Our data journey
Learn more on how we take care of your dataThe Exatom platform is built with a digital privacy focus for your website visitors in mind, this from day one. Moreover, Exatom pioneered cookieless Form Analytics, a way to provide website owners actionable insights on how their forms are performing without the need to show a cookie notice and invade your visitor's digital privacy.
At Exatom, we'll never
- Collect any data entered on your forms by your visitors
- Create or use any persistent identifiers to identify visitors over an extended period
- See if your visitor is active on any other websites where Exatom is used
- Store any personal data like IP address, user-agent or detailed geographic location
- Sell any personal data
Tags and technology
Your website should be handled with care, and that is why we heavily invest time and effort in how our tags are operated. We make sure they play nice with every environment.
No matter which technology or platform you use to create your web-forms, we continuously try to make our platform compatible with each one.
We support dynamic forms and fields, multi-step forms, single-page applications, and many more scenarios.
Basic vanilla javascript. No external frameworks are used that could interfere with the ones that you deploy on your website. A secondary reason and benift of not using external dependencies is security.
We're compatible with most popular frameworks and modern website technologies.
We're using a Content Delivery Network to cache and host the content of our tags. This means fast response times for every website visitor, no matter where they are located.
Our tags
To get started with Exatom it's required to place our tags on your website. Each customer receives a set of two (see below). Our tags provide all the necessary data points to provide our services while maintaining your website visitor's digital privacy.
You can place the Exatom script tags directly on your website or within your tag-management solution of choice.
Tag one: Event tag
Our JavaScript event tag is installed on every page of your website. When it's loaded, we look for forms and start analysing visitor activity. Our tags also power our smart tooltips and other offerings.
Tag two: Conversion tag
To put your forms analytics and enhancements in perspective, it's key to measure successful actions (purchase, sign-up, and more). The conversion JavaScript tag should be placed on the so-called 'Thank you' pages.
In our sections What data is collected on my website and Data processing location we dive deeper into the details of what and where we securely and privacy compliant process your visitor's data.
Cookieless analysis explained
Cookies should be delicious, but they have a terrible aftertaste in this digital era. And this is something we understand entirely at Exatom. With our startup, we've bundled a few decades of experience in digital marketing to work on technology that is future-proof and puts your visitors' digital privacy first.
Did you know that only 30% of visitors agree and accept the default choices in your cookie notice? That's only a third of your website visitors that you have visibility on! With cookieless data measurement, you're assured of insights into all your traffic.
Sessions, new or existing
All the data points that we collect are tied to a session, which is a visitor activity timespan of 30 minutes or as long the visitor is active on your website. Based on the session, we can calculate metrics like starts per form, hesitation, conversion attribution, etc.
To see if the event we're analysing is for a new or existing session, we'll need to use a visitor identifier and retrieve its current session.
Visitors and temporary identifiers
To assign all visitor activities to a single session, we'll need a temporary identifier that is unique to the visitor but also respects its digital privacy.
To establish a privacy-safe identifier, we're using the following process:
- We create a temporary irreversible cryptographic hash for each website visitor that allows us to analyse visitor behavior without using cookies.
- Our hashing method uses the following data composition: Exatom client-code, user-agent, IP address, current date; All these data points are concatenated into one long string of text and hashed with the irreversible cryptographic SHA-256 algorithm using a secret key.
Example of a temporary identifier (hash)
Exatom client-code: ABCD
Visitors browser user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Visitors IP address: 123.44.18.240
Day: 2020-01-01
Given the above data the resulting irreversible SHA-256 hash would be aa6db7d9e2a962d1169947c6d36bffbc32491fe595bc8a9689909be57963c099
Based on the composition of the hash, it's impossible to- Identify visitors over an extended period (1 day max)
- Seeing on which websites a visitor is active, as we include the Exatom client code
- Obtain any of the input data from the temporary identifier
- A SHA-256 hash is one way only, so cannot be reversed to get the original data
- SHA-256 is one of the most secure hashing functions on the market
- A rotatable secret key is used to create the hash
What data is collected on my website
To ensure digital privacy for each of your online visitors, we deploy the principle of data minimisation. This means we only collect, process and store the data necessary to provide Exatom services.
At Exatom, we will never collect any data entered on your forms. In our data examples, you can see that the value data points will always contain an asterisks *.
Pageviews
Every time the browser executes our tag, we'll collect it as a pageview and internally lookup to see if you have any forms configured that match and assign the pageview appropriately.
Data sample
Type: pageView
Page: https://exatom.io
Date and time: 2020-01-01T00:00:28.302Z
Random identifier: 60c60519-46f62673-a5bf4e8-56e4f5fa
Forms found on your website
When a visitor starts interacting with a form on your website, we capture its basic structure and use it to help you manage your forms easily.
