Compliance
Data Privacy
SourceTag takes a privacy-first approach. The attribution data never leaves the visitor’s browser and your form submissions. This page gives a clear breakdown of what is stored where.
Data that stays in the visitor’s browser
All attribution data is stored locally in the visitor’s browser as a first-party cookie. This data is never sent to SourceTag’s servers.
The _sourcetag cookie is set with SameSite=Lax and the Secure flag on HTTPS sites (so it’s only transmitted over encrypted connections). It contains:
- Marketing channel (e.g. Paid Search, Organic Social, Direct)
- Detail field values (d1-d4, content depends on the channel)
- UTM parameter values (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
- Click IDs (gclid, fbclid, msclkid, ttclid, gbraid, wbraid)
- Referrer domain and URL
- Landing page path
- Custom parameter values (if configured)
- First click data (set once, never overwritten)
- Last click data (updated on each new visit with attribution data)
- Visit count (number of sessions)
- Timestamps (first visit and last seen)
When the visitor submits a form on your site, the SourceTag script copies this data from the cookie into hidden form fields. The form data is then submitted to your server, CRM, or email notification system. SourceTag’s infrastructure is not involved in this form submission at all.
Data that SourceTag stores on its servers
SourceTag stores the minimum data needed to run the service:
Account data
- Your email address
- Your name
- Your billing information (managed by Stripe)
Site configuration
- Your site domain(s)
- Channel rules and priority order
- Field group settings (which groups are enabled, custom field names)
- Cookie configuration (name, lifetime)
- Custom parameters
Usage data
- Monthly submission count per site (a single number, updated each time a form submission is detected). This is used to enforce plan limits.
That’s it. The submission count is just a number. SourceTag does not record what the form submission contained, who submitted it, or any details about the visitor.
Data that SourceTag does NOT store
To be explicit, SourceTag does NOT store on its servers:
- Visitor IP addresses
- Visitor names, email addresses, or any form field values
- Attribution data (channels, UTMs, referrers, landing pages)
- Cookie contents
- Click ID values (gclid, fbclid, msclkid, ttclid, etc.)
- Browser fingerprints or device information
- Page view data or browsing history
- Geographic location data
How the data flows
Here’s the complete data flow:
Visitor arrives on your site. The browser loads the SourceTag script from
cdn.sourcetag.io. The script reads the URL parameters and referrer, categorises the visit, and stores the data in a cookie on your domain.Visitor browses your site. On each page load, the script updates the session data (visit count, last seen timestamp) in the cookie. If the visitor returns with new UTM parameters, the last click data is updated.
Visitor submits a form. The script reads the cookie and populates hidden form fields with the attribution data. The form submits to your server/CRM. SourceTag’s submission counter is incremented by one (just the count, no submission data).
You view the data in your CRM or form entries. The attribution data is in your system, alongside the form fields the visitor filled in. SourceTag has no visibility into this data.
The tracking script file
The script file (st.js) is a static JavaScript file hosted on SourceTag’s CDN. It contains your site’s configuration (channel rules, field names, etc.) baked in. When the browser downloads this file, it’s a standard HTTP request. The CDN logs standard access information (IP address, user agent, timestamp) as part of normal CDN operations, but this data is not used by SourceTag for any tracking purpose and is subject to the CDN provider’s retention policies.
Third-party sub-processors
SourceTag uses the following third-party services:
| Service | Purpose | Data involved |
|---|---|---|
| Cloudflare | Application hosting (Pages), edge compute (Workers), database (D1), CDN, DNS | Account data, site config, submission counts, CDN access logs |
| Stripe | Payment processing and subscription billing | Billing information |
| Klaviyo | Onboarding emails, product updates, marketing emails (opt-in) | Email address, name |
| Resend | Transactional email delivery (account notifications, password resets) | Email address |
| Sentry | Error tracking and performance monitoring | Error data (no visitor personal data) |
| Crisp | Live chat on sourcetag.io and the SourceTag dashboard | Chat messages, email (if provided in chat) |
| OAuth authentication (sign in with Google), Google Analytics on sourcetag.io | Name, email, profile picture (OAuth); anonymous usage data (Analytics) |
The full sub-processor list with locations is available on the Sub-processors page. See GDPR Compliance for details.
Visitor data deletion
Since SourceTag doesn’t store visitor-level data on its servers, there’s nothing to delete when a visitor requests data erasure.
The visitor can delete the _sourcetag cookie by clearing their browser cookies. The attribution data in your CRM or form system is your responsibility to delete as the data controller.
Further reading
- GDPR Compliance for compliance roles and responsibilities
- Working with Cookie Consent Tools for conditional script loading
- Cookie Settings for configuring the cookie
Doesn't answer your question or need more help? Get in touch.