SourceTag
← All docs

Reference

Frequently Asked Questions

Billing and plans

What plans are available?

SourceTag offers a free trial and a range of single-site and multi-domain plans:

  • Trial - 14-day free trial, 1 site, 100 submissions. No credit card required.

Single-site plans:

  • Starter - up to 100 submissions per month
  • Growth - up to 500 submissions per month
  • Pro - unlimited submissions

Multi-domain plans:

  • Multi-site - up to 10 domains, unlimited submissions
  • Multi-site Plus - up to 30 domains, unlimited submissions

All paid plans include every feature. See Pricing for current prices.

Can I upgrade or downgrade my plan?

Yes. Go to Billing in your dashboard and click Manage Subscription. This opens the Stripe customer portal where you can switch plans, change between monthly and annual billing, or update your payment method. Upgrades are prorated. Downgrades take effect at the end of the current billing period.

How do I cancel?

Go to Billing in your dashboard, click Manage Subscription, then cancel from the Stripe customer portal. Your account remains active until the end of the current billing period. After cancellation:

  • Your tracking script continues to run until the period ends
  • Form data already in your CRM or form builder is unaffected (we never stored it)
  • After the period ends, the script stops working and the CDN file is removed

What happens if I exceed my submission limit?

If you hit your plan’s monthly submission limit, the tracking script continues to run and cookies continue to be set. Hidden fields continue to be populated in forms, and the submission counter continues to increment. Your attribution tracking is unaffected. We’ll just ask you to upgrade to a plan that fits your volume.

We’ll send you an email when you’re approaching your limit so you can upgrade if needed.

Data and privacy

What data does SourceTag store?

SourceTag does not store any of your lead data. We never see form submissions, email addresses, names, phone numbers, or any personal information your visitors enter into forms.

Here’s what happens:

  • The tracking script runs entirely in the visitor’s browser
  • Attribution data is stored in a first-party cookie on your domain
  • When a form is submitted, hidden fields are included in the form data and sent to wherever your form sends data (your email, your CRM, your form builder’s database)
  • That data never passes through our servers

The only data we receive is:

  • A beacon ping on form submission (contains only your Site ID, a timestamp, and the domain, no form data)
  • Script download requests to our CDN (standard web server logs)

Is SourceTag GDPR-compliant?

SourceTag uses a first-party cookie. Under GDPR, first-party cookies used for analytics or marketing attribution generally require user consent.

We recommend:

  • Including the SourceTag cookie in your cookie consent banner
  • Categorising it as a “marketing” or “analytics” cookie
  • Only loading the script after the visitor has given consent (most cookie consent tools support this, either through conditional script loading or via GTM consent triggers)

SourceTag does not process personal data on our servers. The cookie contains marketing attribution data (channels, UTM values, click IDs), not personal identifiers. However, some regulators consider click IDs (like gclid) to be pseudonymous personal data, so consent may be the safe approach.

Do you sell or share data?

No. We have no access to your visitors’ personal data, and we don’t share the limited data we do receive (beacon pings, CDN logs) with any third party.

Compatibility

What forms does SourceTag work with?

SourceTag works with any HTML form on the web. If your form renders as a <form> element in the page’s HTML, SourceTag will detect it and populate hidden fields.

This includes, but is not limited to:

  • WordPress form builders (Gravity Forms, WPForms, Contact Form 7, Elementor, Ninja Forms, Formidable, Fluent Forms)
  • Standalone form tools (Typeform, JotForm, Tally, Fillout, Formstack)
  • CRM-embedded forms (HubSpot Forms, Pardot, Salesforce Web-to-Lead)
  • Platform native forms (Webflow, Squarespace, Wix)
  • Landing page builder forms (Unbounce, Instapage, ClickFunnels)
  • Scheduling tools (Calendly, Cal.com, Acuity)
  • Custom HTML forms

For forms that load dynamically (popups, modals, AJAX-loaded content), the MutationObserver detects them automatically.

What about forms in iframes?

If a form is loaded inside an iframe from the same domain, SourceTag can usually access it. If the iframe loads content from a different domain, browser security prevents any script on your domain from interacting with it. This is a browser restriction, not a SourceTag limitation.

For cross-domain iframes (e.g. a HubSpot form embedded as an iframe), the form tool usually provides a way to pass hidden field values via URL parameters or their own API. Check the specific form builder guide or get in touch with us for support.

Does it work on single-page applications?

Yes. SourceTag watches for forms added to the page at any point.

For programmatic form submissions (where there’s no traditional form element), use the JavaScript API to read attribution data and include it in your API calls.

Channel detection

How does SourceTag decide which channel a visitor belongs to?

