How to Track Individual Movement on My Website: A Complete Guide

Every session replay tool tells you the same story. Watch a user click through your nav, hover over the pricing section, scroll down to 60%, then leave. Do it 500 times. Find the patterns. Fix the friction. That is the pitch, and it is legitimate.

What nobody in the session recording category wants to explain is this: roughly a third of the sessions you are watching are not humans. They are bots, scrapers, VPN exits, datacenter proxies, and automated crawlers mimicking browser behavior well enough to trigger your JavaScript snippet and generate a recording. Another 25-35% of your actual human sessions never fire a recording at all because ad blockers kill the third-party tracking script before it loads. So when you sit down with your heatmap tool to understand individual user movement, the room you are analyzing is missing half its occupants and filled with mannequins dressed as visitors.

This is not a tool problem. It is a data layer problem. Every session recording platform inherits it equally. Hotjar, Clarity, FullStory, Mouseflow: they all record whatever the browser sends them. If the browser sends a bot, they record a bot. If the browser sends nothing because uBlock Origin blocked the script, they record nothing. Your "individual user journeys" are a mix of real behavior, automated noise, and invisible gaps you cannot see in any dashboard.

That upstream failure is the thing to solve first. The tool you watch sessions in is secondary.

---

What "tracking individual movement" actually requires in 2026

There are four distinct things marketers and product teams mean when they say they want to track individual user movement on their website, and each requires a different architecture:

Session behavior, which is what someone does on a single visit: pages they hit, scroll depth, clicks, mouse path, form fields they fill in or abandon. This is heatmap and session replay territory.

Cross-visit identity, which is knowing that the person who visited your pricing page today is the same person who read your case study three weeks ago. This requires persistent first-party identity resolution, not cookies (ITP kills seven-day cookies, and users delete them), but a consent-gated, first-party mechanism that survives browser-level restrictions.

Conversion attribution, which connects individual sessions to actual purchase or lead events and routes clean signals to Meta, Google, TikTok, and LinkedIn so their algorithms optimize toward real humans, not bot patterns. This is CAPI territory.

Fraud filtering, which happens before any of the above. If you are not running IP-level bot classification before events fire, you are feeding garbage into all three layers above it.

Most teams buy a session recording tool and call the first layer solved. The other three remain completely broken. You watch pretty videos of user behavior, but you do not know which sessions belong to returning customers, your conversion signals are corrupted by bot traffic, and your attribution algorithms are actively being trained on junk.

This guide covers all four. The tools section covers 15-plus platforms across each layer so you can build a stack that actually works.

---

Quick answers

What is the best free tool for tracking individual user sessions on a website?

Microsoft Clarity is free with unlimited session recordings and no daily cap. It records 100% of sessions by default, gives you heatmaps, rage click detection, and dead click flagging, and integrates natively with GA4. The real cost is the approximately 25-35% of human sessions that ad blockers prevent from firing the Clarity script in the first place. For sites with tech-savvy audiences, actual capture rate is lower than the dashboard implies.

How do I track mouse movement on my website?

Any session recording tool captures mouse movement as part of the session replay. Hotjar, Mouseflow, FullStory, Clarity, Lucky Orange, and PostHog all include it. The more precise question is: are those mouse movements from real humans? Install a session tool, yes, but run IP-level bot classification before recording to avoid burning analysis time on automated traffic.

Is it legal to track individual users on a website?

In the EU and EEA, session recording requires consent under GDPR and the ePrivacy Directive. Anonymous aggregate analytics (heatmaps with no user-level identifiers) remain legal after a "Reject All" response. In the US, CCPA compliance is required for California residents. Global sites need a consent management platform that actually loads: OneTrust and Cookiebot load from third-party CDNs that uBlock Origin and Brave block 30-40% of the time, which means a significant chunk of sessions never see the consent banner, and you never see that failure in your reports.

What is the difference between session replay and heatmaps?

Session replay records individual visits as a playback. You watch one user's complete journey. Heatmaps aggregate thousands of sessions into a visual overlay: where most people click, how far most people scroll, where most attention clusters. Heatmaps show patterns. Replays diagnose specific friction. Both are useful. Neither tells you which sessions were bots.

How many of my session recordings are bots?

