can I use heatmaps on EU traffic without consent?

Aggregate-only heatmaps without session-level data and without persistent identifiers can sometimes qualify as “legitimate interest” under GDPR rather than requiring consent. Tools like Ribbon are designed to fit this profile. Session replay almost never qualifies.

What happens to old session recordings?

Most vendors retain recordings for the duration of the active subscription, with retention periods of 30-365 days depending on the plan. After cancellation, recordings are usually deleted within 30-90 days. Check the specific vendor’s data retention policy.

How do I redact PII from existing recordings?

You generally can’t — once captured, the data is in the vendor’s archive. The fix is forward-looking: enable redaction settings going forward and delete old recordings. Most vendors have a bulk-delete API for this purpose.

Is FullStory worth the enterprise price?

For enterprise teams with developer capacity and budget, yes — the product is genuinely best-in-class. The data masking is configurable to a level the cheaper alternatives don’t match. For mid-market teams, the price is hard to justify.

Should I use Mouseflow’s cookieless mode?

Yes, if you’re EU-targeting. The cookieless mode preserves most of the heatmap value while reducing the consent overhead. Aggregate heatmaps without session replay still work; full session replay capability is reduced.
