© 2025 Assenteo Ltd
AI DPO: PostHog

Hi, this is AI DPO, providing data protection reviews of AI startups to showcase best practices. In these reviews, we assess basic compliance and transparency signals from public sources.


Last updated 28 days ago

First things first, PostHog is not an AI company. However, as a technology company with excellent data protection communication, we thought it was still a great fit for this series.

PostHog is an open-source product analytics platform that helps software teams understand user behavior. Since starting in 2020, the company has become a go-to for product and engineering teams, with a community 250k strong.

But can we just comment on PostHog's branding and community focus? While I have assessed PostHog as a vendor for a few companies over the years, what keeps the brand front of mind is that they're fun and don't take themselves too seriously. Thinking that means privacy goes out of the window? Well... you're in for a surprise. Here's a privacy-first look at PostHog to celebrate what's working (and suggest easy wins to build even more trust).

I) How We Review Companies

Through AI DPO, we’re here to help AI companies build data protection practices that are both compliant and customer-friendly.

When we review a company, we follow three simple principles:

  1. We stick to what’s public: Our reviews focus only on public-facing privacy practices, not private strategies, product features, or confidential details (those deeper insights are reserved for Assenteo users).

  2. We’re here to raise the bar, not rank companies: Our goal isn’t to criticize. It’s to lift the overall standard of data protection across the AI space and help everyone build stronger, more trusted products.

  3. We’re a snapshot in time: Our reviews reflect what we see on the date we publish. Companies change and grow, and so will their privacy practices.

We believe good data protection is good business and we’re excited to be part of helping AI companies get it right.

1. Assenteo’s Take

For a data analytics suite, data protection is essential during the collection and processing of data, especially when personal information is involved. In the analytics world, there are typically two stakeholders:

  • The end user – the individual being tracked. This person will have preferences about how their data is used, and whether it can be used at all.

  • The tracker – the person or organization paying for the product. When handing data to an analytics provider, the customer must ensure the security and protection of the data they share.

Companies like PostHog have a direct interest in ensuring data protection practices are transparent. This is particularly important for enterprise customers, who must demonstrate that they meet their compliance obligations to their own end users.

At the same time, customers expect a certain level of data protection and reassurance before sharing their data with an analytics provider. PostHog addresses this by taking on responsibility (as the Data Controller under GDPR) for processing when they access a customer account's data, for example when using customer data to improve one of PostHog's tools.

Overall, PostHog is a leader in data protection practices and should serve as a model for B2B AI companies. In addition to meeting data compliance expectations in their own operations, they are also integrating features that help their customers stay compliant. It is hard to imagine that their Legal and Product teams are not working closely together.

2. AI DPO Assessment

Category | Assessment | Notes
Privacy Policy and other Documentation | ✅ | 
Data Collection | ✅ | The Privacy Policy clearly lists the data categories collected: personal data provided during account creation, data automatically collected (e.g., cookies), and account usage data. PostHog explains how they collect and process aggregated data from accounts, and notes that this can be disabled.
Data Processing | ✅ | Data sharing with third-party service providers is disclosed, including which companies are involved. The purposes of data processing are also clearly explained.
User Controls | ✅ | Users are informed of their GDPR rights. An email address is provided for rights requests, and PostHog has a Data Protection Officer users can contact.
AI-Specific Disclosures | N/A | PostHog does not include any AI-specific disclosures in its policy.
Cookie Handling and Data Sale | ⚠️ | PostHog states that it does not use third-party trackers to collect information about users. However, tracking still occurs via PostHog itself, as explained in the Data Collection row. The simplicity of this setup is inspiring, but there is an opportunity to explain it more clearly to end users. PostHog does not state whether they sell personal data.

PostHog currently stands at Level 3 🌊 : Privacy Leader.

3. Highlights

  • Personal data transparency: PostHog demonstrates transparency in their collection and processing of customer personal data. In general, they are trying to keep the collection of personal data to a minimum. PostHog also highlights data protection practices on their home page, such as in-app privacy controls and hosting location choice.

  • Prevention of third-party trackers: PostHog keeps tracking really simple for users. They do not use third-party trackers and collect information only through first-party cookies and their own product.
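A "no third-party trackers" claim is one a customer can verify from the browser side rather than take on trust. The following is an added example, not PostHog's code and not from the original page: it takes the registrable domain of the site being audited (supplied by the auditor, so no public-suffix lookup is needed) together with the request hostnames and cookie domains captured during a page load, and reports anything that is not first-party. The capture below is a constructed sample on example.com; the hostnames, paths and cookie names are illustrative only.

```python
"""Classify captured browser traffic as first-party or third-party.

Added check, not PostHog's code. The auditor supplies the site's registrable
domain (eTLD+1) and a capture of request URLs and cookie (name, Domain) pairs,
for example exported from the browser's network and storage panels.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    kind: str    # "request" or "cookie"
    host: str    # request hostname, or the cookie's Domain attribute
    detail: str  # URL path or cookie name, for the report


def normalise_host(host: str) -> str:
    """Lower-case, drop a leading dot (cookie Domain syntax) and any port."""
    host = host.strip().lower().lstrip(".")
    if host.startswith("[") and "]" in host:  # IPv6 literal, keep brackets
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def is_first_party(host: str, site_domain: str) -> bool:
    """True if host is site_domain itself or one of its subdomains.

    The dot prefix prevents 'notexample.com' matching 'example.com'.
    """
    host, site_domain = normalise_host(host), normalise_host(site_domain)
    return host == site_domain or host.endswith("." + site_domain)


def audit(observations, site_domain, allowed_third_parties=()):
    """Split observations into first-party, allowed third-party and unexpected."""
    first, allowed, unexpected = [], [], []
    allowed_set = {normalise_host(h) for h in allowed_third_parties}
    for obs in observations:
        if is_first_party(obs.host, site_domain):
            first.append(obs)
        elif any(is_first_party(obs.host, a) for a in allowed_set):
            allowed.append(obs)
        else:
            unexpected.append(obs)
    return first, allowed, unexpected


def observations_from_capture(request_urls, cookies):
    """Build Observations from request URLs and (name, domain) cookie pairs."""
    out = [
        Observation("request", urlsplit(u).hostname or "", urlsplit(u).path)
        for u in request_urls
    ]
    out += [Observation("cookie", domain, name) for name, domain in cookies]
    return out


# Constructed sample: a page on example.com loads its own analytics script and
# sends events to its own subdomain, plus one beacon to an unrelated host.
SAMPLE_REQUESTS = [
    "https://example.com/",
    "https://static.example.com/assets/analytics.js",
    "https://events.example.com/ingest/?ip=0",
    "https://cdn.example-analytics.com/collect",
]
SAMPLE_COOKIES = [
    ("session_id", ".example.com"),
    ("analytics_id", ".example.com"),
    ("uid", "cdn.example-analytics.com"),
]

if __name__ == "__main__":
    obs = observations_from_capture(SAMPLE_REQUESTS, SAMPLE_COOKIES)
    first, allowed, unexpected = audit(obs, "example.com")
    print(f"first-party: {len(first)}, allowed: {len(allowed)}, unexpected: {len(unexpected)}")
    for o in unexpected:
        print(f"  unexpected {o.kind} to {o.host} ({o.detail})")
```

Two caveats when reading the report: a cookie scoped to the first-party domain can still have been set by a script served from that domain on behalf of someone else, which is why request hostnames are checked alongside cookie domains; and the allow-list exists so that a vendor the customer has a processing agreement with (such as a self-hosted or customer-chosen analytics endpoint) is reported separately from genuinely unexpected hosts.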

4. Where Trust Can Grow

  • Clarify how first-party data is tracked: There's an opportunity to strengthen user trust by clearly highlighting that users are still tracked, just not by third-party tools.

PostHog hosts a Privacy Policy for the personal data and data collection of website visitors and app users. However, the Privacy Policy is not dated. A Data Processing Agreement (DPA) is also available; PostHog provides this through a document generator, making it easy to complete. PostHog also provides information on data protection and HIPAA compliance on their website and in their documentation.

Customer-centered privacy information: PostHog have created their own features and pages to support data protection implementation, such as their DPA builder. Visiting PostHog serves as a reminder that excellent privacy-by-design does not need to come at the expense of customer focus, and is in fact essential to it.

At Assenteo, we help enterprise-focused AI builders turn data protection into a product strength by providing data protection professional services. While this review focused on basic compliance and public transparency, our core service supports full compliance, strong UX practices, and competitive advantage through trust. If you're a serious builder, let's chat.