SourceTag evaluates channel rules top to bottom. Each rule primarily checks utm_medium (not utm_source or utm_campaign), because the medium tells you how the traffic arrived. Some channels also check for click IDs (gclid, msclkid, ttclid, fbclid) or referrer domains. The first rule that matches wins.

utm_source and utm_campaign are used as filters to narrow a match, not as primary detectors. For example, Paid Social detects on utm_medium=cpc but filters on utm_source being a social platform.

See How Channels Work for the full breakdown.

Are AI search engines tracked as Organic Search?

Yes. SourceTag recognises ChatGPT, Claude, Gemini, Copilot, Perplexity, Phind, Meta AI, Kagi, Andi, and Arc Search as search engines. Traffic referred from these domains is categorised as Organic Search. This also works when AI apps (e.g. ChatGPT’s mobile app) add utm_source=chatgpt to links instead of sending a referrer — SourceTag recognises these source values and categorises the traffic as Organic Search. Arc Search is detected via its referrer domain only. See Recognised Search Engine Domains for the full list.

Are link-in-bio tools tracked as Organic Social?

Yes. Linktree, Beacons, bio.link, and similar link-in-bio tools are included in the social network domains list. Traffic from these services is categorised as Organic Social, since users typically reach these links via social platforms. See Recognised Social Network Domains for the full list.

What does “(not set)” mean in form fields?

When a smart field has no value (e.g. no utm_term was present), SourceTag populates the form field with (not set) rather than leaving it blank. This makes it clear in your CRM that the field was captured but had no value, rather than the field being missing entirely.

How long do browser cookies last?

By default, Safari limits JavaScript-set cookies to 7 days via Intelligent Tracking Prevention (ITP). Other privacy-focused browsers may impose similar restrictions. With server-side cookies enabled via the WordPress plugin or the Cloudflare Worker, the cookie persists for up to 400 days. See Safari Cookie Limitations for details.

Cookie consent

Do I need to get consent before using SourceTag?

If you’re subject to GDPR, ePrivacy Directive, or similar privacy regulations, usually yes. SourceTag sets a cookie in the visitor’s browser, and this requires informed consent in most European jurisdictions.

In other regions, cookie consent requirements are generally less strict, but it’s good practice to disclose cookie usage in your privacy policy regardless.

How do I integrate with my cookie consent tool?

Most cookie consent tools (CookieYes, Cookiebot, Iubenda, OneTrust, etc.) let you conditionally load scripts based on consent category.

Method 1: Script type blocking. Change the script tag type so it doesn’t load until consent is given:

<script type="text/plain" data-cookiecategory="marketing"
  src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js"></script>

The exact attribute (data-cookiecategory, data-consent-category, etc.) depends on your consent tool.

Method 2: GTM consent mode. If you load SourceTag via Google Tag Manager, you can use GTM’s consent triggers to only fire the tag when marketing consent has been granted.

Method 3: Delayed loading. Some consent tools provide a JavaScript callback when consent is given. You can use this to dynamically inject the script:

// Example: load SourceTag after consent
onConsentGranted('marketing', function() {
  var s = document.createElement('script');
  s.src = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
  s.async = true;
  document.head.appendChild(s);
});

Cross-domain tracking

Does SourceTag work across multiple domains?

Each top-level domain gets its own cookie. If you run example.com and myotherbrand.com, a visitor moving between these two sites will have separate cookies on each domain.

This is by design. Cookies are scoped to a specific domain by the browser. Cross-domain cookie sharing introduces complexity and privacy concerns.

If you need to connect attribution across domains, consider:

  • Passing key attribution values as URL parameters when linking between domains
  • Using the JavaScript API to read data from one domain and send it to the other via your backend

What about subdomains?

Subdomains share the same cookie automatically. SourceTag auto-detects the cookie domain and sets it to the root domain (e.g. .example.com). This means www.example.com, blog.example.com, and shop.example.com all read from and write to the same cookie. Both subdomains need the script installed. See Cross-Domain and Subdomains for details.

Multi-step forms

Where should the hidden fields go in a multi-step form?

The hidden fields should be in the final step of the form, or in the step that triggers the actual submission. SourceTag populates hidden fields in the <form> element when it detects the form, so they’ll have values regardless of which step the visitor is on. As long as the form’s submit action includes all the hidden fields in the payload, the data will come through.

Some multi-step form builders use separate <form> elements for each step. In this case, SourceTag will populate hidden fields in whichever form element is present on the page. Make sure the form that actually submits to your backend or CRM is the one that contains the hidden fields.

What about conditional/branching forms?

Forms with conditional logic (showing or hiding fields based on answers) work fine with SourceTag. The hidden fields are added to the form element itself, not to any specific conditional step. They’re always present and always included in the submission.

Doesn't answer your question or need more help? Get in touch.