Privacy policy

Last updated: November 2023

Privacy Policy

Introduction

This privacy policy (“Privacy Policy”) applies to all visitors and customers of the PostHog.com hosted services and websites (collectively, the “Website” or “Websites”) and self-managed installations, which are offered by PostHog Inc (formerly Hiberly Inc) and/or any of its affiliates (“PostHog” or “we” or “us”) and describes how we process your personal information in connection with those Websites or self managed installations, customer events and demos, and how we collect information through the use of cookies and related technologies. It also tells you how you can access and update your personal information and describes the data protection rights that may be available under your country’s or state's laws, including (in the European Economic Area ("EEA"), and UK), a right to object to some processing that we carry out or, where we rely on consent, how to withdraw that consent. Please read this Privacy Policy carefully. By accessing or using any part of the Websites or self-managed installations, you acknowledge you have been informed of and consent to our practices with regard to your personal information and data.

PostHog is an open source project and collaborative community, as well as a company. This means that many portions of our Websites, including information you voluntarily provide, will be public-facing for the open sharing of innovative developments, ideas, and information that makes our collaborative community so great. While we are committed to open sharing, we strive to respect the privacy of individual community members and will minimize the information we collect and share. If you do not want to share your information, including personally identifiable information, with other community members and the public, please be thoughtful as to how you interact with our Websites and what information you provide through the Websites (for example, through creating a public profile, project contributions, comments, and blog posts).

Unless otherwise stated, we act as the data controller for the data processing operations described in this Privacy Policy.

We may provide additional information about our privacy practices in other places - for example, when we ask you to provide personal information in connection with a particular service or when you apply for a job with us.

What Information PostHog collects and why

Information from website visitors

Like most website operators, PostHog automatically collects i) technical information about your device including your device's internet protocol (IP) address; and (ii) information about your visit to our Websites (the referral URL, the content viewed and the content interacted with). Some of this information is collected using cookies and related technologies. See below for further information on these technologies. We collect this information to better understand how visitors use our Websites, to improve our Websites and experience for visitors, and to monitor the security of the Websites.

For logged-in customers to PostHog deployments, PostHog also collects this information on our application using our own software, to help us understand how to make the deployments more useful for different categories of customer.

Usage data information from self-managed PostHog instances

PostHog automatically collects information about usage from each self-managed PostHog instance (Open Source, Scale and Enterprise Edition). We may use cookies and similar technologies to collect some of this information. It is possible to opt out of your personal information being transferred, and for self-managed PostHog instances, we do not track your end users at all. PostHog tracks the usage of these instances at an aggregate level - it is also possible to prevent this through modifying the code, which is made available to you.

Personal information

You may choose to interact with our Websites in ways that provide us with your personal information. In some instances, a User ID is generated for form and URL tracking, page views, page pings and usage counts in order to ascertain product performance and development. The amount and type of information that PostHog gathers depends on the nature of your interaction with us, as well as the amount of information you choose to share. For example, we ask visitors who use our community Slack group to provide a username and email address. We will also collect the information you provide with us in connection with creating an account on the Website. Certain profile information (such as your username) may be shared publicly, as well as activity under your profile. If you report a security vulnerability to PostHog and request public acknowledgement, then we may publicly disclose the personal information you provided to us in connection with the report, including your name to fulfil your request for acknowledgement. In each case, PostHog collects such personal information only insofar as is necessary or appropriate to fulfil the purpose of your interaction with or your request to PostHog. We may also collect certain personal information during live in-person events and demos. We will not disclose your personal information other than as described in this Privacy Policy.

We may aggregate all information (including your personal information) collected from our Websites and self-managed installations for our own statistical and analytics purposes and share such aggregated information with third parties for our own promotional purposes (eg by publishing a report on trends in the usage of our Websites).

Information PostHog does not collect

PostHog does not intentionally collect sensitive or special category personal information, such as genetic data, biometric data for the purposes of uniquely identifying a natural person, health information, or religious information.

PostHog does not knowingly collect information from or direct any of our Website or content specifically to children under the age of 18. If we learn or have reason to suspect that a customer is under the age of 18, we will close that account.

Lawful basis and purposes for processing your personal information

To fulfil a contract or take steps linked to a contract with you

We use your personal information to:

  • administer access to your accounts;
  • manage our customer relationships;
  • process orders, provide our products and services and send you service related communications; and
  • provide you with customer support.

