TL;DR: as Hotjar's CEO, I'm writing this article to talk openly about what we've learned around privacy, mistakes we've made, and how this is changing the way we are building Hotjar going forward.
From its very first day in 2014, Hotjar was designed with the privacy of the end user in mind. We believed that looking at how people use a website as a whole was enough to get actionable insight, and set out to build a tool that could only collect anonymized behavioral data.
In those pre-GDPR days, we chose not to build functionality that would allow customers to see user IP addresses or assign other parameters and attributes to data within Hotjar, out of concern that some of it could be misused: for example, that people would watch a recording of somebody abandoning a shopping cart, find their email address, and message them to solicit a purchase.