Heap


Product analytics and behavioral data platform used by growth and product teams. Heap automatically captures all user interactions — clicks, form submissions, page views — without requiring manual event instrumentation. Sets cookies to build retroactive user journey analysis from historical data.

Overview

Heap is a product analytics platform that automatically captures every user interaction on a website or web application without requiring manual event instrumentation. Unlike traditional analytics tools where engineers must code each tracked event in advance, Heap's auto-capture approach records all clicks, form submissions, page views, and UI interactions from the moment the script loads. Product and growth teams use Heap for retroactive funnel analysis, user journey mapping, cohort retention analysis, and feature adoption measurement. Heap also offers session replay capabilities when that feature is enabled.

What This Script Does

The Heap script (cdn.heapanalytics.com/js/heap-[APP_ID].js) initializes the Heap SDK and begins comprehensive event capture immediately:

Auto-capture behavior:

  • Captures every click interaction, including the target element's CSS selector path, text content, element attributes (aria-label, data-* attributes, id, class), and coordinates
  • Records all form field interactions — focus, blur, and change events — along with field metadata. Note: Heap masks input values by default to avoid capturing passwords and sensitive data, but this is configurable.
  • Tracks page views (URL, referrer, page title) on every navigation and route change in single-page applications
  • Captures rage clicks, dead clicks, and scroll depth when session replay is enabled

Cookies and identity:

  • Sets _hp2_id.[APP_ID] (first-party, persistent, 13-month expiry) — the primary user identity cookie storing a pseudonymous Heap user ID
  • Sets _hp2_ses_props.[APP_ID] (first-party, session, expires at session end) — current session metadata including session start time and initial referrer
  • Sets _hp2_hld.[APP_ID] (first-party, 1-day expiry) — used for holdout experiment group assignment

Data transmission:

  • Batches captured events and sends them via POST to heapanalytics.com/api/track at regular intervals and on page unload
  • Each event payload includes: user ID from cookie, session ID, event type, timestamp, element metadata, and page URL

Session replay (if enabled):

  • Records DOM snapshots and mutation events to reconstruct user sessions
  • Captures mouse movements, scroll positions, and viewport dimensions
  • Replay data is transmitted to Heap's servers separately from event data

Retroactive analysis:

  • Heap's data model stores raw event streams, allowing teams to define virtual events (e.g., "clicked Add to Cart") after the fact and apply them to historical data

Consent & Compliance

  • Category: Analytics
  • GDPR/ePrivacy: Heap captures extensive behavioral data and sets persistent cookies for user identification across sessions. The auto-capture model means data collection is broad and continuous. Explicit consent is required under the ePrivacy Directive before the script loads. A data processing agreement with Heap is required. Heap offers EU data residency options.
  • CCPA: Behavioral event data, session data, and the pseudonymous user ID constitute personal information. Must be disclosed in your privacy policy. Honor opt-out requests by blocking the script.
  • Session replay: If session replay is enabled, the privacy implications are heightened — DOM snapshots may capture sensitive content visible to users. Additional notice to users is advisable.
  • EU-US transfers: Heap is US-based (San Francisco). Transfers rely on Standard Contractual Clauses or the EU-US Data Privacy Framework.

Should You Block This Without Consent?

Yes. Heap's auto-capture approach records all user interactions and sets persistent identifying cookies from the moment it loads. Its broad-by-default data collection model makes prior consent especially important — there is no "minimal" version of Heap that loads without tracking. Block until analytics consent is granted.
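
One way to verify that blocking works is to audit a page load captured before consent for Heap requests and cookies. This is an added example, not code from Heap or ConsentStack: the function names and the sample capture are constructed, while the domains, paths and cookie names are the ones listed on this page.

```javascript
// Hostnames, paths and _hp2_* cookie names are taken from the page above;
// function names and the sample capture are constructed for this example.
const HEAP_DOMAINS = ["heapanalytics.com", "heap.io"];
const HEAP_COOKIE_RE = /^_hp2_(id|ses_props|hld)\.(.+)$/;

// Exact host or true subdomain only, so lookalike suffixes do not match.
function isHeapHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return HEAP_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

function classifyRequest(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; } // skip unparsable entries
  if (!isHeapHost(u.hostname)) return null;
  if (/^\/js\/heap-[^/]+\.js$/.test(u.pathname)) return "sdk-load";
  if (u.pathname.startsWith("/api/track")) return "event-upload";
  return "other-heap-request";
}

// Parse a Cookie header / document.cookie string and pick out Heap cookies.
function findHeapCookies(cookieHeader) {
  return cookieHeader.split(";")
    .map((pair) => HEAP_COOKIE_RE.exec(pair.trim().split("=")[0]))
    .filter(Boolean)
    .map((m) => ({ cookie: "_hp2_" + m[1], appId: m[2] }));
}

function auditPreConsent({ requests, cookieHeader }) {
  const hits = requests
    .map((url) => ({ url, kind: classifyRequest(url) }))
    .filter((r) => r.kind !== null);
  const cookies = findHeapCookies(cookieHeader);
  return { compliant: hits.length === 0 && cookies.length === 0, hits, cookies };
}

// Constructed capture: a page load recorded before the visitor answered the banner.
const sample = {
  requests: [
    "https://example.test/app.js",
    "https://cdn.heapanalytics.com/js/heap-1234567890.js",
    "https://heapanalytics.com/api/track",
    "https://notheapanalytics.com/js/heap-1.js", // lookalike, must not match
  ],
  cookieHeader: "sid=abc; _hp2_id.1234567890=xyz; theme=dark",
};
console.log(JSON.stringify(auditPreConsent(sample), null, 2));
```

Feed it the request URLs from a HAR export or a headless-browser run plus the resulting cookie string; any hit or cookie in a pre-consent capture means the script was not suppressed.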


Consent Categories

Analytics

Also Known As

  • Heap Analytics
  • Heap.io
  • autocapture analytics
  • product analytics
  • behavioral analytics
  • heap tracking
  • session analytics

Industries

  • Programming and Developer Software
  • Computers Electronics and Technology

Tracked Domains (3)

  • heapanalytics.com (Analytics)
  • heap.io (Analytics)
  • cdn.heapanalytics.com (Analytics)

Frequently Asked Questions

Why does Heap require consent before it loads?

Heap auto-captures every click, form interaction, and page view from the moment it loads, setting a 13-month persistent identity cookie. There is no minimal mode — the script begins comprehensive behavioral data collection immediately without any configuration.

What cookies does Heap set?

Heap sets _hp2_id (13-month persistent identity cookie), _hp2_ses_props (session metadata), and _hp2_hld (holdout experiment assignment, 1-day). All are first-party but non-essential, as they enable behavioral profiling rather than delivering a user-requested service.

How does ConsentStack handle Heap?

ConsentStack blocks Heap until analytics consent is granted. Given Heap's auto-capture approach, partial loading is not viable — ConsentStack suppresses the script entirely and enables it only after consent, ensuring no behavioral data is collected from visitors who decline analytics.

Related Vendors

Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.

Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.

Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.

Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.

LinkedIn Insight Tag
LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.