Legitimate interests

We use your personal information:

  • to improve and personalize your experience with us and our Websites and to tailor communications to you;
  • to monitor and improve the performance of our products and services for administrative, security and fraud prevention purposes;
  • for our own internal functions, management and corporate reporting, and internal research and analytics;
  • to enforce compliance with our terms of use and other policies or otherwise in connection with legal claims, compliance, regulatory and investigatory purposes as necessary (including disclosure of such information in connection with legal process or litigation); and

Consent

We may rely on your consent:

  • Where you ask us to send marketing information (e.g. newsletter updates) via a medium where we need your consent under applicable law (for example email marketing in some countries);
  • Where you give us consent to place cookies or similar technologies;
  • On other occasions where we ask for your consent, for the purpose we explain at the time.

You may withdraw your consent at any time through the unsubscribe feature provided with the relevant marketing email or by contacting us using the details in the ‘Contacting PostHog About Your Privacy’ section of this Privacy Policy.

How PostHog uses and protects your personal information

Sharing your information

PostHog may share your personal information with the third-parties listed below for the purposes that are described in this Privacy Policy or otherwise with your consent.

PostHog only shares your personal information with those of its employees, contractors, and affiliated organizations that (i) need to know that personal information in order to process it on PostHog's behalf or to provide services available on the Website, and (ii) that have agreed not to disclose it to others

Service Providers and partners. PostHog engages a number of service providers or partners to manage or support certain aspects of our business operations on our behalf. For instance, we currently use the following service providers who will handle your personal information:

  • AWS - cloud data hosting
  • Clearbit - marketing data engine
  • Cloudflare - cloud data hosting
  • Customer.io - email campaign service provider
  • Digital Ocean - website user data for community profiles
  • GitHub - open source repositories and internal project management tool
  • Google Cloud Platform - cloud data hosting
  • Google Workspace - internal collaboration tools
  • Heroku - cloud data hosting
  • HubSpot - CRM database
  • Sentry - application monitoring and error tracking
  • Slack - internal communications tool
  • Zendesk - customer support tool

Our service providers and partners are required by contract to safeguard any personal information they receive from us and are prohibited from using the personal information for any purpose other than to perform the services as instructed by PostHog.

Affiliates. PostHog is a global business, headquartered in the United States. Your personal information collected by us in accordance with this Privacy Policy is used and shared by PostHog Inc to our affiliate company based in the UK (Hiberly Ltd) for the purposes of providing the Websites, delivering our Products and services, managing your accounts, hosting, IT, security, support, billing, marketing, and communications.

Legal Requirements. We may disclose personal information to government authorities or other third-parties if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a subpoena, court order or similar legal obligation, (b) protect and defend our rights or property, (c) act in urgent circumstances to protect the personal safety of users of any Website or the public, (d) protect against legal liability, (e) to investigate fraud or other unlawful activity, or (f) or as otherwise required or permitted by law.

Please note, email and IP addresses of users of a PostHog deployment may be shared with the respective users of that deployment.

PostHog takes measures reasonably necessary to protect your personal information against any unauthorized access, use, alteration, or destruction.

PostHog at its sole discretion may make use of company logos where those companies are using the software that we provide. If you have concerns over the use of your logo, please email logos@posthog.com.

International transfer of personal information

The Websites are hosted in the United States, or in Germany if you are a PostHog Cloud customer who has selected EU hosting, and the personal information we collect about our customers' users will be stored and processed on our servers in either the United States or Germany. Information about our customers is processed in the United States by us, and may also be by the service providers and partners listed above. Our employees, contractors and affiliated organizations that process information for us as described above may be located in the United States or in other countries outside of your home country which may have different data protection standards to those which apply in your home country.

Where your personal information is transferred outside of the EEA, Switzerland and UK and where this is to a country which is not subject to an adequacy decision by the EU Commission or considered adequate as determined by applicable data protection laws, we will take steps to ensure your personal information is adequately protected by safeguards such as Standard Contractual Clauses (“SCCs”) approved by the EU Commission or by the UK Government. A copy of the relevant mechanism can be obtained for your review on request by using the contact details in the ‘Contacting PostHog About Your Privacy’ section of this Privacy Policy.

Posthog complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Posthog has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Posthog has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (together, the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/ .

For the actions of third party agents PostHog engages to process data on our behalf, PostHog remains responsible and liable under the DPF Principles if a third party agent processes the Personal Data in a manner inconsistent with the DPF Principles, unless PostHog proves that it is not responsible for the event giving rise to the damage.

