Hotjar and Microsoft Clarity EU Alternative 2026: GDPR Session Recording Risk and What EU Teams Use Instead

Post #938 in the sota.io EU Cyber Compliance Series | EU-ANALYTICS-SERIE Post #5

Session recording tools occupy a different risk category than web analytics platforms. Google Analytics tracks page views and referrers. Hotjar and Microsoft Clarity record what individual users do on each page: every mouse movement, scroll position, click, and — critically — every character they type into every form field your application renders. The GDPR exposure is not just about international data transfers. Session recording creates systematic collection of unstructured personal data that your own developers have not explicitly tagged, classified, or consented to collecting.

Hotjar was incorporated in Malta, acquired by Contentsquare (Paris, France) in 2021, and rebranded as part of the Contentsquare group. Microsoft Clarity is a free session recording tool operated by Microsoft Corporation, headquartered in Redmond, Washington. Both tools have GDPR compliance problems that EU teams frequently underestimate — Hotjar through its US corporate parent, Clarity through Microsoft's full CLOUD Act exposure and opacity around what happens to behavioral data from a free product.

Hotjar: The Contentsquare Acquisition and the CLOUD Act Problem

Hotjar's Corporate Structure After the 2021 Acquisition

Hotjar Ltd. was originally incorporated in Malta — an EU member state — and founded by David Darmanin in 2014. In September 2021, Contentsquare SAS acquired Hotjar for a reported $900 million, making Hotjar a wholly owned subsidiary of the Contentsquare group.

Contentsquare SAS is a French société par actions simplifiée incorporated in Paris. In isolation, a French parent company would be GDPR-favorable: France is an EU member state, the CNIL (Commission nationale de l'informatique et des libertés) is the lead supervisory authority, and French-incorporated entities are subject to EU jurisdiction rather than US jurisdiction for data access purposes.

The CLOUD Act problem arises from the US entity in Contentsquare's corporate structure. Contentsquare, Inc. is a Delaware corporation with offices in New York. Contentsquare has raised over $1.7 billion in venture and growth equity, including from US-based investors. The group operates as an integrated international business with a significant US commercial and operational presence.

The CLOUD Act (18 U.S.C. § 2713) extends US government compulsion authority to "providers of electronic communication service or remote computing service" that are incorporated or headquartered in the United States, or that otherwise fall under US federal jurisdiction. The statute requires disclosure of electronic records "regardless of whether such communication, record, or other information is located within or outside of the United States."

When US authorities serve a CLOUD Act demand on Contentsquare, Inc. — the Delaware entity — Contentsquare's legal obligation to respond applies to records held anywhere in the corporate group, including records held by Hotjar Ltd. in Malta or processed on behalf of EU customers in EU data centers. The French parent (Contentsquare SAS) does not insulate the Delaware subsidiary from US jurisdiction; the Delaware subsidiary is independently subject to US compulsion authority.

What Hotjar Collects from Your Users

Understanding the GDPR risk requires understanding what Hotjar's session recordings actually contain. Unlike product analytics tools that receive discrete named events (feature_activated, checkout_completed), session recording tools receive a continuous stream of UI state:

Mouse movement data: Hotjar records precise cursor coordinates at sub-second intervals as users move their mouse across your page. Heatmaps aggregate this data across thousands of sessions. Individual session recordings show exact cursor trajectories — including hesitation patterns over form fields, which can indicate confusion or anxiety.

Click and tap data: Every click is recorded with element selectors, position, and timestamp. For e-commerce sites, this includes clicks on product pages, pricing comparisons, and checkout buttons. The behavioral profile of a user's purchase decision process is implicitly captured.

Scroll depth and engagement: Scroll positions, time-on-page per section, and viewport coverage are tracked per session and per user. For authenticated sessions where userId is passed to Hotjar, this creates a longitudinal behavioral record tied to an identifiable individual.

Form interaction data: Hotjar records which form fields users interact with, in what order, how long they spend on each field, and — in misconfigured deployments — what they type. Hotjar's default configuration attempts to suppress form field content using keylogging exclusions and input masking. However, masking is not applied automatically to custom UI components, React controlled inputs with non-standard patterns, or dynamically rendered fields.

User attributes: Hotjar's identify API allows you to pass userId, name, email, and custom attributes into Hotjar's session data. When used, this directly links session recordings to named individuals in your database.

Special Category Data Risk in Session Recordings

GDPR Article 9 prohibits processing special category data — data concerning health, racial or ethnic origin, religious beliefs, political opinions, genetic data, biometric data, sexual orientation — without explicit consent or another enumerated basis.

