← Back to Home

Legal

Privacy Policy

Effective Date: April 7th 2026 | Last Updated: April 8th 2026

1. Introduction

Sourcemetrics ("we," "our," or "us") provides a marketing attribution platform that helps businesses understand how their advertising and marketing efforts drive customer engagement and revenue. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform and services.

This policy applies to:

  • Platform Users — Businesses and individuals who use the Sourcemetrics dashboard to manage connections, view analytics, and configure attribution settings.
  • Website Visitors — Individuals who visit websites operated by our customers where the Sourcemetrics tracking script is installed.

1.1 Our Legal Role (Controller vs. Processor)

Under applicable data protection laws (such as the GDPR and CCPA), Sourcemetrics acts as a Data Controller for the personal information of our Platform Users (e.g., account details and organization information). We act as a Data Processor (or Service Provider) for the data collected from Website Visitors via our tracking script on behalf of our customers. Our customers are the Data Controllers of their website visitors' data.

2. Information We Collect

2.1 Information from Platform Users (Dashboard)

When you create an account and use the Sourcemetrics platform, we collect:

  • Account Information — Email address, display name, and authentication credentials via Firebase Authentication.
  • Organization Information — Company name, customer ID, and role assignments.
  • Connected Account Data — When you connect third-party services (Google Ads, Salesforce, Microsoft Ads), we collect account identifiers, campaign metrics, and performance data through authorized API access.
  • Usage Preferences — Dashboard settings, date range selections, and view configurations stored in browser cookies.

2.2 Information Collected via the Tracking Script

When our customers install the Sourcemetrics tracking script on their websites, the script collects the following information from website visitors:

  • Browsing Data: Page URLs visited and referrer URLs, landing page and destination URLs, time spent on each page, session duration and page view counts.
  • Device and Browser Information: Browser type and version, screen dimensions and device type (mobile, tablet, or desktop), browser language and timezone, and a hashed device identifier derived from browser characteristics. The raw data is not stored — only a one-way hash is retained for anonymous visitor recognition.
  • Form Submission Data: When a website visitor submits a form (excluding login forms), we collect the email address and form field data submitted. We automatically exclude password fields and login/sign-in forms from collection. Form data is used to identify prospects and link website activity to CRM records.
  • Cookies: The tracking script sets a small number of first-party cookies used solely for session management and visitor recognition. These cookies have lifetimes ranging from 30 minutes (session) to 1 year (visitor identification) and are not used to track visitors across unrelated websites.

2.3 Information from Third-Party Integrations

When platform users connect third-party services, we access data through authorized APIs:

  • Google Ads — Account information, campaign performance metrics (impressions, clicks, conversions, cost), and click attribution data.
  • Salesforce CRM — Contacts, leads, accounts, opportunities, campaigns, and campaign member records.
  • Microsoft Ads — Account information and campaign performance metrics.

3. How We Use Information

We use the information we collect to:

  • Provide attribution analytics — Link marketing touchpoints to sales outcomes using multi-touch attribution models.
  • Enrich marketing data — Connect website visitor behavior with advertising data and CRM records to provide full-funnel visibility.
  • Configure connected platforms — With your authorization, we may write limited configuration data back to connected platforms to enable attribution tracking. For example: Google Ads — Setting tracking URL templates and enabling auto-tagging on your account so that ad clicks can be attributed to website visits. Salesforce — Syncing attribution records back to your CRM so that marketing credit is visible alongside your sales data.
  • Maintain connections — Manage authorized access to third-party platforms on behalf of our customers.
  • Improve our service — Monitor platform performance, diagnose errors, and improve functionality.
  • Provide customer support — Diagnose connection issues and troubleshoot data discrepancies.

We do not:

  • Sell personal information to third parties.
  • Use collected data for advertising purposes outside of our customers' attribution analysis.
  • Share individual visitor data across different Sourcemetrics customers.

3.1 Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), our legal basis for collecting and using the personal information described above depends on the specific context:

  • Performance of a Contract: To provide our platform services to Platform Users.
  • Legitimate Interests: To improve our platform, ensure security, and provide customer support, provided these interests are not overridden by your data protection rights.
  • Consent: Where applicable, such as when Website Visitors consent to our customers' use of tracking cookies.

