Cookie Policy
The short version. The Heatmap.report tracker sets two first-party cookies (one short-lived session ID and one yearly anonymous visitor ID). We do not set any third-party cookies, do not use cross-site tracking pixels, and respect your browser's Do Not Track setting.
1. What is a cookie?
A cookie is a small text file a website asks your browser to store. The browser sends it back to that same website on subsequent requests so the site can recognise the same browser across pages. First-party cookies are set by the site you're visiting; third-party cookies are set by another domain whose content is embedded on the page.
2. What Heatmap.report sets
Heatmap.report sets only first-party cookies, on the customer's own domain. We do not set any third-party cookies. Here is the complete list:
| Name | Purpose | Lifetime | Category |
|---|---|---|---|
| owa_v | Anonymous visitor identifier — a random string used to recognise the same browser across multiple sessions for the same customer's website. Contains no personal information. | 1 year | Strictly necessary for analytics |
| owa_s | Session identifier — groups page views that happened in the same continuous visit. Renewed if the visitor returns after 30 minutes of inactivity. | 30 min idle | Strictly necessary for analytics |
3. What we do NOT set
- Third-party advertising cookies (Google Ads, Facebook Pixel, etc.) — we don't run ads.
- Tracking pixels or beacons from social networks or data brokers.
- Identity-graph cookies that link the same visitor across unrelated sites.
- Cookies containing personally identifying information.
4. How to opt out
If you are a visitor and you do not want Heatmap.report to set these cookies on your browser, you can:
- Enable Do Not Track in your browser. Heatmap.report detects this header and will not initialise the tracker if it is set.
- Block first-party cookies for the specific website you are visiting. In Chrome / Edge / Safari / Firefox, this is under Cookie Settings → Manage Exceptions.
- Use a content blocker like uBlock Origin, AdGuard, or Brave's built-in shield. Heatmap.report does not attempt to evade common privacy filter lists.
- Use private / incognito mode — the cookies are deleted when you close the window.
Opting out of cookies will not affect your ability to use the website — the tracker is non-essential to page functionality. The customer who operates the website will simply not see your visit in their analytics.
5. Cookies on heatmap.report itself
This website (heatmap.report and its subdomains) sets one cookie for operator authentication on the reports dashboard:
| Name | Purpose | Lifetime |
|---|---|---|
| owa_reports_session | HMAC-signed session token for the operator dashboard at reports.heatmap.report. Set only after a successful SSO login; HttpOnly + Secure + SameSite=Lax. Not used by anything outside the operator dashboard. | 12 hours |
6. Changes
If we add a cookie, change a lifetime, or change the purpose of an existing cookie, this page will be updated and the "Last reviewed" date adjusted. Material changes will be flagged in a banner on the landing page for 30 days.
7. Contact
Questions about cookies or opt-out: devs@chat2.com.