Privacy policy, PostHog style
The internet has wrecked our attention span. (Thanks, Buzzfeed!)
Long paragraphs are boring. So we've summarized our privacy policy for you.
Here's the gist in a familiar format you can probably skim while driving. (Or 💩.)
Summary of our privacy policy
Semi-important legal notice from :
Our privacy policy covers it all – from cookies 🍪 to your data protection rights under your country’s law 🌍. Read it carefully as using our site means you agree to it!
🔓 As an open-source project, some info you share might be public for our awesome community’s collaboration. But don't worry, we’re committed to collecting and sharing the minimum amount of personal info. We're the Data Controller for all this!
💻 We collect data like your IP address, device info, and pages/content you view to improve your experience. No third-party cookies here – we don’t do retargeting ads or creepy tracking!
Here's a cat gif to keep you engaged (and to keep the algos intrigued). Please like/RT.
🛠️ We gather usage data to analyze and improve our site, but you can opt out. If you share your info, like name and email, it’s only used for necessary stuff. No sensitive info like genetic data here, and definitely no under-18 data!
🌐 We share your info with service providers to run our site and product, but nothing else. We’re part of the EU-US Data Privacy Framework, ensuring your data is safe. You can opt out if you like!
📬 We may contact you occasionally via email with updates, but you can unsubscribe anytime. We promise not to spam you! Our first-party cookies remember you and improve your experience. Reminder: we don't use any third-party cookies.
🚀 We respect your rights and keep your info as long as your account is active. You can delete it anytime. Contributions to our projects remain public to keep the integrity of our open-source code.
The full (but still easy to understand) privacy policy
For your sanity, we've summarized each paragraph of legalese with plain English.
(This was inspired by 500px who did it first and deserve full credit! We tried to do it better but we couldn't.)
You probably realize this, but the summaries below each section in blockquotes (under the "What it means subheaders)in the right-hand column exist solely to aid your comprehension and alleviate boredom. They're not legally binding.
The actual privacy policy is everything not in blockquotesin the left column.
(Can you believe we actually had to clarify this?)
- Table of contents
Privacy policy
(with handy summaries at the end of each section)
Introduction
What it means
This privacy policy ("Privacy Policy") applies to all visitors and customers of the PostHog.com hosted services and websites (collectively, the "Website" or "Websites") and self-managed installations, which are offered by PostHog Inc (formerly Hiberly Inc) and/or any of its affiliates ("PostHog" or "we" or "us") and describes how we process your personal information in connection with those Websites or self managed installations, customer events and demos, and how we collect information through the use of cookies and related technologies. It also tells you how you can access and update your personal information and describes the data protection rights that may be available under your country’s or state's laws, including (in the European Economic Area ("EEA"), and UK), a right to object to some processing that we carry out or, where we rely on consent, how to withdraw that consent. Please read this Privacy Policy carefully. By accessing or using any part of the Websites or self-managed installations, you acknowledge you have been informed of and consent to our practices with regard to your personal information and data.
PostHog is an open source project and collaborative community, as well as a company. This means that many portions of our Websites, including information you voluntarily provide, will be public-facing for the open sharing of innovative developments, ideas, and information that makes our collaborative community so great. While we are committed to open sharing, we strive to respect the privacy of individual community members and will minimize the information we collect and share. If you do not want to share your information, including personally identifiable information, with other community members and the public, please be thoughtful as to how you interact with our Websites and what information you provide through the Websites (for example, through creating a public profile, project contributions, comments, and blog posts).
Unless otherwise stated, we act as the data controller for the data processing operations described in this Privacy Policy.
We may provide additional information about our privacy practices in other places - for example, when we ask you to provide personal information in connection with a particular service or when you apply for a job with us.
This policy describes how we use your personal information when you use the PostHog app or visit our website. It includes:
- Use of cookies
- How you can access your personal info
- Your data protection rights under your country’s or state’s law.
We suggest you read the privacy policy carefully as by using our website you are agreeing to it.
PostHog is an open-source project, so some of the information you voluntarily provide will be public facing for sharing ideas – it’s what makes us such a great collaborative community.
However, we are committed to minimizing the info we collect and share, and in particular any personal info.
PostHog is the Data Controller for what is described in this Privacy Policy.
We also might provide more information about other privacy related matters if you give us personal info, like if you apply for a job with us.
What information PostHog collects and why
Information from website visitors
Like most website operators, PostHog automatically collects (i) technical information about your device including your device's internet protocol (IP) address; and (ii) information about your visit to our Websites (the referral URL, the content viewed and the content interacted with).
Some of this information is collected using cookies and related technologies. See below for further information on these technologies. We collect this information to better understand how visitors use our Websites, to improve our Websites and experience for visitors, and to monitor the security of the Websites.
