Quick answer: Most popular SaaS tools — Hotjar, Mailchimp, HubSpot, Intercom, Zendesk — process personal data and require GDPR compliance measures. Whether they're "GDPR compliant" depends on how you configure them, not just whether the vendor claims compliance. Here's what you need to check for each tool.
Why "GDPR Compliant" Doesn't Mean What You Think
When a SaaS vendor says they're "GDPR compliant," they mean their platform supports GDPR compliance — not that using their tool automatically makes you compliant. Under GDPR, you are the data controller. The vendor is your data processor. You're responsible for:
- Having a valid Data Processing Agreement (DPA) with every vendor
- Getting user consent before the tool loads (if it sets cookies or tracks behavior)
- Disclosing the tool in your privacy policy
- Ensuring cross-border data transfers have adequate safeguards
- Responding to data subject requests (access, deletion) across all vendors
Tool-by-Tool GDPR Compliance Guide
Hotjar — Session Recording & Heatmaps
| Aspect | Status | Action Required |
|---|---|---|
| DPA available? | Yes | Sign it in Settings > Account > DPA |
| Data location | EU (AWS Ireland) by default | Verify in account settings |
| Cookie consent needed? | Yes — sets tracking cookies | Load Hotjar only AFTER consent |
| Records personal data? | Yes — IP, session recordings, form inputs | Enable IP anonymization, suppress sensitive fields |
| Consent Mode support? | Yes (v2 compatible) | Configure via Consent Mode V2 |
Key risk: Hotjar session recordings can capture personal data typed into forms (names, emails, passwords). You MUST enable the "Suppress all text" option or manually tag sensitive elements with the data-hj-suppress attribute.
Mailchimp — Email Marketing
| Aspect | Status | Action Required |
|---|---|---|
| DPA available? | Yes (Standard Contractual Clauses included) | Accepted automatically in ToS since 2021 |
| Data location | US (Intuit servers) | EU→US transfers covered by the EU-US DPF, with SCCs as fallback |
| Cookie consent needed? | Yes — embedded forms set cookies | Use custom forms or load after consent |
| Double opt-in? | Supported but not default | Enable double opt-in for EU lists |
| Data deletion? | Supports GDPR delete requests | Process via Mailchimp API or manually |
Key risk: Mailchimp transfers data to the US. While now covered by the EU-US Data Privacy Framework, some data protection authorities (supervisory authorities) still scrutinize US transfers. Always have SCCs in place as a fallback. See our cross-border transfers guide.
HubSpot — CRM & Marketing Automation
| Aspect | Status | Action Required |
|---|---|---|
| DPA available? | Yes | Sign in Settings > Account Defaults > Security |
| Data location | US, EU (Germany), or Australia — you choose | Select EU datacenter for EU customers |
| Cookie consent needed? | Yes — HubSpot tracking code sets cookies | Use HubSpot's cookie banner or your CMP |
| Consent tracking? | Built-in consent management | Enable GDPR features in Settings > Privacy |
| Data portability? | Full export available | Available via Settings > Import/Export |
Key risk: HubSpot's tracking code loads before consent by default. You must configure it to respect your consent banner — either through HubSpot's built-in cookie policy tool or by conditionally loading the script via your CMP.
Intercom — Live Chat & Support
| Aspect | Status | Action Required |
|---|---|---|
| DPA available? | Yes | Request via Intercom support or legal portal |
| Data location | US and EU (you can request EU hosting) | Request EU-only hosting for EU users |
| Cookie consent needed? | Yes — sets session and identity cookies | Load Intercom widget only after consent |
| AI features? | Fin AI agent processes conversation data | Disclose AI use in privacy policy per EU AI Act |
| Data deletion? | Supported via API and dashboard | Automate with DSAR workflow |
Key risk: Intercom's AI features (Fin) process user conversations, which may trigger EU AI Act transparency obligations. You must disclose AI-powered support in your privacy policy and provide a way for users to reach a human agent.
Zendesk — Customer Support
| Aspect | Status | Action Required |
|---|---|---|
| DPA available? | Yes (comprehensive) | Included in Enterprise agreement; request for other tiers |
| Data location | US, EU, Australia, Japan | Enable EU data locality for EU customers |
| Cookie consent needed? | Yes — widget sets cookies | Load Web Widget conditionally |
| Sub-processors? | Published list at zendesk.com/trust | Review and monitor for changes |
| Encryption | In-transit and at-rest | Enable Advanced Encryption for sensitive data |
Complete GDPR Compliance Checklist for SaaS Tools
- Sign a DPA with every vendor that processes personal data
- Don't load tracking scripts before consent — use your CMP to conditionally load them
- List every tool in your privacy policy with purpose, data processed, and legal basis
- Choose EU data centers when available (HubSpot, Zendesk, Intercom all offer this)
- Enable data anonymization features (IP anonymization in Hotjar, GA4)
- Map your data flows — know exactly where each vendor sends your users' data
- Test with PrivacyChecker — scan your site to detect which third-party scripts load, when they set cookies, and whether they fire before consent
- Audit regularly — vendors change sub-processors and data practices. Set quarterly reviews
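The "load only after consent" requirement that appears in the Hotjar and HubSpot key-risk notes above and again in the checklist is easy to state and easy to get wrong (scripts fired before the banner is answered, or loaded twice after a consent change). The following is an added example, not code from Hotjar, HubSpot, Intercom or any CMP: a default-deny consent gate that maps each tool to a consent category, loads a tool's script exactly once when its category is granted, and exposes a report for your own site audit. The tool-to-category mapping, the `TOOL_REGISTRY` name and the `example.invalid` script URLs are constructed for the example; the `data-hj-suppress` attribute used by `suppressSensitiveFields` is the Hotjar attribute the page mentions. In a real site you would wire `gate.update(...)` to whatever consent-change event your CMP emits and replace the constructed URLs with each vendor's install snippet.

```javascript
// Added example: consent-gated loading of third-party scripts (default deny).
// Not vendor or CMP code. Tool names, categories and URLs are constructed.

const TOOL_REGISTRY = {
  hotjar:   { category: 'analytics',  src: 'https://example.invalid/hotjar.js' },   // constructed URL
  hubspot:  { category: 'marketing',  src: 'https://example.invalid/hubspot.js' },  // constructed URL
  intercom: { category: 'functional', src: 'https://example.invalid/intercom.js' }, // constructed URL
};

// Before the banner is answered, every category is denied.
const DEFAULT_CONSENT = Object.freeze({ analytics: false, marketing: false, functional: false });

// Pure decision: which tools may load under this consent state?
function allowedTools(consent, registry = TOOL_REGISTRY) {
  const state = { ...DEFAULT_CONSENT, ...(consent || {}) };
  return Object.keys(registry).filter((name) => state[registry[name].category] === true);
}

// Browser loader: inject a <script> tag. Outside a browser, callers inject their own loader.
function domScriptLoader(name, src) {
  if (typeof document === 'undefined') {
    throw new Error('no document available: pass a loadScript function to createConsentGate');
  }
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  s.dataset.consentTool = name; // marks gated scripts so an audit can spot ungated ones
  document.head.appendChild(s);
}

// Gate: update() loads newly permitted tools once; report() shows current state.
function createConsentGate({ registry = TOOL_REGISTRY, loadScript = domScriptLoader } = {}) {
  const loaded = new Set();
  let consent = { ...DEFAULT_CONSENT };
  return {
    update(newConsent) {
      consent = { ...DEFAULT_CONSENT, ...(newConsent || {}) };
      const newlyLoaded = [];
      for (const name of allowedTools(consent, registry)) {
        if (loaded.has(name)) continue; // never inject the same script twice
        loadScript(name, registry[name].src);
        loaded.add(name);
        newlyLoaded.push(name);
      }
      return newlyLoaded;
    },
    // A withdrawn consent cannot unload a script that already ran in this page view;
    // the report makes that visible so the next page load can honour the new state.
    report() {
      return { consent: { ...consent }, loaded: [...loaded].sort() };
    },
  };
}

// Defence in depth for Hotjar recordings: tag sensitive inputs with the
// data-hj-suppress attribute the page describes, so they stay masked even if
// "Suppress all text" is later switched off. `root` must support querySelectorAll.
function suppressSensitiveFields(root = document) {
  const selector = 'input[type="password"], input[type="email"], input[name*="card"]';
  const fields = root.querySelectorAll(selector);
  fields.forEach((el) => el.setAttribute('data-hj-suppress', ''));
  return fields.length;
}

// Demonstration with a recording loader, so it runs without a DOM.
function demo() {
  const calls = [];
  const gate = createConsentGate({ loadScript: (name) => calls.push(name) });
  gate.update();                                      // banner unanswered: nothing loads
  gate.update({ analytics: true });                   // hotjar loads
  gate.update({ analytics: true, marketing: true });  // hubspot loads; hotjar not repeated
  return { calls, report: gate.report() };
}
```

Run `demo()` to see the sequence: `calls` ends as `['hotjar', 'hubspot']` and `intercom` never loads because its category was never granted. The decision logic is kept in `allowedTools` as a pure function precisely so it can be unit-tested without a browser; a bug there is the kind of thing a scanner such as the one the checklist mentions would otherwise only catch after deployment.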
Frequently Asked Questions
Do I need consent to use Hotjar?
Yes. Hotjar sets tracking cookies and records user behavior, which constitutes personal data processing under GDPR. You must obtain consent before loading the Hotjar script.
Is Mailchimp legal to use in Europe?
Yes, provided you have SCCs or rely on the EU-US Data Privacy Framework for transfers. Enable double opt-in for EU subscribers, and always use Mailchimp's GDPR-compliant signup forms.
How do I check which SaaS tools my website loads?
Use PrivacyChecker to scan your website. It detects all third-party scripts, cookies, and trackers — including tools you may have forgotten about. You might be surprised by how many services load on your pages.