GDPR Compliance
SourceTag is designed with privacy in mind. Here's how we handle GDPR.
We don't store visitor data
SourceTag does not collect, store, or process your visitors' personal data on our servers. The attribution data (UTMs, channel, landing page, etc.) is stored in a first-party cookie on the visitor's device and submitted directly to your form. We only receive an anonymous count of form submissions (site ID + timestamp).
Roles
| Party | GDPR Role | What they control |
|---|---|---|
| You (our customer) | Data Controller | The cookie set on your visitors' devices, the form submission data |
| SourceTag | Data Processor | The script that sets the cookie and populates form fields on your behalf |
Your obligations
- Cookie consent: You must obtain consent before the SourceTag cookie is set if your visitors are in the EU/UK. Implement a cookie consent banner (CookieYes, Iubenda, Cookiebot, etc.).
- Cookie policy: Include the SourceTag cookie in your website's cookie policy.
- Privacy policy: Mention that you use a lead attribution tool and explain what data it captures.
Our commitments
- We offer a Data Processing Agreement (DPA) to all customers
- We maintain a sub-processors list
- We process data only as instructed by you (through your site configuration)
- All data is hosted on Cloudflare's infrastructure
- We will notify you of any data breach within 72 hours
Data minimisation
We've designed SourceTag to minimise the data we handle:
- No visitor personal data on our servers
- No IP addresses stored
- No cross-site tracking
- No data shared with third parties for advertising
- Lead counters are anonymous (site ID + timestamp, no visitor identifiers)
Questions
Contact us at privacy@sourcetag.io for any GDPR-related enquiries.