4. Data Storage, Security, and Transfers

4.1 Where Data is Stored

All infrastructure is hosted on Google Cloud Platform.

4.2 International Data Transfers

Information we collect may be transferred to, stored, and processed in the United States or other countries where our infrastructure providers operate. When we transfer personal data originating from the EEA, UK, or Switzerland to other countries, we rely on legally approved transfer mechanisms, such as Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework.

4.3 Encryption

  • In transit — All data is encrypted using TLS 1.2 or higher.
  • At rest — All stored data is encrypted using industry-standard encryption. OAuth tokens are encrypted at the application level before storage and are never stored in plaintext.

4.4 Access Controls & Breach Notification

All data access is routed through backend services — no customer data is accessible from client-side code. Production systems are protected by role-based access controls and minimum-privilege service accounts. OAuth tokens are stored server-side only and are never exposed to frontend applications. While no system is completely secure, in the event of a data breach that compromises personal information, we will notify affected individuals and relevant regulatory authorities in accordance with applicable legal requirements.

5. Data Sharing

We share data only in the following circumstances:

  • With our customers — We provide aggregated attribution analytics and prospect data to the Sourcemetrics customer who installed the tracking script on their website.
  • With connected third-party platforms — We sync attribution records back to connected platforms (e.g., Salesforce) as configured by the customer.
  • Infrastructure providers — We use Google Cloud Platform to host our services. Google acts as a data processor under their data processing terms.
  • Legal requirements — We may disclose information if required by law, legal process, or government request.

6. Data Retention

  • Active subscriptions — Data is retained for the duration of the customer's active subscription.
  • After cancellation — Customer data is retained for 30 days to allow for reactivation, after which it is permanently deleted.
  • Immediate deletion — Customers can request immediate data deletion at any time by contacting support.
  • Connection disconnection — OAuth tokens are deleted immediately when a customer disconnects a third-party service from the Sourcemetrics dashboard.

7. Cookies and Tracking Technologies

7.1 Tracking Script Cookies

The Sourcemetrics tracking script sets a small number of first-party cookies on websites where it is installed, as described in Section 2.2. These cookies are used solely for marketing attribution purposes and do not track users across unrelated websites.

7.2 Platform Cookies

The Sourcemetrics dashboard uses cookies for authentication session management and user interface preferences (sidebar state, date range selections). These are functional cookies required for the platform to operate.

8. Your Privacy Rights and Choices

Depending on your location (such as the EEA, UK, or California), you may have specific statutory rights regarding your personal data under the GDPR, CCPA, or similar laws. These include the right to access, correct, delete, or restrict the processing of your data, the right to data portability, and the right to not be discriminated against for exercising these rights.

8.1 For Platform Users

  • Access and export — You can view and export your data through the Sourcemetrics dashboard.
  • Deletion — You can request deletion of your account and associated data by contacting support.
  • Disconnect services — You can revoke Sourcemetrics' access to connected platforms at any time from the Connections page, or directly from the third-party platform's settings.

8.2 For Website Visitors

  • Browser controls — You can clear or block cookies through your browser settings, which will reset your anonymous visitor identifier.
  • Form submissions — Email addresses and form data are only collected when you voluntarily submit a form on a website using Sourcemetrics.
  • Contact us — You can contact us to request information about or deletion of data associated with your email address.

9. Third-Party Services

Sourcemetrics integrates with the following third-party services. Their use of your data is governed by their respective privacy policies:

  • Google Ads — Google Privacy Policy
  • Salesforce — Salesforce Privacy Policy
  • Microsoft Advertising — Microsoft Privacy Statement
  • Firebase / Google Cloud Platform — Google Cloud Privacy Notice

10. Children's Privacy

Our platform and tracking services are not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or 16 where applicable by law). If we become aware that we have inadvertently collected personal information from a child under the applicable age of consent, we will take steps to delete that information as quickly as possible.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify platform users of material changes via email or through the Sourcemetrics dashboard. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@sourcemetrics.com
Website: https://www.sourcemetrics.com