Disputes

As part of our commitment to the DPF Principles, if you are a resident of the European Union, UK, or Switzerland and you have a privacy or data use concern, please contact PostHog directly at privacy@posthog.com and PostHog will use its best efforts to address your concern within 45 days of receipt of your complaint. For an unresolved privacy or data use concern that PostHog has not addressed satisfactorily, please contact our U.S. based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/dpf-dispute-resolution

For any DPF disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the DPF's binding arbitration scheme, please see Annex I of the DPF Principles, here: https://www.dataprivacyframework.gov/s/article/Participation-Requirements-Data-Privacy-Framework-DPF-Principles-dpf. The Federal Trade Commission has investigation and enforcement authority over PostHog’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF

PostHog communications with you

If you are a registered user of the Websites and have supplied your email address, PostHog may occasionally send you an email to tell you about security, system information, new features, solicit your feedback, or just keep you up to date with what's going on with PostHog and our products. We primarily use our blog to communicate this type of information, so we expect to keep this type of email to a minimum. There's an unsubscribe link located at the bottom of each of the marketing emails we send you so you can stop receiving such emails at any time.

If you send us a request (for example via a support email or via one of our feedback mechanisms), we reserve the right to publish your request in order to help us clarify or respond to your request or to help us support other customers. We will not publish your personal information in connection with your request.

Cookies, tracking technologies and Do Not Track

Cookies

A cookie is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides to the website each time the visitor returns. PostHog uses cookies to help PostHog identify and track visitors, their usage of the Websites, and their Website access preferences. PostHog visitors who do not wish to have cookies placed on their computers may set their browsers to refuse cookies before using the Websites. Disabling browser cookies may cause certain features of PostHog's websites to not function properly.

Certain pages on the Website may set other third party cookies. For example, we may embed content, such as videos, from another site that sets a cookie. These sites set their own cookies and we do not have access or control over these cookies. The use of cookies by third parties is not covered by our Privacy Policy.

Tracking technologies

We do not use third party tracking services to collect information about you.

Do Not Track

"Do Not Track" is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. PostHog does not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site. Because we do not share this kind of data with third party services or permit this kind of third party data collection for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser's Do Not Track setting.

Global privacy practices and your rights

Information we collect may be stored and processed in the United States in accordance with this Privacy Policy but we understand that users from other countries may have different expectations and rights with regard to their privacy. For all Website visitors and customers, no matter their country of location, we will:

  • provide clear methods of unambiguous, informed consent when we do collect your personal information and where required by applicable law;
  • only collect the minimum amount of personal information necessary for the purpose it is collected for, unless you choose to provide us more;
  • offer you simple methods of accessing, correcting, or deleting your information that we have collected, with the exception of information you voluntarily provide that is necessary to retain as is for the integrity of our project code as described further below; and
  • provide Website customers notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our customers a method of recourse and enforcement.

Where our affiliate within the UK processes your personal information or where we process personal information of individuals located in the EEA, Switzerland or the UK, you are entitled to the following rights with regards to your personal information:

  • Right of access to your personal information, to know what information we hold about you.
  • Right to correct any incorrect or incomplete personal information about yourself that we hold.
  • Right to restrict/suspend our processing of your personal information.
  • Right to complain to a supervisory authority if you believe your privacy rights are being violated. In the UK, this will be the Information Commissioner.

Additional rights that may apply to you in certain instances:

  • Right of data portability (if our processing is based on consent or a contract and the processing carried out by automated means);
  • Right to withdraw consent at any time (if processing is based on consent). If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time.
  • Right to object to processing (if processing is based on legitimate interests)
  • Right to object to processing of personal data for direct marketing purposes
  • Right of erasure of your personal data from our system (“right to be forgotten”) if certain grounds are met

These rights may be limited, for example if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.

Where we collect personal information to administer your accounts or your contract with us or to comply with our legal obligations, this is mandatory and we will not be able to manage our relationship with you without this. In all other cases, the provision of requested personal information is optional, but this may affect your ability to participate in certain Website-related activities or being able to access and use certain features and services, where the information is needed for those purposes.

To exercise your privacy rights, you can email us at the address given below in the ‘Contacting PostHog About Your Privacy’ section of this Privacy Policy.

Data retention and deletion

If you already have an account on the Websites, you may access, update, alter, or delete your basic customer profile information by logging into your account and updating profile settings.