Fraudlogix's 2026 IVT report puts global invalid traffic at 20.64%. Meta's own network averages 8.20% IVT, Instagram sits at 38%, and Audience Network reaches 67%. Finance and legal verticals see 42% bot rates. Your session recording tool captures whatever traffic reaches it. Without pre-event IP filtering, a meaningful share of your replay library is automated.

Can I track returning visitors without cookies?

Yes, with cookieless persistent identity resolution. This uses first-party signals to re-identify returning users without relying on cookie expiry timelines or browser deletion. For EU visitors it requires consent through a CMP that actually loads. For US, UK, and APAC visitors, no consent banner is legally required, so identity resolution can activate by default.

What happened to Heap after the Contentsquare acquisition?

Contentsquare completed its acquisition of Heap in December 2023. Heap continues to operate as a product but its roadmap is now shaped by Contentsquare's enterprise and ecommerce focus. If you were evaluating Heap specifically for product analytics, PostHog and Mixpanel are now the more actively developed alternatives in that segment.

---

The buyer decision matrix

Before the tool reviews, decide which layer you are actually solving for. Most people start at the wrong place.

You are a UX or product team trying to improve on-site experience. You need session replay and heatmaps. Start with Microsoft Clarity (free) or Hotjar (starts $39/month with surveys included). Add bot filtering only if your traffic volume makes analysis unmanageable with noise.

You are an ecommerce team trying to diagnose checkout drop-off. You need session replay with form analytics. Mouseflow, Lucky Orange, or Hotjar. If you are on Shopify, note that January 13, 2026, Shopify silently changed App Pixel defaults to "Optimized" mode, throttling pixel firing on iOS traffic with no merchant notification. Your pixel data since that date may be underreporting.

You are a growth or paid media team trying to close the attribution loop. You need server-side CAPI plus clean first-party analytics. Session recording is secondary. Your primary problem is that bot conversion events are flowing into Meta and training Lookalike Audiences on garbage traffic. Fix the pipe first: DataCops at $49/month gives you Meta CAPI, Google CAPI, TikTok Events API, and LinkedIn Insight CAPI with 361B-IP bot classification before any event fires.

You are a B2B company wanting to know which companies or individuals are visiting your site. You need identity resolution tools: RB2B for US person-level identification, Leadfeeder or ZoomInfo WebSights for company-level data. Session replay shows you what anonymous visitors do; identity resolution tells you who they are.

You are an enterprise with a dedicated analytics engineering team. Raw server-side GTM on Cloud Run gives you maximum control at $90-150/month for infrastructure, but requires $5K-10K in initial setup and ongoing maintenance. FullStory or Contentsquare for the behavioral layer, mParticle or Segment for the CDP layer.

---

The tools

Microsoft Clarity

Clarity is the default starting point for any team that does not want to spend money on behavioral analytics. Free, unlimited sessions, no daily cap, no monthly quota. It records 100% of sessions, surfaces rage clicks and dead clicks automatically, generates heatmaps, and integrates with GA4 so you can pull session segments directly from analytics events. Microsoft added Mina AI, a natural-language query interface that surfaces relevant sessions from a description rather than requiring manual filter construction.

What does not work: Clarity's terms of service explicitly prohibit attaching personally identifiable information to session recordings. You cannot look up a specific customer's session by email or name. FullStory and LogRocket handle this natively; Clarity does not. No funnel analysis, no form field-level drop-off data. Recordings are stored for 90 days only. And Clarity's script loads from Microsoft's CDN, which means ad blockers can and do intercept it. You will never see the gap in your dashboard.

Right for: any team that wants zero-budget behavioral analytics and does not need user-level identification or form analytics. Value: 9/10. The free price point changes the calculus. Price: $0.

Hotjar

Hotjar invented the modern heatmap category and still dominates it on brand recognition alone. Click maps, scroll maps, move maps (mouse hover correlates with visual attention roughly 87% of the time), and session recordings live alongside survey widgets and feedback polls. The surveys are genuinely differentiated: no other tool in this category matches Hotjar's depth of survey types, targeting logic, and templates.