Data sample
Form
Name: contact-form
ID: contact
HTML ID: #contact
Destination: /app/website/contact
Page: /contact
Order: 0
Page title: Exatom - contact us
Is visible: yes
Fields
Name: full_name
Label: Your full name
ID: fullName
HTML ID: #fullName
HTML tag: input
HTML type: text
Order: 0
Value: *
Is visible: yes
Group label: Contact us
Name: email_address
Label: Business email
ID: email
HTML ID: #email
HTML tag: input
HTML type: email
Order: 2
Value: *
Is visible: yes
Group label: Contact us
Date and time: 2020-01-01T00:00:03.978Z
Random identifier: 3a384ab9-be87606c-be8b563-c2f1753e
Form events
Every interaction a visitor makes on your forms is analysed and sent over for reporting purposes. For example, when a visitor focuses a field, inputs the requested data, selects a radio button, ticks a checkbox, uses autofill, submits your form, etc.
Data Sample
Form
Name: contact-form
ID: contact
HTML ID: #contact
Destination: /app/website/contact
Page: /contact
Order: 0
Random identifer: ebcefe10-d809-4540-9387-cc7545f6bb19
Event
Type: change
Value: *
Date and time: 2020-01-01T00:00:03.983Z
Event number: 3
Field
HTML tag: input
HTML type: text
Order: 1
Label: Your full name
Name: full_name
ID: fullName
Random identifier: 1119bd36-3676-4728-b8cd-9742adde4acb
Conversion events
Every time the browser executes our conversion tag, we will attribute it to one of your configured forms.
Data sample
Tag ID: ABCD1
Type: conversion
Date and time: 2020-01-01T00:00:45.000Z
Details (optional)
Transaction ID: ORD-12381236452673
Revenue: 123.22
Random identifier: 273b28c8-4384-4b57-bbf2-88ef407fd268
Smart tooltip events
When we show a visitor a Motivational Widget or when one is clicked or closed we record those signals for reporting purposes.
Data sample
Type: Smart tooltip impression
Trigger Type: ExatomFormStartHesitation
ID: c4a9ae02-33ae-4639-98c1-8c1ec9883202
Random identifier: 2020-01-01T00:00:58.503Z
Session Replays
Alongside our Form Analytics product, we provide an optional service Session Replays / Session Recordings, that helps you to understand the qualitative side of the customers' behaviour on your forms (observation and understanding why).
Exatom is a cookieless, privacy-first platform by design. We also took that route whilst developing our Session Replay product.
Exatom's default privacy measurements for Session Recordings, all occurring locally within the user's browser before any data is sent to Exatom:
-
All data within forms is never recorded and replaced with * characters
- Regardless of whether data was pre-filled, auto-filled or manually entered by the customer
- All numeric data is replaced with # characters (this includes phone numbers and other possible numeric sensitive data points)
- All numeric dates are replaced with the date 01/01/1970
- All email addresses are replaced with privacy@exatom.io
- Additional controls for safeguarding customers' privacy are available and can be implemented by websites
Data collected for Session Replays
- Viewed URL's within the website or application
- The rendered HTML code and incremental changes to it, including text, images, styles, etc
- Mouse/touch movements, clicks, interactions and scroll behaviour
- Date and time
Data processing location
Our tags are cached and hosted on a worldwide CDN (Content Delivery Network) closest to your visitor, reducing load times to a minimum.
Exatom's data collection leverages AWS (Amazon Web Services) to process and store all your data. This all happens out of the AWS Frankfurt (Germany) location.
AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1. All the AWS services that Exatom is using all fall under the before mentioned certifications.
Data storage and retention
All the stored data does not contain Personal Information, such as IP address, User-Agent, or GEO location.
Our business is privacy-first and founded with a healthy set of digital privacy principles. In terms of storage, this means we'll never store the full IP address, user-agent and geographic location. Instead, we only use small parts of it or anonymise it by applying irreversible cryptographic hashing.
IP address, user-agent and geographic information
The IP address is used to create your temporary identifier and determine your geographic location; from that result, we only store the country, region-code (ex.: Belgium, West Flanders). Your IP address and any other GEO location data is discarded and never stored.
The user-agent describes what browser and device you are using, for example, Mozilla Firefox on a Mac OS desktop machine. We use the user-agent for our temporary identifier and determine what browser- and device type you're using. Again we only keep data we need, discard detailed version info and never store the entire user-agent string.
Your IP address and user-agent data points are always sent to us by the browser, and it's impossible for Exatom not to receive them. As we take digital privacy seriously, we only use this data to extract minimal bits and only store anonymous data or apply an irreversible cryptographic hashing method to it.
Event data
Our event data is the original data described above and stored for 90 days. After that period, data is securely erased and will not be available anymore.
Reporting data
As long as you are a client to us, we'll keep storing your reporting data.
Compliance
In today's digital world, privacy should not be taken with a grain of salt and should be, like Exatom, be one of the basic principles for building or evolving your business.
Exatom is fully GDPR and ePrivacy Directive compliant. You can consult our Website privacy policy and our Services Privacy policy for more information.