For logged-in customers to PostHog deployments, PostHog also collects this information on our application using our own software, to help us understand how to make the deployments more useful for different categories of customer.
We collect things like:
- IP address
- Information about your device
- Pages you have viewed
- Content you have viewed
We use cookies to do this and they help us understand how we can improve a user's experience.
FYI, we don’t use any third-party cookies at all. This means we don’t run any retargeting ad campaigns, or use any other invasive tracking techniques that follow you around the internet.
Usage data information from self-managed PostHog instances
PostHog automatically collects information about usage from each self-managed PostHog instance (Open Source, Scale and Enterprise Edition). We may use cookies and similar technologies to collect some of this information. It is possible to opt out of your personal information being transferred, and for self-managed PostHog instances, we do not track your end users at all. PostHog tracks the usage of these instances at an aggregate level – it is also possible to prevent this through modifying the code, which is made available to you.
We automatically collect info on your usage of our self-managed instances. You can opt out of this.
Personal information
You may choose to interact with our Websites in ways that provide us with your personal information. In some instances, a User ID is generated for form and URL tracking, page views, page pings, and usage counts in order to ascertain product performance and development.
The amount and type of information that PostHog gathers depends on the nature of your interaction with us, as well as the amount of information you choose to share. For example, we ask visitors who use our community group to provide a username and email address. We will also collect the information you provide with us in connection with creating an account on the Website.
Certain profile information (such as your username) may be shared publicly, as well as activity under your profile. If you report a security vulnerability to PostHog and request public acknowledgement, then we may publicly disclose the personal information you provided to us in connection with the report, including your name to fulfill your request for acknowledgement.
In each case, PostHog collects such personal information only insofar as is necessary or appropriate to fulfill the purpose of your interaction with or your request to PostHog. We may also collect certain personal information during live in-person events and demos. We will not disclose your personal information other than as described in this Privacy Policy.
We may aggregate all information (including your personal information) collected from our Websites and self-managed installations for our own statistical and analytics purposes and share such aggregated information with third parties for our own promotional purposes (e.g. by publishing a report on trends in the usage of our Websites).
When you use our websites or app, we may generate an anonymous User ID for pageview tracking etc.
We only collect personal information you share with us, such as your name and email address when you sign up to our product or website community.
If you report a security vulnerability publicly then we may disclose your personal info, but only if the action requires it – e.g. to provide recognition for your reporting of a security vulnerability.
We aggregate the info we collect to analyze usage and improve our website.
Information PostHog does not collect
PostHog does not intentionally collect sensitive or special category personal information, such as genetic data, biometric data for the purposes of uniquely identifying a natural person, health information, or religious information.
PostHog does not knowingly collect information from or direct any of our Website or content specifically to children under the age of 18. If we learn or have reason to suspect that a customer is under the age of 18, we will close that account.
We don’t collect any seriously sensitive information, like genetic or biometric data, and definitely no data on children under 18.
If we think you’re under 18, we will close your account.
Lawful basis and purposes for processing your personal information
To fulfill a contract or take steps linked to a contract with you
We use your personal information to:
- administer access to your accounts;
- manage our customer relationships;
- process orders, provide our products and services and send you service-related communications; and
- provide you with customer support.
This explains how we use your personal information to fulfill our contract(s) with you.
Legitimate interests
We use your personal information:
- to improve and personalize your experience with us and our Websites and to tailor communications to you;
- to monitor and improve the performance of our products and services for administrative, security and fraud prevention purposes;
- for our own internal functions, management and corporate reporting, and internal research and analytics;
- to enforce compliance with our terms of use and other policies or otherwise in connection with legal claims, compliance, regulatory and investigatory purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
We only use your information for stuff we actually need.
Consent
We may rely on your consent:
- Where you ask us to send marketing information (e.g. newsletter updates) via a medium where we need your consent under applicable law (for example email marketing in some countries);
- Where you give us consent to place cookies or similar technologies;
- On other occasions where we ask for your consent, for the purpose we explain at the time.
You may withdraw your consent at any time through the unsubscribe feature provided with the relevant marketing email or by contacting us using the details in the ‘Contacting PostHog About Your Privacy’ section of this Privacy Policy.
We always rely on your consent.
You can withdraw consent at any time following the process in the section below about contacting us.
How PostHog uses and protects your personal information
Sharing your information
PostHog may share your personal information with the third-parties listed below for the purposes that are described in this Privacy Policy or otherwise with your consent.
PostHog only shares your personal information with those of its employees, contractors, and affiliated organizations that (i) need to know that personal information in order to process it on PostHog's behalf or to provide services available on the Website, and (ii) that have agreed not to disclose it to others
PostHog uses other companies to provide our services.
We only use them for the purpose of providing our website and product, nothing else.