What does not work: pricing is the perennial complaint. The free tier caps at 35 sessions per day. A site with 1,000 daily visitors captures 3.5% of traffic on Hotjar free. Growth starts at $39/month for 100 daily sessions and scales from there. At 500 daily sessions you are looking at Hotjar Business at $80/month, capturing still a fraction of total traffic while Clarity captures everything at zero. G2 and Trustpilot reviews consistently cite session limits as the main frustration. Hotjar is also web-only with no mobile app support, which matters for product teams with both surfaces.

Right for: teams that need the full feedback loop, combining session data with on-page surveys and user sentiment, not just behavioral replay. Value: 6/10 for pure session recording; 8/10 if you actually use the survey features. Price: $0 free (35 sessions/day), $39/month Observe, $79/month Ask, bundled plans from $99/month.

Mouseflow

Mouseflow is Hotjar's closest feature-equivalent at a lower price point. Session recordings, six heatmap types, funnel tracking, form analytics, and friction scoring per session. The form analytics are particularly strong: field-level drop-off, time to complete by field, and abandoned form replay that shows exactly where users bail. For ecommerce checkout optimization, this specificity is genuinely useful.

What does not work: the interface feels dated relative to FullStory or PostHog. Users on G2 report that the filtering system requires more configuration than Hotjar to get useful segments quickly. No mobile app support. The $109/month cost at 500 daily sessions is higher than Clarity (free) and comparable to Hotjar without the survey depth.

Right for: ecommerce teams optimizing checkout and form conversion where field-level drop-off data justifies the price. Value: 7/10. Price: $31/month Starter, $109/month Growth, $219/month Business, custom Enterprise.

Lucky Orange

Lucky Orange combines session recordings, heatmaps, form analytics, and a live visitor view into one platform at an entry price that undercuts most competitors. The live view is the genuine differentiator: you watch real users navigate your site in real time and can trigger a chat prompt when they show abandonment signals. For ecommerce stores with someone available to monitor the queue, this is genuinely useful. Sessions start at $32/month annually for 3,500 sessions, scaling to $839/month for 300,000.

What does not work: the interface shows its age in places. Users report occasional lag in recording capture and inconsistencies in heatmap rendering on dynamic content. No mobile app analytics. The live view requires someone to be watching; it generates no actionable insight on its own.

Right for: small ecommerce teams that can staff a live chat response to real-time session signals. Value: 8/10. Price: Free (100 sessions/month), $32/month (3,500 sessions), scales to $839/month.

FullStory

FullStory is the enterprise-grade behavioral analytics platform. It autocaptures every DOM interaction without requiring manual tagging, which means retroactive analysis is possible: you can ask a question about user behavior from six months ago against data you never explicitly thought to collect. Session replays include frustration signals (rage clicks, dead clicks, error clicks), funnel analysis, and journey analytics mapping paths across multiple pages. Pricing is enterprise: starts around $1,000/month for business-scale usage, with custom contracts above that.

What does not work: price is prohibitive for SMBs and most mid-market teams. The autocapture model creates data volume that can feel overwhelming without a dedicated analytics function to manage it. FullStory offers no built-in survey capability. Contentsquare acquired Hotjar in 2021 and Heap in 2023, and FullStory is now competing against a consolidated platform with more cross-sell leverage.

Right for: enterprise product and UX teams that need retroactive analysis, user-level session identification, and a compliance-grade data model. Value: 7/10 at enterprise scale; poor value for SMBs. Price: Custom, entry around $1,000/month. Free trial available.

Contentsquare (with Hotjar and Heap)

Contentsquare operates as an experience intelligence platform following its acquisitions of Hotjar in 2021 and Heap in December 2023. The combined platform covers seven automatic heatmap types, session replay with full HTML capture, friction detection across seven signal types including rage clicks and JavaScript errors, form analytics, journey analytics, and revenue impact modeling that calculates potential revenue lost at each funnel drop-off step. It is the most comprehensive behavioral analytics suite in the market.

What does not work: pricing is enterprise. Contentsquare targets large ecommerce brands and financial services companies, not SMBs. The acquisition integration is still ongoing; users who came through the Hotjar or Heap product lines report UI inconsistencies as capabilities merge. Heap's product analytics roadmap has shifted toward Contentsquare's enterprise priorities, which has frustrated the product-led growth audience Heap originally served.

