Last updated: November 2023
PostHog is an open source project and collaborative community, as well as a company. This means that many portions of our Websites, including information you voluntarily provide, will be public-facing for the open sharing of innovative developments, ideas, and information that makes our collaborative community so great. While we are committed to open sharing, we strive to respect the privacy of individual community members and will minimize the information we collect and share. If you do not want to share your information, including personally identifiable information, with other community members and the public, please be thoughtful as to how you interact with our Websites and what information you provide through the Websites (for example, through creating a public profile, project contributions, comments, and blog posts).
We may provide additional information about our privacy practices in other places - for example, when we ask you to provide personal information in connection with a particular service or when you apply for a job with us.
What Information PostHog collects and why
Information from website visitors
Like most website operators, PostHog automatically collects i) technical information about your device including your device's internet protocol (IP) address; and (ii) information about your visit to our Websites (the referral URL, the content viewed and the content interacted with). Some of this information is collected using cookies and related technologies. See below for further information on these technologies. We collect this information to better understand how visitors use our Websites, to improve our Websites and experience for visitors, and to monitor the security of the Websites.
For logged-in customers to PostHog deployments, PostHog also collects this information on our application using our own software, to help us understand how to make the deployments more useful for different categories of customer.
Usage data information from self-managed PostHog instances
We may aggregate all information (including your personal information) collected from our Websites and self-managed installations for our own statistical and analytics purposes and share such aggregated information with third parties for our own promotional purposes (eg by publishing a report on trends in the usage of our Websites).
Information PostHog does not collect
PostHog does not intentionally collect sensitive or special category personal information, such as genetic data, biometric data for the purposes of uniquely identifying a natural person, health information, or religious information.
PostHog does not knowingly collect information from or direct any of our Website or content specifically to children under the age of 18. If we learn or have reason to suspect that a customer is under the age of 18, we will close that account.
Lawful basis and purposes for processing your personal information
To fulfil a contract or take steps linked to a contract with you
We use your personal information to:
- administer access to your accounts;
- manage our customer relationships;
- process orders, provide our products and services and send you service related communications; and
- provide you with customer support.
We use your personal information:
- to improve and personalize your experience with us and our Websites and to tailor communications to you;
- to monitor and improve the performance of our products and services for administrative, security and fraud prevention purposes;
- for our own internal functions, management and corporate reporting, and internal research and analytics;
We may rely on your consent:
- Where you ask us to send marketing information (e.g. newsletter updates) via a medium where we need your consent under applicable law (for example email marketing in some countries);
- Where you give us consent to place cookies or similar technologies;
- On other occasions where we ask for your consent, for the purpose we explain at the time.
How PostHog uses and protects your personal information
Sharing your information
PostHog only shares your personal information with those of its employees, contractors, and affiliated organizations that (i) need to know that personal information in order to process it on PostHog's behalf or to provide services available on the Website, and (ii) that have agreed not to disclose it to others
Service Providers and partners. PostHog engages a number of service providers or partners to manage or support certain aspects of our business operations on our behalf. For instance, we currently use the following service providers who will handle your personal information:
- AWS - cloud data hosting
- Clearbit - marketing data engine
- Cloudflare - cloud data hosting
- Customer.io - email campaign service provider
- Digital Ocean - website user data for community profiles
- GitHub - open source repositories and internal project management tool
- Google Cloud Platform - cloud data hosting
- Google Workspace - internal collaboration tools
- Heroku - cloud data hosting
- HubSpot - CRM database
- Sentry - application monitoring and error tracking
- Slack - internal communications tool
- Zendesk - customer support tool
Our service providers and partners are required by contract to safeguard any personal information they receive from us and are prohibited from using the personal information for any purpose other than to perform the services as instructed by PostHog.
Legal Requirements. We may disclose personal information to government authorities or other third-parties if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a subpoena, court order or similar legal obligation, (b) protect and defend our rights or property, (c) act in urgent circumstances to protect the personal safety of users of any Website or the public, (d) protect against legal liability, (e) to investigate fraud or other unlawful activity, or (f) or as otherwise required or permitted by law.
Please note, email and IP addresses of users of a PostHog deployment may be shared with the respective users of that deployment.
PostHog takes measures reasonably necessary to protect your personal information against any unauthorized access, use, alteration, or destruction.
PostHog at its sole discretion may make use of company logos where those companies are using the software that we provide. If you have concerns over the use of your logo, please email email@example.com.
International transfer of personal information
The Websites are hosted in the United States, or in Germany if you are a PostHog Cloud customer who has selected EU hosting, and the personal information we collect about our customers' users will be stored and processed on our servers in either the United States or Germany. Information about our customers is processed in the United States by us, and may also be by the service providers and partners listed above. Our employees, contractors and affiliated organizations that process information for us as described above may be located in the United States or in other countries outside of your home country which may have different data protection standards to those which apply in your home country.