PostHog will retain your information for as long as your account is active or as needed to perform our contractual obligations, provide you services through the Website, to comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable opportunity. For instance, in respect of data held for the management of customers and potential customers, we consider the lead time necessary to develop and maintain our commercial relationships and how recent our interactions are with you. We may rectify, update or remove incomplete or inaccurate information, at any time and at our own discretion. For more information on our retention periods you can contact us using the details in the “Contacting PostHog About Your Privacy” section of this Privacy Policy.

Please note that due to the open source nature of our products, services, and community, we may retain limited personal information indefinitely in order to ensure transactional integrity and nonrepudiation. For example, if you provide your information in connection with a blog post, GitHub issue or comment, we may display that information even if you have deleted your account as we do not automatically delete community posts. Also, as described in our Terms of Use, if you contribute to a PostHog project and provide your personal information in connection with that contribution, that information (including your name) will be embedded and publicly displayed with your contribution and we will not be able to delete or erase it because doing so would break the project code.

CCPA Addendum

Introduction

This Addendum (“Addendum”) forms part of the Privacy Policy, and of any superseding written agreement, entered by and between you, the Customer (as defined in the Agreement) (“Customer”), and PostHog Inc. (“PostHog”; and collectively – the “Agreement”).

This Addendum reflects the parties’ desire and intent to modify and amend the Agreement, in accordance with the terms and conditions hereinafter set forth, with regard to the processing of Customer Personal Information (as defined below) by PostHog on behalf of the Customer.

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

You represent and warrant that you have full authority to bind the Customer to this Addendum. If you cannot, or do not agree to, comply with and be bound by this Addendum, or do not have authority to bind the Customer or any other entity, please do not provide any Customer Personal Information to us.

This Addendum shall become effective as of the commencement of processing of Customer Personal Information under the Agreement (“Addendum Effective Date”).

If you need a signed copy of this Addendum you can download a template, enter your details, send a request to privacy@posthog.com and we’ll provide you a countersigned copy.

Definitions

CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations.

Customer Personal Information” means any Customer Data maintained by Customer and processed by PostHog solely on Customer’s behalf, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under applicable U.S. Data Protection Laws.

U.S. Data Protection Laws” means all laws and regulations of the United States of America, including the CCPA, applicable to the processing of personal information (or an analogous variation of such term).

Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.

Amendments

Roles

The parties acknowledge and agree that with regard to the processing of Customer Personal Information performed solely on behalf of Customer, PostHog is a Service Provider and receives Customer Personal Information pursuant to the business purpose of providing the Services to Customer in accordance with the Agreement.

No Sale of Customer Personal Information to PostHog

Customer and PostHog hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to PostHog pursuant to the Agreement constitute a sale of information to PostHog, and that nothing in the Agreement shall be construed as providing for the sale of Customer Personal Information to PostHog.

Limitations on Use and Disclosure

PostHog is prohibited from using or disclosing Customer Personal Information for any purpose other than the specific purpose of performing the Services specified in the Agreement, the permitted business purposes set under applicable law, and as required under applicable law. PostHog hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of applicable U.S. Data Protection Laws.

Data Subject Access Requests

PostHog will reasonably assist Customer with any data subject access, erasure or opt-out requests and objections. If PostHog receives any request from data subjects, authorities, or others relating to its data processing, PostHog will without undue delay inform Customer and reasonably assist Customer with developing a response (but PostHog will not itself respond other than to confirm receipt of the request, to inform the data subject, authority or other third party that their request has been forwarded to Customer, and/or to refer them to Customer, except per reasonable instructions from Customer). PostHog will also reasonably assist Customer with the resolution of any request or inquiries that Customer receives from data protection authorities relating to PostHog, unless PostHog elects to object such requests directly with such authorities.

Effect of this Addendum

In the event of any conflict or inconsistency between the terms of this Addendum and the terms of the Agreement with respect to the subject matter hereof and solely where U.S. Data Protection Laws apply, the terms of this Addendum shall control.

Job Applications

This section sets out how we collect, store, and process personal information as part of our recruitment process. It only applies to users of our website who submit an application for one of our open roles and is supplemental to the above Privacy Policy.

We use Ashby, an online application provided by Ashby Inc., to assist with our recruitment process. We use Ashby to process personal information as a data processor on our behalf. Ashby is only entitled to process your personal data in accordance with our instructions.

Where you apply for a job opening posted by us, these provisions will apply to our processing of your personal information. When you apply for a job opening via the application function on a job site like LinkedIn or similar online service provider (referred to below as a “Partner”), you should note that the relevant Partner may retain your personal data and may also collect data from us in respect of the progress of your application. Any use by the Partner of your data will be in accordance with the Partner’s privacy policy.