Right for: large ecommerce and enterprise teams that want a single vendor for behavioral analytics, session replay, and revenue impact modeling. Value: 8/10 at enterprise scale. Price: Growth from $49/month (7K sessions), Enterprise custom.

Smartlook

Smartlook covers web and mobile in a single platform, which is its primary differentiator. Native iOS, Android, React Native, and Flutter SDKs give product teams unified session replay across web and app surfaces. For companies with both a website and a mobile product, this eliminates the tool fragmentation that otherwise requires separate investments in a web session recorder and a mobile analytics platform.

What does not work: the feature depth on web is shallower than FullStory or Contentsquare. Enterprise reviews on G2 note that the filtering and segmentation tools are less sophisticated than competitors at similar price points. Small-business teams dominate the review base, which suggests the enterprise fit is still developing.

Right for: product teams that need unified web and mobile session tracking without stitching two separate tools together. Value: 7/10. Price: Free (3K sessions/month), $55/month Pro, custom Business.

PostHog

PostHog is the open-source option that covers session replay, product analytics, feature flags, A/B testing, and surveys in one self-hostable platform. The free tier includes 5,000 session recordings per month. The open-source model means you can self-host on your own infrastructure with full data ownership, which matters for companies in regulated industries or those with EU data residency requirements. Native mobile SDKs for iOS, Android, React Native, and Flutter round out the cross-platform coverage.

What does not work: self-hosting requires engineering capacity to maintain. The cloud-hosted version is straightforward, but organizations choosing PostHog specifically for data control often want self-hosted, which is not a weekend project. The interface prioritizes product analytics; heatmap capabilities are less developed than Hotjar or Mouseflow.

Right for: product-led growth companies that want analytics, experimentation, and session replay in one tool, especially those with EU data residency requirements. Value: 9/10 on the free tier. Price: Free (5K sessions/month), usage-based above that. Self-hosted free.

LogRocket

LogRocket is session replay built for engineering teams. Alongside the standard replay and heatmap capabilities, it captures console logs, Redux state, network requests, and JavaScript errors, linking them to the specific session where they occurred. When a user reports a bug or a checkout fails, you can pull the exact session and see the full technical context: what API call failed, what the error was, what state the application was in. No other tool in this category gives engineers that debugging depth.

What does not work: it is the wrong tool if your primary use case is UX optimization rather than bug investigation. The session-based pricing fluctuates in ways that surprise teams as traffic scales. Non-engineering users find the interface heavier than Hotjar or Clarity.

Right for: engineering and product teams where session replay is primarily a debugging tool, not a UX research tool. Value: 7/10. Price: Free tier available, Teams from $69/month, Enterprise custom.

Matomo

Matomo is the privacy-first self-hosted analytics platform with a heatmap and session recording plugin. You own the data entirely: no third-party servers, no data sharing with the vendor, no sampling. For EU businesses under strict GDPR compliance requirements, Matomo's on-premise model eliminates many of the consent and data transfer obligations that apply to cloud-based tools.

What does not work: heatmaps and session recording are a paid plugin add-on, not included in the base platform. The plugin architecture means setup requires technical capacity. The interface is functional rather than modern. The session recording feature is less polished than dedicated tools.

Right for: EU-based businesses that need full data sovereignty and can accept the trade-off on feature polish and setup complexity. Value: 7/10. Price: Cloud from $23/month (free trial). On-premise free. Heatmaps and sessions plugin additional cost.

Plerdy

Plerdy positions itself as a conversion optimization suite combining heatmaps, session recordings, A/B testing, and profit-driven element analysis that tracks which specific page elements correlate with revenue. The profit-element analysis is distinctive: rather than just showing click patterns, it shows which elements contribute to purchase completion, giving ecommerce teams a direct line from behavioral data to revenue impact.

What does not work: the feature breadth creates complexity that smaller teams find overwhelming. Reviews note a steeper learning curve than Hotjar or Clarity. The A/B testing module is less sophisticated than dedicated experimentation platforms like Optimizely or VWO.

Right for: ecommerce teams that want behavioral analytics tied directly to revenue attribution without enterprise pricing. Value: 7/10. Price: Free plan, paid from $32/month.