PostHog communications with you
If you are a registered user of the Websites and have supplied your email address, PostHog may occasionally send you an email to tell you about security, system information, new features, solicit your feedback, or just keep you up to date with what's going on with PostHog and our products. We primarily use our blog to communicate this type of information, so we expect to keep this type of email to a minimum. There's an unsubscribe link located at the bottom of each of the marketing emails we send you so you can stop receiving such emails at any time.
If you send us a request (for example via a support email or via one of our feedback mechanisms), we reserve the right to publish your request in order to help us clarify or respond to your request or to help us support other customers. We will not publish your personal information in connection with your request.
Cookies, tracking technologies and Do Not Track
We do not use third party tracking services to collect information about you.
Do Not Track
"Do Not Track" is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. PostHog does not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site. Because we do not share this kind of data with third party services or permit this kind of third party data collection for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser's Do Not Track setting.
Global privacy practices and your rights
- provide clear methods of unambiguous, informed consent when we do collect your personal information and where required by applicable law;
- only collect the minimum amount of personal information necessary for the purpose it is collected for, unless you choose to provide us more;
- offer you simple methods of accessing, correcting, or deleting your information that we have collected, with the exception of information you voluntarily provide that is necessary to retain as is for the integrity of our project code as described further below; and
- provide Website customers notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our customers a method of recourse and enforcement.
Where our affiliate within the UK processes your personal information or where we process personal information of individuals located in the EEA or the UK, you are entitled to the following rights with regards to your personal information:
- Right of access to your personal information, to know what information we hold about you.
- Right to correct any incorrect or incomplete personal information about yourself that we hold.
- Right to restrict/suspend our processing of your personal information.
- Right to complain to a supervisory authority if you believe your privacy rights are being violated. In the UK, this will be the Information Commissioner.
Additional rights that may apply to you in certain instances:
- Right of data portability (if our processing is based on consent or a contract and the processing carried out by automated means);
- Right to withdraw consent at any time (if processing is based on consent). If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time.
- Right to object to processing (if processing is based on legitimate interests)
- Right to object to processing of personal data for direct marketing purposes
- Right of erasure of your personal data from our system (“right to be forgotten”) if certain grounds are met
These rights may be limited, for example if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.
Where we collect personal information to administer your accounts or your contract with us or to comply with our legal obligations, this is mandatory and we will not be able to manage our relationship with you without this. In all other cases, the provision of requested personal information is optional, but this may affect your ability to participate in certain Website-related activities or being able to access and use certain features and services, where the information is needed for those purposes.
Data retention and deletion
If you already have an account on the Websites, you may access, update, alter, or delete your basic customer profile information by logging into your account and updating profile settings.
This Addendum reflects the parties’ desire and intent to modify and amend the Agreement, in accordance with the terms and conditions hereinafter set forth, with regard to the processing of Customer Personal Information (as defined below) by PostHog on behalf of the Customer.
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
You represent and warrant that you have full authority to bind the Customer to this Addendum. If you cannot, or do not agree to, comply with and be bound by this Addendum, or do not have authority to bind the Customer or any other entity, please do not provide any Customer Personal Information to us.
This Addendum shall become effective as of the commencement of processing of Customer Personal Information under the Agreement (“Addendum Effective Date”).
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations.
“Customer Personal Information” means any Customer Data maintained by Customer and processed by PostHog solely on Customer’s behalf, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under applicable U.S. Data Protection Laws.
“U.S. Data Protection Laws” means all laws and regulations of the United States of America, including the CCPA, applicable to the processing of personal information (or an analogous variation of such term).
“Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
The parties acknowledge and agree that with regard to the processing of Customer Personal Information performed solely on behalf of Customer, PostHog is a Service Provider and receives Customer Personal Information pursuant to the business purpose of providing the Services to Customer in accordance with the Agreement.
No Sale of Customer Personal Information to PostHog
Customer and PostHog hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to PostHog pursuant to the Agreement constitute a sale of information to PostHog, and that nothing in the Agreement shall be construed as providing for the sale of Customer Personal Information to PostHog.
Limitations on Use and Disclosure
PostHog is prohibited from using or disclosing Customer Personal Information for any purpose other than the specific purpose of performing the Services specified in the Agreement, the permitted business purposes set under applicable law, and as required under applicable law. PostHog hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of applicable U.S. Data Protection Laws.
