You are using hotjar, which logs every keystroke from the user if they have JS enabled. Please, please, don't pretend like you "take security very seriously" when it's very clear that you pull stuff like this without even being aware of the implications, or looking it up when someone asks about it.
The dismissiveness in your other comments on this post show, at best, a huge amount of naivety. If you're hiring, make sure your next technical hire is a (rational) security paranoiac.
