PostHog

Open-source product analytics and session recording platform used as a privacy-friendly alternative to Mixpanel or Amplitude. PostHog tracks custom events, feature flag exposures, and user journeys. Can be self-hosted for full data ownership or used via PostHog Cloud.

Overview

PostHog is an open-source product analytics and session recording platform that competes with Mixpanel, Amplitude, and FullStory. It tracks custom user events, feature flag exposures, and session replays. Uniquely, PostHog can be self-hosted on the organization's own infrastructure (PostHog Open Source) or used as a managed cloud service (PostHog Cloud), giving teams full control over data residency.

What This Script Does

PostHog's browser library (posthog.js) is a single comprehensive SDK that handles event capture, session recording, feature flags, A/B testing, and user identification.

Script Files and Domains

  • posthog.js — Loaded from app.posthog.com/static/chunk-*.js (PostHog Cloud) or from the self-hosted instance domain. Approximately 80–200 KB depending on configuration.
  • API endpoint: app.posthog.com/capture/ (US Cloud), eu.posthog.com/capture/ (EU Cloud), or the self-hosted instance URL.
  • Feature flag evaluation: app.posthog.com/decide/

Cookies and Storage

  • ph_{project_api_key}_posthog — Primary PostHog cookie. Contains a JSON payload with the distinct user ID, session ID, and properties set via identify() or people.set(). Default expiry: 1 year. Set as a first-party cookie on the host domain.
  • ph_opt_in_{project_api_key} / ph_opt_out_{project_api_key} — Opt-in/opt-out state cookies. Used when opt_in_site_apps or explicit consent management is configured.
  • posthog_crosssubdomain_id — Cross-subdomain identity cookie (if configured). Persists for 1 year.
  • PostHog also stores event queues and session metadata in localStorage under ph_ prefixed keys.

Data Collected Per Interaction

  • $pageview event: URL, referrer, page title, screen dimensions, viewport dimensions
  • $autocapture events (if enabled): clicks, form submissions, and input changes — capturing element text, CSS classes, and DOM structure up to the nearest identifiable ancestor
  • $session_recording_snapshot events: DOM mutations and user interactions recorded as session replays (if session recording is enabled)
  • Custom events: any events defined by the site operator via posthog.capture()
  • $identify call: links the anonymous ID to a named user ID along with trait data (name, email, plan, etc.)
  • Feature flag exposure events: which flags were evaluated and what variant was returned
  • Performance: Page load timing is captured if the Performance Observer API is available

Feature Flags and A/B Testing

Feature flag state is evaluated server-side and returned to the client on initialization. The SDK stores flag values locally and reports $feature_flag_called events when flags are evaluated. This enables product teams to correlate flag variants with conversion metrics.

Consent & Compliance

Consent category: Analytics

  • GDPR/ePrivacy: PostHog Cloud (US or EU) requires consent as it constitutes third-party data processing. The ph_* cookie identifies individuals across sessions and requires opt-in under ePrivacy. If using PostHog EU Cloud (eu.posthog.com), data stays within the EU, removing the cross-border transfer concern, but consent is still required for the cookie.
  • Self-hosted PostHog: If deployed on the organization's own infrastructure with no third-party data transfer, GDPR's third-party processor obligations do not apply. However, the cookie identifying individual users still requires consent under ePrivacy unless fully anonymized. PostHog offers a disable_cookie mode that uses sessionStorage instead of persistent cookies — under this mode, combined with IP anonymization, some DPAs may recognize a legitimate interest basis.
  • CCPA/CPRA: Event data linked to a distinct user ID constitutes personal information collection. Opt-out rights apply.
  • Session recording: Session replay captures detailed user interactions (keystrokes, mouse movements, DOM content) and constitutes sensitive behavioral profiling. This requires explicit consent regardless of GDPR basis.
  • EU-US Data Privacy Framework: PostHog participates in the DPF for US Cloud deployments.

Should You Block This Without Consent?

Conditional. For PostHog Cloud deployments with session recording, block until analytics consent is granted. For self-hosted PostHog with cookie disabled, IP anonymized, and no session recording, a legitimate interest basis may be defensible with appropriate documentation. Default PostHog Cloud configurations require consent before initialization.

Consent Categories

Analytics

Also Known As

PostHog, PostHog analytics, PostHog self-hosted, session recording, product analytics, open source analytics, PostHog Cloud

Industries

  • Computers Electronics and Technology
  • Programming and Developer Software

Tracked Domains (5)

  • us.i.posthog.com (Analytics)
  • eu.i.posthog.com (Analytics)
  • app.posthog.com (Analytics)
  • us.posthog.com (Analytics)
  • eu.posthog.com (Analytics)

Frequently Asked Questions

Do I need consent to use PostHog on my website?

Conditional. PostHog Cloud requires analytics consent — the ph_* cookie identifies users across sessions and requires opt-in under ePrivacy. Self-hosted PostHog with cookies disabled and IP anonymized may support a legitimate interest basis. Session recording requires explicit consent in all deployment modes regardless of hosting.

What does PostHog track on my website?

PostHog captures pageview events (URL, referrer, screen dimensions), autocapture events (clicks, form submissions, input changes), and session recording snapshots (DOM mutations, mouse movements, scroll depth). The ph_{api_key}_posthog cookie stores the user ID and session ID for 1 year. Feature flag exposures and custom events are also recorded.

How does ConsentStack handle PostHog?

ConsentStack detects PostHog via app.posthog.com or eu.posthog.com script loads and the /capture/ API endpoint. Classified as analytics and blocked until consent is granted. For self-hosted deployments, ConsentStack detects posthog.js and the /decide/ endpoint. Session recording is treated as requiring consent across all deployment modes.
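
The signals listed on this page (the Cloud hostnames, the /capture/ and /decide/ endpoints, the ph_ cookies and localStorage keys) can be turned into a check that nothing PostHog-related happens before consent. This is an added example, not ConsentStack's or PostHog's code; the function names and the sample data are constructed for illustration.

```javascript
// Added example (not ConsentStack or PostHog code): pre-consent audit.
// Hostnames, paths and cookie names come from this page; sample data is constructed.
const CLOUD_HOSTS = new Set([
  "us.i.posthog.com", "eu.i.posthog.com", "app.posthog.com",
  "us.posthog.com", "eu.posthog.com",
]);
// Self-hosted instances use the operator's own domain, so fall back to paths.
const SELF_HOSTED_PATHS = [/^\/capture\/?$/, /^\/decide\/?$/, /\/posthog\.js$/];
// Identifier cookies only; ph_opt_in_* / ph_opt_out_* hold consent state.
const ID_COOKIES = [/^ph_.+_posthog$/, /^posthog_crosssubdomain_id$/];

function classifyRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // skip unparsable entries
  // Exact hostname match: a substring test would also accept look-alikes
  // such as app.posthog.com.example.net.
  if (CLOUD_HOSTS.has(url.hostname)) return "posthog-cloud";
  if (SELF_HOSTED_PATHS.some((re) => re.test(url.pathname))) return "possible-self-hosted";
  return null;
}

// Returns every PostHog-related artefact seen before consent was given.
function auditPreConsent({ requests = [], cookies = [], storageKeys = [] }) {
  const findings = [];
  for (const value of requests) {
    const kind = classifyRequest(value);
    if (kind) findings.push({ type: "request", kind, value });
  }
  for (const value of cookies) {
    if (ID_COOKIES.some((re) => re.test(value))) findings.push({ type: "cookie", kind: "identifier", value });
  }
  for (const value of storageKeys) {
    if (value.startsWith("ph_")) findings.push({ type: "localStorage", kind: "ph-prefixed", value });
  }
  return findings;
}

// Constructed sample: browser state captured before the banner was answered.
const SAMPLE = {
  requests: [
    "https://eu.i.posthog.com/capture/",
    "https://analytics.example.org/decide/?v=3",
    "https://app.posthog.com.example.net/static/app.js",
    "https://cdn.example.org/app.js",
  ],
  cookies: ["ph_phc_CONSTRUCTED_posthog", "ph_opt_out_phc_CONSTRUCTED", "session"],
  storageKeys: ["ph_constructed_queue", "theme"],
};
console.log(auditPreConsent(SAMPLE));
```

A "possible-self-hosted" finding is a path match on a non-PostHog hostname and should be confirmed manually, since other services can expose a /capture/ or /decide/ route.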