Service Providers and partners. PostHog engages a number of service providers or partners to manage or support certain aspects of our business operations on our behalf. For instance, we currently use the following service providers who will handle your personal information:
- AWS - cloud data hosting
- Clearbit - marketing data engine
- Cloudflare - cloud data hosting
- Customer.io - email campaign service provider
- Digital Ocean - website user data for community profiles
- GitHub - open source repositories and internal project management tool
- Google Cloud Platform - cloud data hosting
- Google Workspace - internal collaboration tools
- Heroku - cloud data hosting
- HubSpot - CRM database
- Sentry - application monitoring and error tracking
- Slack - internal communications tool
- Zendesk - customer support tool
Our service providers and partners are required by contract to safeguard any personal information they receive from us and are prohibited from using the personal information for any purpose other than to perform the services as instructed by PostHog.
Here is the list of companies we use.
Affiliates. PostHog is a global business, headquartered in the United States. Your personal information collected by us in accordance with this Privacy Policy is used and shared by PostHog Inc to our affiliate company based in the UK (Hiberly Ltd) for the purposes of providing the Websites, delivering our Products and services, managing your accounts, hosting, IT, security, support, billing, marketing, and communications.
PostHog is a US business, but we also have a UK company.
Legal Requirements. We may disclose personal information to government authorities or other third-parties if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a subpoena, court order or similar legal obligation, (b) protect and defend our rights or property, (c) act in urgent circumstances to protect the personal safety of users of any Website or the public, (d) protect against legal liability, (e) to investigate fraud or other unlawful activity, or (f) or as otherwise required or permitted by law.
Please note, email and IP addresses of users of a PostHog deployment may be shared with the respective users of that deployment.
PostHog takes measures reasonably necessary to protect your personal information against any unauthorized access, use, alteration, or destruction.
PostHog at its sole discretion may make use of company logos where those companies are using the software that we provide. If you have concerns over the use of your logo, please email logos@posthog.com.
We will disclose information to government authorities if we’re legally obliged to do so.
International transfer of personal information
The Websites are hosted in the United States, or in Germany if you are a PostHog Cloud customer who has selected EU hosting, and the personal information we collect about our customers' users will be stored and processed on our servers in either the United States or Germany. Information about our customers is processed in the United States by us, and may also be by the service providers and partners listed above. Our employees, contractors and affiliated organizations that process information for us as described above may be located in the United States or in other countries outside of your home country which may have different data protection standards to those which apply in your home country.
Where your personal information is transferred outside of the EEA, Switzerland and UK and where this is to a country which is not subject to an adequacy decision by the EU Commission or considered adequate as determined by applicable data protection laws, we will take steps to ensure your personal information is adequately protected by safeguards such as Standard Contractual Clauses ("SCCs") approved by the EU Commission or by the UK Government. A copy of the relevant mechanism can be obtained for your review on request by using the contact details in the ‘Contacting PostHog About Your Privacy’ section of this Privacy Policy.
Posthog complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce. Posthog has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Posthog has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (together, the "DPF Principles"), the DPF Principles shall govern. To learn more about the Data Privacy Framework ("DPF") program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PostHog Inc commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship
For the actions of third party agents PostHog engages to process data on our behalf, PostHog remains responsible and liable under the DPF Principles if a third party agent processes the Personal Data in a manner inconsistent with the DPF Principles, unless PostHog proves that it is not responsible for the event giving rise to the damage.
PostHog might have to share your information outside of the country you are in. PostHog is part of the EU-US Data Privacy Framework, so we rely on various mechanisms that this provides to do so.
Disputes
As part of our commitment to the DPF Principles, if you are a resident of the European Union, UK, or Switzerland and you have a privacy or data use concern, please contact PostHog directly at privacy@posthog.com and PostHog will use its best efforts to address your concern within 45 days of receipt of your complaint. For an unresolved privacy or data use concern that PostHog has not addressed satisfactorily, please contact our U.S. based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/dpf-dispute-resolution
For any DPF disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the DPF's binding arbitration scheme, please see Annex I of the DPF Principles, here: https://www.dataprivacyframework.gov/s/article/Participation-Requirements-Data-Privacy-Framework-DPF-Principles-dpf. The Federal Trade Commission has investigation and enforcement authority over PostHog’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF
If you dispute anything we’ve done, you can use the links provided to resolve this.
PostHog communications with you
If you are a registered user of the Websites and have supplied your email address, PostHog may occasionally send you an email to tell you about security, system information, new features, solicit your feedback, or just keep you up to date with what's going on with PostHog and our products. We primarily use our blog to communicate this type of information, so we expect to keep this type of email to a minimum. There's an unsubscribe link located at the bottom of each of the marketing emails we send you so you can stop receiving such emails at any time.
