SourceTag

Reference

Frequently Asked Questions

Billing and plans

What plans are available?

SourceTag offers single-site plans and agency plans:

Single-site plans:

  • Basic - for smaller sites with lower form volume
  • Standard - for growing sites with moderate form volume
  • Pro - includes server-side cookies for Safari, priority support, and higher submission limits

Agency plans:

  • Designed for agencies managing multiple client sites
  • Available in tiers of 10, 20, and 40 sites
  • Unlimited form submissions across all sites

All plans start with a 14-day free trial. No credit card required to start.

Can I upgrade or downgrade my plan?

Yes. You can change your plan at any time from the Billing section of your dashboard. When upgrading, you’re charged the prorated difference for the remainder of the billing period. When downgrading, the new price takes effect at the start of the next billing period.

How do I cancel?

Go to Settings > Billing in your dashboard and click Cancel subscription. Your account remains active until the end of the current billing period. After cancellation:

  • Your tracking script continues to run until the period ends
  • Form data already in your CRM or form builder is unaffected (we never stored it)
  • After the period ends, the script stops working and the CDN file is removed

What happens if I exceed my submission limit?

If you hit your plan’s monthly submission limit, the tracking script continues to run and cookies continue to be set. Hidden fields continue to be populated in forms. The only thing that stops is the beacon ping (the optional server-side event sent on form submission). Your core attribution tracking is unaffected.

We’ll send you an email when you’re approaching your limit so you can upgrade if needed.

Data and privacy

What data does SourceTag store?

SourceTag does not store any of your lead data. We never see form submissions, email addresses, names, phone numbers, or any personal information your visitors enter into forms.

Here’s what happens:

  • The tracking script runs entirely in the visitor’s browser
  • Attribution data is stored in a first-party cookie on your domain
  • When a form is submitted, hidden fields are included in the form data and sent to wherever your form sends data (your email, your CRM, your form builder’s database)
  • That data never passes through our servers

The only data we receive is:

  • An optional beacon ping on form submission (contains only your Site ID, a timestamp, and the domain, no form data)
  • Script download requests to our CDN (standard web server logs)

Is SourceTag GDPR-compliant?

SourceTag uses a first-party cookie. Under GDPR, first-party cookies used for analytics or marketing attribution generally require user consent.

We recommend:

  • Including the SourceTag cookie in your cookie consent banner
  • Categorising it as a “marketing” or “analytics” cookie
  • Only loading the script after the visitor has given consent (most cookie consent tools support this, either through conditional script loading or via GTM consent triggers)

SourceTag does not process personal data on our servers. The cookie contains marketing attribution data (channels, UTM values, click IDs), not personal identifiers. However, some regulators consider click IDs (like gclid) to be pseudonymous personal data, so consent is the safe approach.

Do you sell or share data?

No. We have no access to your visitors’ personal data, and we don’t share the limited data we do receive (beacon pings, CDN logs) with any third party.

Compatibility

What forms does SourceTag work with?

SourceTag works with any HTML form on the web. If your form renders as a <form> element in the page’s HTML, SourceTag will detect it and populate hidden fields.

This includes:

  • WordPress form builders (Gravity Forms, WPForms, Contact Form 7, Elementor, Ninja Forms, Formidable, Fluent Forms)
  • Standalone form tools (Typeform, JotForm, Tally, Fillout, Formstack)
  • CRM-embedded forms (HubSpot Forms, Pardot, Salesforce Web-to-Lead)
  • Platform native forms (Webflow, Squarespace, Wix)
  • Landing page builder forms (Unbounce, Instapage, ClickFunnels)
  • Scheduling tools (Calendly, Cal.com, Acuity)
  • Custom HTML forms

For forms that load dynamically (popups, modals, AJAX-loaded content), the MutationObserver detects them automatically.

What about forms in iframes?

If a form is loaded inside an iframe from the same domain, SourceTag can access it. If the iframe loads content from a different domain, browser security prevents any script on your domain from interacting with it. This is a browser restriction, not a SourceTag limitation.

For cross-domain iframes (e.g. a HubSpot form embedded as an iframe), the form tool usually provides a way to pass hidden field values via URL parameters or their own API. Check the specific form builder guide.

Does it work on single-page applications?

Yes. The MutationObserver watches for forms added to the DOM at any point, so dynamically rendered forms in React, Vue, Angular, or other SPA frameworks are detected.

For programmatic form submissions (where there’s no traditional form element), use the JavaScript API to read attribution data and include it in your API calls.

