Skip to content

Cookies set in a visitor's browser by HubSpot

Last updated: February 2, 2024

Available with any of the following subscriptions, except where noted:

All products and plans

If you use HubSpot to host your website or installed the HubSpot tracking code, HubSpot sets a number of tracking cookies when a visitor lands on your website to understand their behavior better. You can display a cookie policy banner for your visitors to opt in or out of the non-essential cookies.

If you're a visitor to a website hosted by HubSpot or has the HubSpot tracking code, the cookies below may be set on your browser, depending on the site's set up. You can learn more about the cookies by reading below.

Please note: if you're visiting your own site to test your HubSpot tracking cookies, you may see a console error on the SameSite attribute for cookies related to hubspot.com or app.hubspot.com. These cookies are your HubSpot app cookies (e.g., they let you log into HubSpot) and are unrelated to the tracking cookies for your visitors. Check the Community thread for more information.

Necessary cookies

These are essential cookies that do not require consent.

__hs_opt_out

  • This cookie is used by the opt-in privacy policy to remember not to ask the visitor to accept cookies again.
  • This cookie is set when you give visitors the choice to opt out of cookies.
  • It contains the string "yes" or "no".
  • It expires in 6 months.

__hs_do_not_track

  • This cookie can be set to prevent the tracking code from sending any information to HubSpot.
  • It contains the string "yes".
  • It expires in 6 months.

__hs_initial_opt_in

  • This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode.
  • It contains the string "yes" or "no".
  • It expires in seven days.

__hs_cookie_cat_pref

  • This cookie is used to record the categories a visitor consented to.
  • It contains data on the consented categories.
  • It expires in 6 months.

__hs_gpc_banner_dismiss

  • This cookie is used when the Global Privacy Control banner is dismissed.
  • It contains the string "yes" or "no".
  • It expires in 180 days.

__hs_notify_banner_dismiss

  • This cookie is used when the website uses a Notify consent banner type.
  • It contains a boolean value of True.
  • It expires in 180 days.

hs_ab_test

  • This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before.
  • It contains the id of the A/B test page and the id of the variation that was chosen for the visitor.
  • It expires at the end of the session.

<id>_key

  • When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again.
  • The cookie name is unique for each password-protected page.
  • It contains an encrypted version of the password so future visits to the page will not require the password again.
  • It expires in 14 days.
hs-messages-is-open
  • This cookie is used to determine and save whether the chat widget is open for future visits.
  • It is set in your visitor's browser when they start a new chat, and resets to re-close the widget after 30 minutes of inactivity.
  • If your visitor manually closes the chat widget, it will prevent the widget from re-opening on subsequent page loads in that browser session for 30 minutes.
  • It contains a boolean value of True if present.
  • It expires in 30 minutes.

hs-messages-hide-welcome-message

  • This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed.
  • It contains a boolean value of True or False.
  • It expires in one day. 
__hsmem
  • This cookie is set when visitors log in to a HubSpot-hosted site.
  • It contains encrypted data that identifies the membership user when they are currently logged in.
  • It expires in seven days. 
hs-membership-csrf
  • This cookie is used to ensure that content membership logins cannot be forged.
  • It contains a random string of letters and numbers used to verify that a membership login is authentic.
  • It expires at the end of the session.

hs_langswitcher_choice

  • This cookie is used to save a visitor’s selected language choice when viewing pages in multiple languages.
  • It is set when a visitor selects a language from the language switcher and is used as a language preference to redirect them to sites in their chosen language in the future if they are available.
  • It contains a colon delimited string with the ISO639 language code choice on the left and the top level private domain it applies to on the right. An example will be "EN-US:hubspot.com".
  • It expires in two years.

__cfruid

This cookie is set by HubSpot’s CDN provider because of their rate limiting policies. It expires at the end of the session. Learn more about Cloudflare cookies

__cfuvid

This cookie is set by HubSpot’s CDN provider because of their rate limiting policies. It expires at the end of the session. Learn more about Cloudflare cookies

__cf_bm

This cookie is set by HubSpot's CDN provider and is a necessary cookie for bot protection. It expires in 30 minutes. Learn more about Cloudflare cookies

Analytics cookies 

These are non-essential cookies controlled by the cookie banner. If you're a visitor to a site supported by HubSpot, you can opt out of these cookies by not giving consent.