VWO (Visual Website Optimizer)

VWO is primarily an experimentation platform that includes behavioral analytics as part of a broader suite. The combination of A/B testing, multivariate testing, heatmaps, session recordings, and on-page surveys in one platform is the pitch: run the test, watch the sessions, read the survey, measure the conversion, all without stitching tools together.

What does not work: if you only need session replay and heatmaps, VWO is overbuilt. You are paying for an experimentation platform and getting analytics as a bundled feature. Teams that are serious about testing will appreciate the integration; teams that are not will find the interface heavier than Hotjar or Clarity for pure behavioral analysis.

Right for: conversion rate optimization teams that run A/B tests actively and want behavioral context native to their testing workflow. Value: 7/10. Price: From $199/month, scales by monthly tracked users.

Inspectlet

Inspectlet is the veteran in the session recording space. It records mouse movements, scrolls, clicks, and keypresses, offers dynamic heatmaps, basic A/B testing, and error logging alongside form analytics. The filtering system is robust: user-level segmentation by source, device, behavior, and custom metadata lets you find specific session types quickly.

What does not work: the interface has not kept pace with the design quality of Clarity, Hotjar, or FullStory. Users on G2 and Capterra note that the UI feels dated. The feature set is solid but not differentiated enough to justify choosing it over competitors with better interfaces at similar price points.

Right for: teams that prioritize filtering flexibility over interface quality and need a reliable mid-market session tool. Value: 6/10. Price: Free (100 sessions/month), $39/month Plus (10K sessions), scales up.

UXtweak

UXtweak positions itself in the UX research space alongside behavioral analytics. Session recordings, heatmaps, and smart filtering (over 40 filter types including clicked elements, typed text, and visited URLs) sit alongside usability testing, card sorting, and tree testing modules. The research depth is genuine: if your team runs structured UX studies in addition to passive session analysis, UXtweak covers both workflows.

What does not work: the analytics features are secondary to the research tools. Teams that want session recording as their primary capability will find Clarity or Hotjar more purpose-built for that use case. The research modules are valuable but add cost and complexity for teams that do not use them.

Right for: UX research teams that want passive session data integrated with structured usability research in one platform. Value: 7/10. Price: Free limited plan, paid from $59/month.

Crazy Egg

Crazy Egg is one of the original heatmap tools and has maintained a simple, accessible product positioning. Click maps, scroll maps, confetti maps (individual click attribution with source/segment data), A/B testing, and session recordings. Simple setup, no developer required, works on any site with a script tag.

What does not work: feature depth is shallower than Hotjar or Mouseflow at comparable price points. The interface, as multiple reviews note, feels dated. Form analytics are limited. The A/B testing module is basic compared to dedicated experimentation platforms.

Right for: small businesses and content sites that want heatmaps and basic recording without complexity. Value: 6/10. Price: From $29/month (5,000 pageviews), scales up.

---

The layer most session recording reviews skip: your data quality before the tool

Here is what no session replay comparison tells you. Those tools are recorders. They record what arrives. If bots arrive, they record bots. If ad blockers intercept the script, they record silence.

Project Andromeda, fully deployed by Meta in October 2025, acts on contaminated conversion signals within hours, not weeks. If your session recordings are being supplemented by bot-corrupted CAPI events, Meta's algorithm is learning from that pollution in near-real-time. The session behavior you are analyzing and the conversion signals you are sending to Meta are downstream of the same corrupted data layer.

The fix for session quality and conversion signal quality is the same thing: IP-level classification before any event fires, first-party script delivery that survives ad blockers, and a consent layer that actually loads.

DataCops addresses this at the infrastructure level. Before any analytics event fires, 361,873,948,495 IPs are classified, covering 146.4 billion datacenter and cloud IPs, 202 billion residential and mobile carrier IPs, 11.9 billion VPN endpoints, and 620 million proxy and anonymizer IPs. Automated sessions from Puppeteer, Selenium, and Playwright are detected and filtered. Bot events never reach your CAPI pipeline. Clean signals flow to Meta, Google, TikTok, and LinkedIn from a single pipeline.

