Do I need to disclose PostHog in my privacy policy?

Yes. PostHog processes personal data including user events, session recordings, and device identifiers, making it a data processing activity that requires disclosure under GDPR, CCPA, and similar regulations. Your privacy policy must identify PostHog as an analytics tool, describe the data collected, and explain the legal basis for processing. Failure to disclose PostHog creates compliance risk and violates user transparency obligations.

What specific data does PostHog collect?

PostHog collects user events (clicks, page views, form submissions), session recordings (video-like replays of user activity), device information (browser type, OS, device type), feature flag assignments, and IP addresses. Session recordings may capture sensitive data like passwords or payment information if not properly masked, so you should configure PostHog's masking settings and disclose this risk in your policy.

Does PostHog require a cookie consent banner?

Yes, in most jurisdictions. PostHog uses the ph_* cookie series (1-year expiration) for user identification and analytics. Under GDPR, ePrivacy Directive, and similar laws, you must obtain affirmative consent before placing non-essential cookies. Implement a consent banner that allows users to opt out of PostHog before the script loads, or ensure PostHog is only loaded after consent is granted.

Who processes my PostHog data and where?

PostHog Inc (United States) is the data processor. Data is transferred to US servers by default, creating GDPR adequacy concerns that require Standard Contractual Clauses (SCCs) or similar legal mechanisms. PostHog offers EU cloud hosting options that keep data within the EU, which is preferable for GDPR compliance. Clarify your data transfer mechanism in your privacy policy and data processing agreement.

Analytics

Privacy policy clauses for PostHog

PostHog is an open-source product analytics platform that tracks user interactions, session behavior, and feature usage on websites and applications. Companies use PostHog to understand how users engage with their products, identify friction points, and measure feature performance through event tracking and session replay technology.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data PostHog collects

Your privacy policy must disclose each of the following data types when you use PostHog.

User events

Session recordings

Feature flag data

Device info

When does PostHog trigger privacy obligations?

Installation triggers immediate obligations

The moment you install PostHog's SDK on your website or app, user event data, device identifiers, and session recordings begin flowing to PostHog Inc servers in the US (or EU infrastructure if selected). This triggers three regulatory obligations:

GDPR (if you have EU users): PostHog collects personal data (user IDs, IP addresses, device fingerprints in recordings). Under GDPR Article 13/14, you must provide a privacy notice *before* collection starts, disclosing the processor (PostHog Inc), the data types, the legal basis (typically consent or legitimate interest), and retention periods. You must also execute a Data Processing Agreement (DPA) with PostHog under Article 28.

ePrivacy Directive Article 5(3):

Privacy policy clauses for PostHog

What data PostHog collects

When does PostHog trigger privacy obligations?

Installation triggers immediate obligations

Where data goes

Cookies set by PostHog

Common compliance pitfalls

Not clarifying session recording consent separately

Missing or outdated Data Processing Agreement

Not updating retention and data minimization settings

Legal note

Sample privacy policy clause

What regulators look for

Enforcement priorities

Frequently asked questions

Do I need to disclose PostHog in my privacy policy?

What specific data does PostHog collect?

Does PostHog require a cookie consent banner?

Who processes my PostHog data and where?

Don't ship without Bandit.