__hstc

  • The main cookie for tracking visitors.
  • It contains the domain, hubspotutk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
  • It expires in 6 months.

hubspotutk

  • This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
  • It contains an opaque GUID to represent the current visitor.
  • It expires in 6 months.

__hssc

  • This cookie keeps track of sessions.
  • This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
  • It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
  • It expires in 30 minutes.

__hssrc

  • Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.
  • If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
  • It contains the value "1" when present.
  • It expires at the end of the session.

If you are logged in to HubSpot, HubSpot will set additional authentication cookies. Learn more about cookies set in the HubSpot product. You can also see whether a contact accepted these cookies in their timeline.

Functionality cookies

Chatflow cookie

This is the cookie used for the chatflows tool. If you're a visitor, this allows you to chat with a representative on the site.

messagesUtk

  • This cookie is used to recognize visitors who chat with you via the chatflows tool. If the visitor leaves your site before they're added as a contact, they will have this cookie associated with their browser.
  • With the Consent to collect chat cookies setting turned on:
    • If you chat with a visitor who later returns to your site in the same cookied browser, the chatflows tool will load their conversation history.
    • The messagesUtk cookie will be treated as a necessary cookie.
  • When the Consent to collect chat cookies setting is turned off, the messagesUtk cookie is controlled by the Consent to process setting in your chatflow.
  • HubSpot will not drop the messagesUtk cookie for visitors who have been identified through the Visitor Identification API. The analytics cookie banner will not be impacted.
  • This cookie will be specific to a subdomain and will not carry over to other subdomains. For example, the cookie dropped for info.example.com will not apply to the visitor when they visit www.example.com, and vice versa. 
  • It contains an opaque GUID to represent the current chat user.
  • It expires after 6 months.

Chatflow cookie consent text

With the Consent to collect chat cookies setting enabled, HubSpot will prompt visitors for consent to drop a cookie in their browser before the start a chat or when they attempt to the leave the page during a chat conversation. This cookie is used to interact with website visitors and provide a visitor's chat history.

If you choose to display the banner before the visitor starts a chat and the visitor does not give consent, they will not be able to start the chat.

If you choose to display the banner upon exit intent, however, the visitor can start the chat, but if they don't consent to cookies before navigating away from the page, the chat widget will reset and the conversation will end.

With this setting disabled, a visitor can start a chat and give consent to process their information via the Consent to process setting

Visitors can also accept or decline cookies on the HubSpot cookie banner if it is enabled on your pages. 

  • If a visitor accepts the cookie when they start a chat, but then clicks Decline on the HubSpot cookie banner, the cookie will be removed. 
  • If a visitor clicks Decline on the HubSpot cookie banner before starting a chat, HubSpot will not drop a cookie or prompt them to consent to cookies in the chat widget. 

Advertisement cookies

Advertisement cookies are ad pixel cookies (such as Facebook, LinkedIn and Google) that you can opt to install using the HubSpot ads tool.

If you have the Facebook pixel code installed on your website, Facebook may set a cookie in a visitor's browser.

If you use the HubSpot ads tool to select and install your Facebook pixel on pages with the HubSpot tracking code, HubSpot will link the placing of that pixel code to the cookie notification banner. If you require opt-in consent via this banner, the Facebook pixel will not be able to set any cookies until the visitor has have opted in. 

If you manually placed the pixel code on pages (e.g., by editing your site header HTML), HubSpot will not be able to control the visitors Facebook is able to set cookies on.

For additional information, refer to Facebook's business tools terms and Facebook's cookie consent guide

Cookies from third-party systems 

HubSpot cannot control cookies placed by third-party scripts on your website. When a visitor accepts cookies via the HubSpot consent banner, they consent to HubSpot's cookies only.

However, you can put code in place to know when a visitor has accepted or declined HubSpot cookie tracking, then send that information to your third-party system. Learn more about using HubSpot's consent banner for third-party scripts

External scripts

If you're placing external scripts on your site, refer to HubSpot's developer documentation to learn more about associating these scripts to the cookie banner. 

Other information

Learn about removing the cookies created by the HubSpot tracking code that are included in the consent banner under data privacy. When a visitor's cookies are removed, the visitor will be considered "new" and will see the cookie policy banner the next time they visit your site.

Visitors who visited your website before your cookie policy banner was set up will already have the cookies created by the HubSpot tracking code in their browser. They will, therefore, not see the cookie policy banner until their cookies are removed or expired.

Was this article helpful?
This form is used for documentation feedback only. Learn how to get help with HubSpot.