Data Subject Access Requests
PostHog will reasonably assist Customer with any data subject access, erasure or opt-out requests and objections. If PostHog receives any request from data subjects, authorities, or others relating to its data processing, PostHog will without undue delay inform Customer and reasonably assist Customer with developing a response (but PostHog will not itself respond other than to confirm receipt of the request, to inform the data subject, authority or other third party that their request has been forwarded to Customer, and/or to refer them to Customer, except per reasonable instructions from Customer). PostHog will also reasonably assist Customer with the resolution of any request or inquiries that Customer receives from data protection authorities relating to PostHog, unless PostHog elects to object such requests directly with such authorities.
Effect of this Addendum
In the event of any conflict or inconsistency between the terms of this Addendum and the terms of the Agreement with respect to the subject matter hereof and solely where U.S. Data Protection Laws apply, the terms of this Addendum shall control.
We use Ashby, an online application provided by Ashby Inc., to assist with our recruitment process. We use Ashby to process personal information as a data processor on our behalf. Ashby is only entitled to process your personal data in accordance with our instructions.
Information we collect from applicants
Information we collect from you
We collect and process some or all of the following types of information from you:
- Information you provide when you apply for a role, including contact details such as name, email address, physical address, telephone number
- Information relating to your employment history such as resumé/CV, employment history, qualifications and skills
- If you contact us, we may keep a record of that correspondence
- A record of your progress through any hiring process that we may conduct
- Details of your visits to Ashby’s Website including, but not limited to, traffic data, location data, weblogs and other communication data, the site that referred you to Ashby’s Website and the resources that you access.
Information we collect from other sources
- Ashby provides PostHog with the ability to link the data you provide to us, with other publicly available information about you that you have published online, such as on LinkedIn, GitHub or other public social media profiles.
- Ashby allows PostHog to search various databases which may include your personal data (including your CV or Résumé), to find possible candidates to fill our job openings. Where we find you in this way, we will obtain your personal data from these sources.
- We may receive your personal data from a third party who recommends you as a candidate for a specific job opening or for our business more generally.
How we use applicant information
We only collect and use your personal information for the following purposes:
- To communicate with you about the role you have applied for and to manage the recruitment process
- To consider your application for potential future job opportunities
We will never use a candidate's personal information for marketing purposes.
Lawful basis and purposes for processing applicant personal information
If you are a national of countries in the European Economic Area (EEA), United Kingdom, or Switzerland, we collect and process your personal information on the following legal bases set out by applicable law:
Consent: We may ask you for your consent to process your personal information. You can withdraw your consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.
Legitimate Interest: We process certain personal information for our legitimate interests. These legitimate interests include, for example, running our recruitment process and managing applicants.
Compliance with Legal Obligations: In some cases, we may have a legal obligation to process your personal information, such as to meet our legal requirements or in response to a court or regulatory order. We also may need to process your personal information to protect vital interests, or to exercise, establish, or defend legal claims.
International data transfer of applicant data
Your personal information may be processed in the United States, the country where you have applied for a job, or any other country where PostHog has team members or operations.
PostHog may transfer, store, or process your personal information in a country outside your jurisdiction, including countries outside the European Economic Area (“EEA”), Switzerland, and the United Kingdom. If we transfer personal information from the EEA, Switzerland, or United Kingdom to a country outside it, such as the United States, we will enter into Standard Contractual Clauses (“SCCs”) approved by the EU Commission or by the UK Government, with the data importer, or take other measures to provide an adequate level of data protection.
How long we keep applicant personal data
We will hold all the data for 24 months. Prior to that, your personal information will be deleted if:
- You delete your personal information; or
- You write to us asking us to delete your personal information.
Your rights and choices as an applicant
Please see the section on Global Privacy Practices and Your Rights above.
Data Processing Agreements
If you need to enter into a Data Processing Agreement with us, the version you need will depend on whether you have signed up for PostHog Cloud in the US or EU. Please make a copy of the relevant template below, add your details, and send a signed copy to firstname.lastname@example.org - we will sign and send this back to you.
For the avoidance of doubt, if you use PostHog Cloud EU, no PII data is transferred to the US.
Contacting PostHog about your privacy
The relevant data controller for any personal information processed in connection with our Websites or self-managed installations is PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114. If you apply for a job with us, the relevant data controller is the country-specific PostHog entity which will be your employer.
If your query is in connection with a job application, please email us at email@example.com.
We have appointed an EU and UK representative who can also be contacted at firstname.lastname@example.org.
If you have questions or concerns about the way we are handling your personal information, or would like to exercise your privacy rights, please email us with the subject line "Privacy Concern" at email@example.com.
In most cases, we will respond within 30 days of receiving your message but please note for promptest response, we recommend emailing us.
You can view our complete set of security measures for SOC 2, GDPR, and CCPA here.