The first-party analytics layer runs on your subdomain via CNAME, not from a third-party CDN. Ad blockers do not see it. And the first-party CMP loads from your domain too: unlike OneTrust and Cookiebot, which load from CDNs that uBlock Origin and Brave block 30-40% of the time, the DataCops consent banner fires on every session. Consent is recorded. Anonymous analytics flow immediately after rejection because anonymous data has always been legal.

For returning user identification, DataCops uses cookieless persistent identity resolution, not cookies. No seven-day ITP expiry. No browser deletion. EU users see the first-party TCF 2.2 CMP banner, consent, and cookieless identity activates. US, UK, and APAC users get identity resolution by default. Returning customers are recognized across visits without any cookie mechanism. Setup is one script tag plus one CNAME record and takes 5-30 minutes with no developer required.

CAPI starts at the Business plan at $49/month, covering Meta, Google, TikTok, and LinkedIn from one pipeline. The Free and Growth plans at $0 and $7.99/month include the first-party analytics, bot detection, and consent management platform without the CAPI connections.

The PillarlabAI case: 4,560 signups collected over four weeks. Only 730 were real humans. 84% were fraudulent, with 650 accounts traced to a single laptop. That ratio is not an outlier. If your signup flow or lead capture has no bot filtering upstream, your CRM, your retargeting audiences, and your attribution models are all working from a corrupted foundation.

---

When DataCops is the wrong call

Pure UX research with no paid media component: if you are a product team analyzing on-site friction with no CAPI requirement and no attribution need, buy Clarity (free) or Hotjar and stop there. DataCops is an infrastructure tool for conversion pipelines, not a session replay platform.

Shopify-only stores under $500K GMV where order-level tracking precision matters most: Elevar at $200/month gives you millisecond-accurate order event tracking native to Shopify. The order-level fidelity at high transaction volumes justifies the cost. DataCops wins on bot filtering and multi-platform CAPI at lower price points, but if your only platform is Shopify and your only concern is conversion accuracy without bot filtering, Elevar has the deeper Shopify integration.

In-house GTM engineering teams that want full container control: Stape at $17/month Pro plus Cloud Run gives your engineers complete ownership of the server-side container. No abstraction layer. Full flexibility to write custom transformations, manage consent manually, and build whatever tag architecture your team specifies. DataCops is an outcome tool. Stape is infrastructure. If you have the engineering capacity to use infrastructure, Stape likely gives you more long-term control.

Teams that need SOC 2 Type II certification today: DataCops is in progress on SOC 2 Type II. Tracklution holds SOC 2 and ISO 27001 now. If your security review requires current certification, factor that into the evaluation timeline.

Small EU agencies running simple Meta and TikTok campaigns: Tracklution at €31/month covers the basics. Simple setup, EU-compliant, Meta plus TikTok plus Google CAPI without the full infrastructure of the DataCops stack. If you are not dealing with significant bot traffic and your multi-platform needs are limited, Tracklution's simplicity wins.

---

The feature comparison

DataCops is the only tool in this table that combines IP-level bot filtering, first-party CNAME delivery, and a first-party TCF 2.2 consent management platform in one architecture. Every other tool is a third-party script that ad blockers can and do intercept. None of them filter bots before recording. None of them include a consent layer.

For the CAPI and conversion tracking layer, see the advanced conversion tracking guide and the Meta CAPI explainer. For fraud traffic specifically, the fraud traffic validation documentation covers what the IP classification actually blocks and how the detection mechanisms differ from behavioral analysis tools.

For consent strategy, the best affordable CMP comparison and the best consent management platform guide cover why first-party CMP delivery changes the consent capture rate. The cookieless analytics comparison explains what is actually lost when you apply cookieless defaults to non-EU traffic.

For B2B teams trying to identify who is visiting, not just what they do when they get there, the B2B conversion tracking best practices guide covers the identity resolution layer separately.

---

The session recordings in your tool right now: what percentage of them can you confirm are real humans? Not "probably most of them." A number. With a methodology behind it.

If you cannot produce that number, your UX analysis is running on an unknown data quality baseline, your conversion optimization is calibrated against a corrupted denominator, and whatever those sessions are teaching your ad platforms about your ideal customer is being cross-pollinated with bot behavior patterns. The tool you use to watch the sessions is the least important part of that problem.