Channel detection

How does SourceTag decide which channel a visitor belongs to?

SourceTag evaluates channel rules top to bottom. Each rule primarily checks utm_medium (not utm_source or utm_campaign), because the medium tells you how the traffic arrived. Some channels also check for click IDs (gclid, msclkid) or referrer domains. The first rule that matches wins.

utm_source and utm_campaign are used as filters to narrow a match, not as primary detectors. For example, Paid Social detects on utm_medium=cpc but filters on utm_source being a social platform.

See How Channels Work for the full breakdown.

Are AI search engines tracked as Organic Search?

Yes. SourceTag recognises ChatGPT, Claude, Gemini, Copilot, Perplexity, Phind, Meta AI, Kagi, Andi, and Arc Search as search engines. Traffic referred from these domains is categorised as Organic Search. See Recognised Search Engine Domains for the full list.

Are link-in-bio tools tracked as Organic Social?

Yes. Linktree, Beacons, bio.link, and similar link-in-bio tools are included in the social network domains list. Traffic from these services is categorised as Organic Social, since users typically reach these links via social platforms. See Recognised Social Network Domains for the full list.

What does “(not set)” mean in form fields?

When a detail field has no value (e.g. no utm_term was present), SourceTag populates the form field with (not set) rather than leaving it blank. This makes it clear in your CRM that the field was captured but had no value, rather than the field being missing entirely.

How long do Safari cookies last?

By default, Safari limits JavaScript-set cookies to 7 days (ITP). With server-side cookies enabled (WordPress plugin or data-server-cookie attribute), the cookie persists for up to 400 days. See Safari Cookie Limitations for details.

Cookie consent

Do I need to get consent before using SourceTag?

If you’re subject to GDPR, ePrivacy Directive, or similar privacy regulations, yes. SourceTag sets a cookie in the visitor’s browser, and this requires informed consent in most European jurisdictions.

In other regions (US, NZ, Australia), cookie consent requirements are generally less strict, but it’s good practice to disclose cookie usage in your privacy policy regardless.

How do I integrate with my cookie consent tool?

Most cookie consent tools (CookieYes, Cookiebot, Iubenda, OneTrust, etc.) let you conditionally load scripts based on consent category.

Method 1: Script type blocking. Change the script tag type so it doesn’t load until consent is given:

<script type="text/plain" data-cookiecategory="marketing"
  src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js" async></script>

The exact attribute (data-cookiecategory, data-consent-category, etc.) depends on your consent tool.

Method 2: GTM consent mode. If you load SourceTag via Google Tag Manager, you can use GTM’s consent triggers to only fire the tag when marketing consent has been granted.

Method 3: Delayed loading. Some consent tools provide a JavaScript callback when consent is given. You can use this to dynamically inject the script:

// Example: load SourceTag after consent
onConsentGranted('marketing', function() {
  var s = document.createElement('script');
  s.src = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
  s.async = true;
  document.head.appendChild(s);
});

Cross-domain tracking

Does SourceTag work across multiple domains?

Each domain gets its own cookie. If you run example.com and shop.example.com, a visitor moving between these two sites will have separate cookies on each domain.

This is by design. Cookies are scoped to a specific domain by the browser. Cross-domain cookie sharing introduces complexity and privacy concerns.

If you need to connect attribution across domains, consider:

  • Passing key attribution values as URL parameters when linking between domains
  • Using the JavaScript API to read data from one domain and send it to the other via your backend

What about subdomains?

SourceTag auto-detects the cookie domain and sets it to the root domain (e.g. .example.com). This means subdomains like www.example.com and blog.example.com share the same cookie automatically. Both subdomains need the script installed, but they read from and write to the same cookie. See Cross-Domain and Subdomains for details.

Multi-step forms

Where should the hidden fields go in a multi-step form?

The hidden fields should be in the final step of the form, or in the step that triggers the actual submission. SourceTag adds hidden fields to the <form> element when it detects the form, so they’ll be present regardless of which step the visitor is on. As long as the form’s submit action includes all the hidden fields in the payload, the data will come through.

Some multi-step form builders use separate <form> elements for each step. In this case, SourceTag will add hidden fields to whichever form element is present on the page. Make sure the form that actually submits to your backend or CRM is the one that contains the hidden fields.

What about conditional/branching forms?

Forms with conditional logic (showing or hiding fields based on answers) work fine with SourceTag. The hidden fields are added to the form element itself, not to any specific conditional step. They’re always present and always included in the submission.