Privacy compliance


PostHog offers considerable flexibility in hosting and configuration options to comply with privacy regulations around the world.

In these guides, we offer advice for using PostHog in a compliant manner under the following legal frameworks:

Please note: these guides do not constitute legal advice. We recommend seeking professional advice to ensure you remain compliant with relevant legislation.

Frequently asked questions

This overview covers some frequently asked questions about PostHog and privacy. Have a question not covered here? Use the 'Ask a question' box at the bottom of the page.

Is it ok for my API key to be exposed and public?

It is ok for your project API key (starts with phc_) to be public. It is used to initialize PostHog, capture events, evaluate feature flags, and more, but doesn't have access to your private data.

It is not recommended for your personal API key (starts with phx_) to be public as it enables reading and writing potentially private data.
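The distinction above (a phc_ project key may ship in client code; a phx_ personal key must not) is easy to turn into a pre-commit or CI check. The scanner below is an added example, not PostHog's own code or tooling: it finds PostHog-style keys in source text, treats project keys as acceptable and personal keys as violations, and masks keys in its report so the report itself does not re-leak them. The loose key pattern (a run of at least 20 URL-safe characters after the prefix) and the sample files are assumptions constructed for the demo; real key lengths may differ.

```python
"""
Added example (not PostHog's own code): scan source text for PostHog API keys
and flag personal keys (phx_) that must never ship in public code, while
accepting project keys (phc_), which the page says are safe to expose.

Assumptions (not stated on the page): key bodies are matched loosely as a run
of at least 20 URL-safe characters after the prefix; real keys may differ in
length. The sample inputs below are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Prefix -> (human-readable kind, may it appear in public/client-side code?)
KEY_KINDS = {
    "phc_": ("project API key", True),
    "phx_": ("personal API key", False),
}

# Loose pattern; the exact key length and alphabet are assumptions.
KEY_RE = re.compile(r"\b(ph[cx]_)([A-Za-z0-9_-]{20,})")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked_key: str
    public_ok: bool


def mask(key: str) -> str:
    """Keep the prefix and last 4 chars so a report does not re-leak the secret."""
    return key[:4] + "..." + key[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per key-looking token in `text`, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            prefix, body = m.group(1), m.group(2)
            kind, public_ok = KEY_KINDS[prefix]
            findings.append(Finding(path, line_no, kind, mask(prefix + body), public_ok))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. the files staged in a commit)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def violations(findings: list[Finding]) -> list[Finding]:
    """Only personal keys (phx_) are a problem in code that ships to clients."""
    return [f for f in findings if not f.public_ok]


# Constructed sample files: a browser bundle that correctly uses a project key,
# and one that mistakenly embeds a personal key. Both key values are made up.
SAMPLE_FILES = {
    "src/analytics.js": (
        "import posthog from 'posthog-js'\n"
        "// project key: safe to be public\n"
        "posthog.init('phc_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd')\n"
    ),
    "src/admin.js": (
        "// mistake: personal key pasted into client code\n"
        "const PH_TOKEN = 'phx_ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxw'\n"
    ),
}


if __name__ == "__main__":
    all_findings = scan_files(SAMPLE_FILES)
    for f in all_findings:
        status = "ok (public project key)" if f.public_ok else "VIOLATION (personal key)"
        print(f"{f.path}:{f.line_no} {f.kind} {f.masked_key} -> {status}")
    # Non-zero exit makes this usable as a CI gate.
    raise SystemExit(1 if violations(all_findings) else 0)
```

Run as a script it prints one line per key found and exits non-zero when a personal key is present, which is the behaviour you want from a CI or pre-commit gate. Because `phc_` keys are reported but not treated as failures, the check stays quiet on the normal client-side `posthog.init` call.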

What is and isn't considered personal data?

It's hard to have a single legal definition of personal data because every legal privacy framework has different ideas, and even names, for it. The GDPR calls it 'personal data' but the US uses the term 'personally identifiable information' (PII) and others refer to it as 'personal information'.

According to the GDPR, personal data is any information which:

  1. Identifies a 'data subject' directly
  2. Can be used to identify a 'data subject' when combined with other information

Read our simple guide to personal data and PII for more specific examples to help you identify what personal data you are collecting.

How does the GDPR impact analytics?

There are three key GDPR principles that impact your use of PostHog and analytics in general:

  1. You need to have a good reason to collect personal data
  2. You need to acquire unambiguous consent
  3. Data must be handled securely

Our guide to personal data provides an overview of what's considered personal data under the GDPR, but suffice it to say that its definition is broad.

Is PostHog GDPR compliant?

We have in-depth GDPR guidance documentation for advice on deploying PostHog in a GDPR-compliant way, including how to configure GDPR consent in PostHog and how to comply with 'right to be forgotten' requests.

We also offer PostHog Cloud EU – a managed version of PostHog with servers hosted in Frankfurt, ensuring user data never leaves EU jurisdiction.

Can I use PostHog Cloud under HIPAA?

Yes, we can provide a Business Associate Agreement (BAA) to enable HIPAA-compliant usage of PostHog Cloud. Please contact us to arrange a BAA and discuss your requirements.

Is Google Analytics HIPAA compliant?

No, Google Analytics isn't HIPAA compliant, so it can't be used in any context where you're collecting or processing personal health information. PostHog can be used to collect user data under HIPAA. Read our HIPAA guidance for more information.