Session recording tools are structurally incapable of guaranteeing that special category data is not captured. Consider:

• A healthcare SaaS where users enter symptoms, medications, or diagnoses into forms. Session recordings capture the rendering of these fields and potentially their content.
• A financial services platform where users answer questions about income, assets, or debts. This financial data relates to identifiable individuals.
• A platform that renders user profile information including religious affiliation, nationality, or relationship status — data that users entered during registration but that the session recording tool now captures each time it is rendered to the screen.

Article 35 requires a Data Protection Impact Assessment before processing that is "likely to result in a high risk to the rights and freedoms of natural persons." Systematic, large-scale processing of behavioral data from authenticated users — including the risk of capturing special category data from screen renderings — falls within Article 35's scope for most product teams using Hotjar at scale.

Microsoft Clarity: The Free Tool That Costs Your GDPR Compliance

Microsoft's Corporate Structure

Microsoft Corporation is incorporated in the state of Washington and headquartered in Redmond, Washington. As a US corporation, Microsoft is subject to the CLOUD Act. Microsoft is also a US person under the Foreign Intelligence Surveillance Act (FISA), meaning US intelligence agencies can compel Microsoft to provide access to communications and records of non-US persons outside the United States under FISA Section 702 — without any requirement to notify the target or seek prior judicial approval.

Clarity is a free product. Microsoft does not charge for Clarity because behavioral data from your users' sessions has value to Microsoft's AI training programs and advertising business. The product's terms of service permit Microsoft to use aggregated, anonymized data for product improvement — a characterization that GDPR supervisory authorities have repeatedly challenged as insufficient basis for behavioral data processing at scale.

Why EU Data Boundary Does Not Help for Clarity

Microsoft has operated its EU Data Boundary program since 2023, which commits to storing and processing certain commercial customer data within the EU for Microsoft 365 and Azure. The program is intended to address GDPR transfer restrictions for enterprise Microsoft customers.

Microsoft Clarity is not part of the EU Data Boundary scope. The EU Data Boundary applies to core Microsoft 365 services and Azure services used by enterprise customers with explicit contractual commitments. Clarity is a free web analytics service — no enterprise contract, no EU Data Boundary coverage, no processing limitation to EU infrastructure.

Even for the services covered by EU Data Boundary, the program has faced scrutiny from privacy regulators. The EU Data Boundary does not change Microsoft's legal obligations under the CLOUD Act. It commits to geographic storage of data, not to refusal of compulsion demands from US authorities. The German data protection conference (Datenschutzkonferenz) and several EU DPAs have noted that EU Data Boundary commitments do not eliminate CLOUD Act exposure.

What Clarity Collects and Microsoft's Data Use

Clarity captures session recordings and heatmaps using JavaScript that runs in your users' browsers. The data collected includes:

• Full session recordings showing cursor movement, clicks, scrolls, and page interactions
• Rage clicks, dead clicks, and quick back navigation (frustration indicators)
• Device type, browser, operating system, and viewport dimensions
• Geographic location derived from IP address
• Referrer and URL data

Microsoft's Clarity privacy documentation states that Clarity uses cookies and local storage to associate sessions with returning visitors. These cookies enable cross-session behavioral tracking of the same user over time — creating longitudinal behavioral profiles from your website visitors without requiring explicit identify() calls.

The data processing agreement for Clarity designates Microsoft as data processor. However, Microsoft's terms for Clarity reserve the right to use aggregated behavioral data for "improving Microsoft's products and services." Under GDPR Article 5(1)(b), personal data collected for one purpose cannot be used for an incompatible purpose. Using data collected via Clarity — ostensibly to help you understand your users' experience — to train Microsoft's AI models or improve its advertising products is a purpose incompatible with the purpose for which users provided consent on your website.

Why Session Recording Creates Deeper GDPR Exposure Than Web Analytics

Product and web analytics tools receive data that your application code explicitly sends: a named event with specific properties. Session recording tools receive everything rendered in the user's browser — including data your application renders from your database, data users type before submitting, and data visible in UI elements your developers never intended to be captured by a third party.

The Residual Data Problem

When your application renders a user's profile page, the session recording JavaScript captures the rendered HTML. If that HTML includes the user's name, email address, home city, or account tier — because your UI displays them — all of that information is now in the session recording. Your developers did not "send" this data to Hotjar or Clarity. But it was captured anyway because session recording tools instrument the entire rendered DOM.