If you send us a request (for example via a support email or via one of our feedback mechanisms), we reserve the right to publish your request in order to help us clarify or respond to your request or to help us support other customers. We will not publish your personal information in connection with your request.
PostHog will contact you, mainly over email, from time to time. We promise we won’t spam you, but you can unsubscribe whenever you like.
Cookies, tracking technologies and Do Not Track
Cookies
A cookie is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides to the website each time the visitor returns. PostHog uses cookies to help PostHog identify and track visitors, their usage of the Websites, and their Website access preferences. PostHog visitors who do not wish to have cookies placed on their computers may set their browsers to refuse cookies before using the Websites. Disabling browser cookies may cause certain features of PostHog's websites to not function properly.
To remember you, our system will give you a cookie. It's safe. We’re very careful to only have first-party cookies on our site, including when we embed content from other websites, such as YouTube.
Tracking technologies
We do not use third-party tracking services to collect information about you.
We hope this part is pretty clear. However, thanks for actually reading our Privacy Policy, as a reward we’d love to send you a free toilet roll with our Privacy Policy printed on it, send us an email to tpsandcs@posthog.com.
Do Not Track
"Do Not Track" is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. PostHog does not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site. Because we do not share this kind of data with third party services or permit this kind of third party data collection for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser's Do Not Track setting.
Because PostHog doesn’t use third-party tracking services, we don’t need to do anything different when it comes to ‘Do Not Track’ settings on an individual's browser.
Global privacy practices and your rights
Information we collect may be stored and processed in the United States in accordance with this Privacy Policy but we understand that users from other countries may have different expectations and rights with regard to their privacy. For all Website visitors and customers, no matter their country of location, we will:
- provide clear methods of unambiguous, informed consent when we do collect your personal information and where required by applicable law;
- only collect the minimum amount of personal information necessary for the purpose it is collected for, unless you choose to provide us more;
- offer you simple methods of accessing, correcting, or deleting your information that we have collected, with the exception of information you voluntarily provide that is necessary to retain as is for the integrity of our project code as described further below; and
- provide Website customers notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our customers a method of recourse and enforcement.
Where our affiliate within the UK processes your personal information or where we process personal information of individuals located in the EEA, Switzerland or the UK, you are entitled to the following rights with regards to your personal information:
- Right of access to your personal information, to know what information we hold about you.
- Right to correct any incorrect or incomplete personal information about yourself that we hold.
- Right to restrict/suspend our processing of your personal information.
- Right to complain to a supervisory authority if you believe your privacy rights are being violated. In the UK, this will be the Information Commissioner.
Additional rights that may apply to you in certain instances:
- Right of data portability (if our processing is based on consent or a contract and the processing carried out by automated means);
- Right to withdraw consent at any time (if processing is based on consent). If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time.
- Right to object to processing (if processing is based on legitimate interests)
- Right to object to processing of personal data for direct marketing purposes
- Right of erasure of your personal data from our system ("right to be forgotten") if certain grounds are met
These rights may be limited, for example if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.
Where we collect personal information to administer your accounts or your contract with us or to comply with our legal obligations, this is mandatory and we will not be able to manage our relationship with you without this. In all other cases, the provision of requested personal information is optional, but this may affect your ability to participate in certain Website-related activities or being able to access and use certain features and services, where the information is needed for those purposes.
To exercise your privacy rights, you can email us at the address given below in the ‘Contacting PostHog About Your Privacy’ section of this Privacy Policy.
PostHog is a US company, with a UK subsidiary, however our users are based all over the world and you still hold lots of rights that we respect.
Data retention and deletion
If you already have an account on the Websites, you may access, update, alter, or delete your basic customer profile information by logging into your account and updating profile settings.
PostHog will retain your information for as long as your account is active or as needed to perform our contractual obligations, provide you services through the Website, to comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable opportunity. For instance, in respect of data held for the management of customers and potential customers, we consider the lead time necessary to develop and maintain our commercial relationships and how recent our interactions are with you. We may rectify, update or remove incomplete or inaccurate information, at any time and at our own discretion. For more information on our retention periods you can contact us using the details in the “Contacting PostHog About Your Privacy” section of this Privacy Policy.
Please note that due to the open source nature of our products, services, and community, we may retain limited personal information indefinitely in order to ensure transactional integrity and nonrepudiation. For example, if you provide your information in connection with a blog post, GitHub issue or comment, we may display that information even if you have deleted your account as we do not automatically delete community posts. Also, as described in our Terms of Use, if you contribute to a PostHog project and provide your personal information in connection with that contribution, that information (including your name) will be embedded and publicly displayed with your contribution and we will not be able to delete or erase it because doing so would break the project code.
PostHog will keep your information as long as you have an active account, but you can delete this at any time by logging in and updating your profile settings.
There are some situations where we cannot delete your information, such as if you provide a contribution to one of our projects.