AttributionHub

beta
Skip to Content
Privacy & Compliance

Privacy & Compliance

AttributionHub is designed with privacy as a core principle. Here’s how it handles user data and compliance with privacy regulations.

No Cookies

AttributionHub does not use cookies. All data is stored exclusively in the browser’s localStorage. This has important implications:

  • No cookie consent banners required in most jurisdictions
  • Data does not leave the user’s browser until a form is submitted
  • No cross-site tracking capability
  • No third-party cookie concerns

Data Storage

What is stored

Attribution data is stored in localStorage under a single key (attrhub by default). The stored data includes:

  • Traffic source information (channel, source, medium, campaign)
  • Landing page URLs and referrer URLs
  • A randomly generated visitor UUID (not linked to any personal data)
  • Timestamps of visits
  • Touch count

What is NOT stored

  • No personal identifiable information (PII)
  • No IP addresses
  • No device fingerprints
  • No cross-browser or cross-device identifiers
  • No behavioral data beyond attribution context

Data scope

  • Data is browser-scoped: each browser on each device has its own independent data
  • Data is origin-scoped: only accessible by scripts on the same domain
  • Data persists in localStorage until the user clears browser data

GDPR Compliance

Under the EU General Data Protection Regulation (GDPR):

  • Legitimate interest can be claimed as the lawful basis for processing, since attribution data is essential for understanding marketing effectiveness
  • No personal data is collected until the user voluntarily submits a form containing their personal details
  • Attribution data is attached to the form submission, so it becomes part of the user’s voluntary data disclosure
  • Right to erasure: since data is stored client-side, users can clear it by clearing their browser’s localStorage
  • Data minimization: only marketing-relevant metadata is captured, no behavioral tracking

Recommendation: While AttributionHub’s localStorage-only approach typically does not require cookie consent, consult your legal team about your specific privacy obligations. Some interpretations of ePrivacy Directive may consider localStorage as requiring consent.

CCPA Compliance

Under the California Consumer Privacy Act (CCPA):

  • AttributionHub does not sell personal data
  • Attribution data is collected for the sole purpose of connecting marketing activity to form submissions
  • Users can request deletion of their data through your standard data subject request process

Data Flow

Browser localStorage (client-side only)
    |
    | (form submission)
    v
Your form handler / CRM
    |
    v
Your database (you control this data)

AttributionHub does not send data to any external server. The only time attribution data leaves the browser is when the user submits a form on your website. At that point, it becomes part of your normal form submission data flow.

Security Considerations

  • No server-side component: the script runs entirely in the browser
  • XSS protection: attribution data should be sanitized when stored in your database, like any other form input
  • License validation: the script performs a lightweight license check but does not transmit visitor data during this process
  • Graceful degradation: if localStorage is blocked (private browsing, full storage), the script fails silently without errors

Recommendations

  1. Mention in your privacy policy that you use AttributionHub for marketing attribution tracking
  2. Describe what data is collected: traffic source, campaign, landing page, referrer, and a random visitor ID
  3. Explain the purpose: to understand which marketing channels bring visitors to your site
  4. Note the retention: data persists in the browser’s localStorage until cleared by the user
  5. Sanitize form data: treat attribution fields like any other user input when storing in your database
Glossary