For a GDPR controller, this creates a data processing relationship that is difficult to scope accurately. Your Article 30 records of processing activities (ROPA) should list all personal data you share with processors. If your session recording tool captures user profile data, address data, or financial data through DOM rendering — even if you did not explicitly configure it to do so — that processing must appear in your ROPA with an appropriate legal basis.

Consent Requirements Under ePrivacy

The ePrivacy Directive (2002/58/EC), implemented in national law across EU member states, requires prior informed consent before setting cookies or accessing stored information on a user's device. Session recording tools use cookies and local storage to track users across sessions. This means:

1. Session recording cannot operate under GDPR legitimate interest alone — prior consent is required under ePrivacy in jurisdictions including Germany, France, the Netherlands, Austria, and most EU member states.
2. Users who decline analytics cookies must not have session recordings started for their sessions.
3. Your consent management platform must accurately describe session recording in its cookie categories — and the description must match what the tool actually captures.

The consequence: if your consent rate for analytics cookies is 60%, you have session recordings for only 60% of your users. Hotjar and Clarity both support consent-based recording start, but implementation requires careful configuration to ensure recording truly does not begin before consent is granted.

EU-Native Session Recording Alternatives

Mouseflow

Mouseflow ApS is a Danish company founded in Aarhus, Denmark in 2010. It is EU-incorporated and EU-headquartered, making it subject to EU jurisdiction — specifically the Danish Data Protection Authority (Datatilsynet) — rather than US jurisdiction.

Mouseflow offers session recording, heatmaps, funnel analysis, form analytics, and feedback surveys — comparable feature coverage to Hotjar. Data is stored in EU data centers. As an EU-incorporated entity with no US parent, Mouseflow is not subject to the CLOUD Act. Danish law does not contain FISA-equivalent mass surveillance authorities compelling service providers to enable access to non-Danish customers' data.

Mouseflow's pricing is session-volume based, with a free tier at 500 sessions per month and paid plans starting at approximately €24 per month for 5,000 sessions. Enterprise pricing includes dedicated data processing agreements under GDPR Article 28 with EU data residency commitments.

For EU teams replacing Hotjar or Clarity, Mouseflow is the most direct GDPR-compliant equivalent in terms of feature set, ease of migration, and EU regulatory posture.

Smartlook

Smartlook, a.s. is a Czech company incorporated in Brno, Czech Republic — an EU member state. Founded in 2016, Smartlook provides session recording, heatmaps, event analytics, and funnel visualization. As a Czech-incorporated entity, Smartlook falls under Czech data protection law and the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), which operates under GDPR as a national supervisory authority.

Smartlook differentiates itself with mobile app session recording alongside web recording — capturing user sessions in iOS and Android applications in addition to web browsers. For product teams building mobile apps, this is a significant capability gap compared to Mouseflow.

Smartlook's data residency options include EU-based storage. The company offers GDPR-compliant data processing agreements and has implemented privacy-by-default features including automatic masking of sensitive input fields and configurable consent integration.

Self-Hosted Session Recording: OpenReplay

OpenReplay is an open-source session recording tool available at github.com/openreplay/openreplay. It provides session recording, developer tools replay (network requests, console errors, application state), and heatmaps. The self-hosted deployment model means your session recording data never leaves your own infrastructure.

For EU teams, self-hosting OpenReplay on EU infrastructure — Hetzner (Germany), OVHcloud (France), or Scaleway (Netherlands) — eliminates the CLOUD Act problem entirely. No third-party US processor receives your users' session data. The session recording infrastructure is under your direct control.

Self-hosting requires operational overhead: server provisioning, database management (PostgreSQL), object storage (MinIO or S3-compatible EU storage), and ongoing updates. For teams with infrastructure capacity, this trade-off is worthwhile for maximum GDPR defensibility.

OpenReplay also offers a cloud version, but the self-hosted option is the relevant alternative for teams replacing Hotjar or Clarity on GDPR grounds.

PostHog EU Cloud (Session Recording Feature)

PostHog provides session recording as part of its product analytics platform. PostHog, Inc. is incorporated in the United States (Delaware), which creates the same CLOUD Act concern as other US-incorporated analytics vendors. However, PostHog offers a EU Cloud deployment in Frankfurt, Germany, operated by PostHog's EU entity.

PostHog's EU Cloud deployment has the structural CLOUD Act limitation: the Delaware parent entity could be subject to compulsion demands that reach EU-stored data. For teams already using PostHog for product analytics, the session recording feature adds no additional data processors, and PostHog's EU Cloud is a meaningful step toward EU data residency. For teams specifically replacing Hotjar or Clarity on CLOUD Act grounds, PostHog EU Cloud is a partial rather than complete solution.

