PostHog

posthog.com · facts updated 1 week ago

Privacy facts at a glance
Jurisdictions
US · EU · EEA · UK · CH
Retention
Data is kept as long as the account is active, and users can delete it at any time.
Breach notification
PostHog states it will notify customers of a breach without delay and provide everything needed to handle notification duties.
Transfer mechanism
Standard Contractual Clauses (SCCs), including UK addendum and Swiss FDPA coverage; PostHog is also part of the EU-US Data Privacy Framework.
DPA available
Yes
Certifications
SOC 2 Type II
GDPR addressed
Yes
CCPA addressed
Yes

Tracked documents

Privacy policy
https://posthog.com/privacy checked 11 hours ago
Terms of service
https://posthog.com/terms checked 8 hours ago
Data processing agreement
https://posthog.com/dpa checked 12 hours ago
Subprocessor list
https://posthog.com/dpa checked 11 hours ago
Security / trust page
https://posthog.com/handbook/company/security checked 6 hours ago

Recent changes

Security / trust page 1 week ago

Document updated.

Terms of service 1 week ago

Document updated.

Subprocessor list 1 week ago

Document updated.

Privacy policy 1 week ago

Document updated.

Data processing agreement 1 week ago

Document updated.

Security / trust page 1 week ago

Document updated.

Security / trust page 1 week ago

Document updated.

moderate Security / trust page 3 weeks ago

PostHog added a new Mobile Device Management (MDM) section to their security page, documenting the use of Fleet to manage laptops with specific security policies including password length, screen lock, software updates, 1Password provisioning, and supply chain attack investigation capabilities.
