GDPR Compliance
SourceTag is designed with privacy in mind. This page explains how SourceTag fits into your GDPR compliance obligations, what data is involved, and who is responsible for what.
Does SourceTag require cookie consent?
Yes, in the EU and UK. SourceTag sets a first-party cookie (_sourcetag) on your domain. Under GDPR and the ePrivacy Directive, you need the visitor’s consent before setting non-essential cookies.
The _sourcetag cookie is classified as a marketing/analytics cookie (it tracks the source of visits for lead attribution). It is not strictly necessary for the website to function, so it requires consent.
If your visitors are outside the EU/UK, the consent requirements differ by jurisdiction. GDPR specifically applies to visitors in the EU and UK.
How to handle consent
You should only load the SourceTag script after the visitor has given consent for marketing/analytics cookies. See Working with Cookie Consent Tools for specific implementation examples with popular consent tools.
If a visitor does not give consent:
- The SourceTag script should not be loaded
- No cookie is set
- No attribution data is captured
- Forms still work normally, just without the hidden attribution fields
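The consent gate described above, as an added example (not SourceTag's own code). The script URL is a placeholder, the `{ marketing: true }` shape of the consent object is hypothetical, and the cookie path `/` is an assumption; the example also goes one step beyond the list by expiring the cookie when consent is withdrawn.

```javascript
// Placeholder URL: use the script URL from your own SourceTag install snippet.
const SCRIPT_URL = "https://cdn.example.invalid/sourcetag.js";
const COOKIE_NAME = "_sourcetag"; // cookie name documented on this page

// The document is injected so the gate can be exercised outside a browser.
function createSourceTagGate(doc) {
  let scriptEl = null;

  function load() {
    if (scriptEl) return; // already injected; never add the tag twice
    scriptEl = doc.createElement("script");
    scriptEl.src = SCRIPT_URL;
    scriptEl.async = true;
    doc.head.appendChild(scriptEl);
  }

  function revoke() {
    // Removing the tag does not stop code that already ran on this page;
    // it only keeps the gate's state accurate until the next page load.
    if (scriptEl && scriptEl.parentNode) scriptEl.parentNode.removeChild(scriptEl);
    scriptEl = null;
    // Expire the attribution cookie. Path "/" is an assumption: the
    // attributes must match the ones the cookie was set with.
    doc.cookie = `${COOKIE_NAME}=; Max-Age=0; Path=/; SameSite=Lax`;
  }

  // Call this from your consent tool's callback on every consent change.
  // `categories` is a hypothetical shape; map your tool's output onto it.
  function onConsentChange(categories) {
    // Fail closed: anything other than an explicit `true` blocks the script.
    if (categories && categories.marketing === true) {
      load();
      return "loaded";
    }
    revoke();
    return "blocked";
  }

  return { onConsentChange, isLoaded: () => scriptEl !== null };
}

// In the browser: const gate = createSourceTagGate(document);
```

Because the gate fails closed, a missing or malformed consent object leaves the script unloaded and the forms untouched.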
Data roles: controller vs processor
Under GDPR, there are two key roles:
You (the site owner) are the data controller. You decide what data to collect, how to use it, and how long to keep it. You are responsible for having a legal basis for processing (consent, legitimate interest, etc.) and for informing visitors about the data you collect.
SourceTag is the data processor. SourceTag provides the script that runs on your site and generates the tracking script file hosted on its CDN. SourceTag processes data on your behalf according to your instructions.
What this means in practice
- You need to list the _sourcetag cookie in your cookie policy
- You need to describe what data it collects and why
- You need to get consent before loading the script (in the EU/UK)
- SourceTag needs to have a Data Processing Agreement (DPA) with you
Data Processing Agreement (DPA)
SourceTag provides a DPA that covers its obligations as a data processor under GDPR. You can view the DPA here or contact us with any questions.
The DPA covers:
- What personal data is processed
- The purpose and duration of processing
- Security measures in place
- Sub-processor list
- Data breach notification procedures
What data does SourceTag store?
SourceTag’s approach is minimal by design. Here’s the breakdown:
Data that stays in the visitor’s browser
- The _sourcetag cookie (contains channel, UTM values, referrer, landing page, click IDs, visit count, timestamps)
- The hidden form field values (populated from the cookie)
This data is stored on the visitor’s device and submitted with the form to your server or CRM. SourceTag’s servers never see this data.
Data that SourceTag stores on its servers
- Monthly submission counts (a number per site, used for billing and plan limits)
- Site configuration (your channel rules, field settings, cookie settings)
- Account information (your email, billing details)
SourceTag does NOT store on its servers:
- Visitor IP addresses
- Visitor attribution data
- Form submission contents
- Cookie values
- Landing page URLs
- UTM parameter values
- Click IDs
- Referrer data
See Data Privacy for a more detailed breakdown.
Cookie information for your privacy policy
You should include the following information about the SourceTag cookie in your privacy policy or cookie policy:
| Detail | Value |
|---|---|
| Cookie name | _sourcetag |
| Type | First-party, persistent |
| Purpose | Marketing attribution. Tracks the source and channel of website visits to attribute form submissions to the correct marketing channel. |
| Duration | 400 days |
| Data stored | Marketing channel, UTM parameters, referrer domain, landing page, click IDs, visit count, timestamps |
| Category | Marketing / Analytics |
Legitimate interest vs consent
Some organisations consider marketing attribution to fall under “legitimate interest” rather than requiring explicit consent. This is a legal question that depends on your jurisdiction, your data protection authority’s guidance, and your specific situation.
Most organisations in the EU/UK take the safer approach of requiring consent for the cookie. This is what we recommend unless you’ve received specific legal advice to the contrary.
Right to erasure
If a visitor requests deletion of their data under GDPR’s right to erasure:
- Cookie data: The visitor can delete the _sourcetag cookie themselves by clearing their browser cookies, or you can instruct them how to do so
- Form submission data: This is in your CRM or email system. You need to delete it from there as part of your normal data erasure process
- SourceTag’s servers: Since SourceTag doesn’t store visitor-level data, there’s nothing to delete on our end
Further reading
- Working with Cookie Consent Tools for implementation details
- Data Privacy for a detailed breakdown of what data is stored where