GDPR Compliance Checklist for Session Recording Tools

Before deploying any session recording tool — including EU-native alternatives — the following compliance steps apply:

Article 6 lawful basis. Session recording requires an explicit lawful basis. Consent (Article 6(1)(a)) is typically required under ePrivacy in EU member states. Legitimate interest (Article 6(1)(f)) is insufficient on its own in most EU jurisdictions for third-party tracking cookies. Document your lawful basis in your ROPA.

Article 7 consent mechanism. If relying on consent, your consent management platform must record timestamped consent before the session recording SDK loads. The SDK must not initialize, set cookies, or begin recording until consent is confirmed. Test this with browser devtools with cookies cleared.

Article 25 data minimization. Configure field masking for all personal data inputs: name, email, password, address, payment, date of birth, and any custom fields containing personal data. For EU tools, this is typically a CSS class configuration (data-hj-suppress for Hotjar, equivalent for Mouseflow/Smartlook). Verify masking works for your specific component library and rendering patterns.

Article 28 DPA. Ensure you have a signed Data Processing Agreement with your session recording provider. Review the DPA for sub-processor lists, data retention limits, and breach notification timelines. EU-native providers (Mouseflow, Smartlook) should have DPAs without SCC requirements.

Article 35 DPIA. If your product processes authenticated user data at scale, or if it handles health, financial, or other sensitive data categories, conduct a DPIA before deploying session recording. Document the necessity and proportionality of session recording relative to your UX optimization goals.

Article 44-49 transfer mechanism. If using a non-EU processor (Hotjar via Contentsquare Inc., Clarity via Microsoft Corp.), document the transfer mechanism. Standard Contractual Clauses (SCCs) are the available mechanism for US providers. Note that SCCs do not eliminate CLOUD Act exposure — they establish contractual obligations but cannot override US law.

Migration Path from Hotjar or Clarity

Migrating from Hotjar or Clarity to a GDPR-compliant EU alternative requires three steps:

Step 1: Data export. Export any session recordings, heatmap data, or funnel data you need to retain before decommissioning Hotjar or Clarity. Session recording data typically has limited long-term value for UX analysis, but form analytics and funnel data may inform current roadmap decisions. Export what you need, then document the deletion of historical data under Article 17.

Step 2: Implementation replacement. Install your EU alternative's SDK in place of Hotjar or Clarity's embed code. For Mouseflow, the JavaScript snippet is a single script tag similar to Hotjar's. For Smartlook, the same pattern applies. Configure field masking, consent integration, and sampling rate before enabling recordings in production.

Step 3: Privacy documentation update. Update your privacy policy to remove references to Hotjar and Microsoft Clarity as data processors. Add your EU alternative with its DPA reference. Update your Article 30 ROPA. Update your cookie consent banner to accurately describe the new session recording tool.

Decommissioning Hotjar requires deleting your organization's data under Hotjar's data deletion request process. Microsoft Clarity data can be deleted through the Clarity dashboard's data deletion features. Document both deletions for your accountability records under GDPR Article 5(2).

Summary

Hotjar — despite its Maltese origins and French parent company — maintains a Delaware US entity through Contentsquare, Inc. that creates CLOUD Act exposure for session recording data processed on behalf of EU customers. Microsoft Clarity is operated directly by Microsoft Corporation, a US person with full CLOUD Act and FISA Section 702 exposure, with no EU Data Boundary coverage for the free analytics service.

Session recording tools capture more personal data than web analytics tools because they record everything rendered in the user's browser — including data your developers never intended to share with a third-party processor. Special category data risk, Art.35 DPIA requirements, and ePrivacy consent obligations make session recording one of the higher-stakes GDPR compliance decisions for EU product teams.

EU-native alternatives exist. Mouseflow (Denmark) and Smartlook (Czech Republic) offer feature-comparable session recording and heatmap tools without CLOUD Act exposure. OpenReplay (self-hosted) eliminates third-party processor risk entirely.

The session recordings that help you understand user behavior should not simultaneously create compliance exposure that your users, regulators, and legal team would not sanction. Switching to an EU-native alternative is a four-hour migration, not a multi-month project.

EU-ANALYTICS-SERIE — This is post #5 of 6 in sota.io's series on GDPR compliance for analytics tools used by EU SaaS developers. Previous posts covered Google Analytics 4, Mixpanel, Segment/Twilio, and Amplitude. The final post will cover A/B testing platforms: Optimizely, LaunchDarkly, and EU alternatives.

sota.io is an EU-native managed PaaS for developers — built on Hetzner Germany, no US parent company, no CLOUD Act exposure.