Information we collect from applicants

Information we collect from you

We collect and process some or all of the following types of information from you:

  • Information you provide when you apply for a role, including contact details such as name, email address, physical address, telephone number
  • Information relating to your employment history such as resumé/CV, employment history, qualifications and skills
  • If you contact us, we may keep a record of that correspondence
  • A record of your progress through any hiring process that we may conduct
  • Details of your visits to Ashby’s Website including, but not limited to, traffic data, location data, weblogs and other communication data, the site that referred you to Ashby’s Website and the resources that you access.

Information we collect from other sources

  • Ashby provides PostHog with the ability to link the data you provide to us, with other publicly available information about you that you have published online, such as on LinkedIn, GitHub or other public social media profiles.
  • Ashby allows PostHog to search various databases which may include your personal data (including your CV or Résumé), to find possible candidates to fill our job openings. Where we find you in this way, we will obtain your personal data from these sources.
  • We may receive your personal data from a third party who recommends you as a candidate for a specific job opening or for our business more generally.

How we use applicant information

We only collect and use your personal information for the following purposes:

  • To communicate with you about the role you have applied for and to manage the recruitment process
  • To consider your application for potential future job opportunities

We will never use a candidate's personal information for marketing purposes.

Lawful basis and purposes for processing applicant personal information

If you are a national of countries in the European Economic Area (EEA), United Kingdom, or Switzerland, we collect and process your personal information on the following legal bases set out by applicable law:

Consent: We may ask you for your consent to process your personal information. You can withdraw your consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.

Legitimate Interest: We process certain personal information for our legitimate interests. These legitimate interests include, for example, running our recruitment process and managing applicants.

Compliance with Legal Obligations: In some cases, we may have a legal obligation to process your personal information, such as to meet our legal requirements or in response to a court or regulatory order. We also may need to process your personal information to protect vital interests, or to exercise, establish, or defend legal claims.

International data transfer of applicant data

Your personal information may be processed in the United States, the country where you have applied for a job, or any other country where PostHog has team members or operations.

PostHog may transfer, store, or process your personal information in a country outside your jurisdiction, including countries outside the European Economic Area (“EEA”), Switzerland, and the United Kingdom. If we transfer personal information from the EEA, Switzerland, or United Kingdom to a country outside it, such as the United States, we will enter into Standard Contractual Clauses (“SCCs”) approved by the EU Commission or by the UK Government, with the data importer, or take other measures to provide an adequate level of data protection.

How long we keep applicant personal data

We will hold all the data for 24 months. Prior to that, your personal information will be deleted if:

  • You delete your personal information; or
  • You write to us asking us to delete your personal information.

Your rights and choices as an applicant

Please see the section on Global Privacy Practices and Your Rights above.

Data Processing Agreements

If you need to enter into a Data Processing Agreement with us, the version you need will depend on whether you have signed up for PostHog Cloud in the US or EU. Please make a copy of the relevant template below, add your details, and send a signed copy to privacy@posthog.com - we will sign and send this back to you.

For the avoidance of doubt, if you use PostHog Cloud EU, no PII data is transferred to the US.

Contacting PostHog about your privacy

The relevant data controller for any personal information processed in connection with our Websites or self-managed installations is PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114. If you apply for a job with us, the relevant data controller is the country-specific PostHog entity which will be your employer.

If you have any questions about this Privacy Policy or our privacy and security practices or you wish to make a complaint about our compliance with applicable privacy laws, please feel free to contact us at privacy@posthog.com.

If your query is in connection with a job application, please email us at careers@posthog.com.

We have appointed an EU and UK representative who can also be contacted at privacy@posthog.com.

If you have questions or concerns about the way we are handling your personal information, or would like to exercise your privacy rights, please email us with the subject line "Privacy Concern" at privacy@posthog.com.

In most cases, we will respond within 30 days of receiving your message but please note for promptest response, we recommend emailing us.

Privacy policy changes

Although most changes are likely to be minor, PostHog may change its privacy policy from time to time, and in PostHog's sole discretion.

We may also provide notification to customers who have provided us email addresses of material changes to this Privacy Policy through our Website. PostHog encourages visitors to frequently check this page for any minor changes to its Privacy Policy. Your continued use of this site after any change in this Privacy Policy will constitute your acceptance of such change.

Security measures

You can view our complete set of security measures for SOC 2, GDPR, and CCPA here.