Our data journey

Learn more on how we take care of your data

The Exatom platform is built with a digital privacy focus for your website visitors in mind, this from day one. Moreover, Exatom pioneered cookieless Form Analytics, a way to provide website owners actionable insights on how their forms are performing without the need to show a cookie notice and invade your visitor's digital privacy.

At Exatom, we'll never

  • Collect any data entered on your forms by your visitors
  • Create or use any persistent identifiers to identify visitors over an extended period
  • See if your visitor is active on any other websites where Exatom is used
  • Store any personal data like IP address, user-agent or detailed geographic location
  • Sell any personal data

Tags and technology

Your website should be handled with care, and that is why we heavily invest time and effort in how our tags are operated. We make sure they play nice with every environment.

descriptionForm technology-agnostic

No matter which technology or platform you use to create your web-forms, we continuously try to make our platform compatible with each one.

We support dynamic forms and fields, multi-step forms, single-page applications, and many more scenarios.

codeFramework agnostic

Basic vanilla javascript. No external frameworks are used that could interfere with the ones that you deploy on your website. A secondary reason and benift of not using external dependencies is security.

We're compatible with most popular frameworks and modern website technologies.


We're using a Content Delivery Network to cache and host the content of our tags. This means fast response times for every website visitor, no matter where they are located.

Our tags

To get started with Exatom it's required to place our tags on your website. Each customer receives a set of two (see below). Our tags provide all the necessary data points to provide our services while maintaining your website visitor's digital privacy.

You can place the Exatom script tags directly on your website or within your tag-management solution of choice.

Tag one: Event tag

Our JavaScript event tag is installed on every page of your website. When it's loaded, we look for forms and start analysing visitor activity. Our tags also power our smart tooltips and other offerings.

Tag two: Conversion tag

To put your forms analytics and enhancements in perspective, it's key to measure successful actions (purchase, sign-up, and more). The conversion JavaScript tag should be placed on the so-called 'Thank you' pages.

In our sections What data is collected on my website and Data processing location we dive deeper into the details of what and where we securely and privacy compliant process your visitor's data.

Cookieless analysis explained

Cookies should be delicious, but they have a terrible aftertaste in this digital era. And this is something we understand entirely at Exatom. With our startup, we've bundled a few decades of experience in digital marketing to work on technology that is future-proof and puts your visitors' digital privacy first.

Did you know that only 30% of visitors agree and accept the default choices in your cookie notice? That's only a third of your website visitors that you have visibility on! With cookieless data measurement, you're assured of insights into all your traffic.

Sessions, new or existing

All the data points that we collect are tied to a session, which is a visitor activity timespan of 30 minutes or as long the visitor is active on your website. Based on the session, we can calculate metrics like starts per form, hesitation, conversion attribution, etc.

To see if the event we're analysing is for a new or existing session, we'll need to use a visitor identifier and retrieve its current session.

Visitors and temporary identifiers

To assign all visitor activities to a single session, we'll need a temporary identifier that is unique to the visitor but also respects its digital privacy.

To establish a privacy-safe identifier, we're using the following process:

  • We create a temporary irreversible cryptographic hash for each website visitor that allows us to analyse visitor behavior without using cookies.
  • Our hashing method uses the following data composition: Exatom client-code, user-agent, IP address, current date; All these data points are concatenated into one long string of text and hashed with the irreversible cryptographic SHA-256 algorithm using a secret key.

Example of a temporary identifier (hash)

Exatom client-code: ABCD Visitors browser user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Visitors IP address: Day: 2020-01-01

Given the above data the resulting irreversible SHA-256 hash would be aa6db7d9e2a962d1169947c6d36bffbc32491fe595bc8a9689909be57963c099

Based on the composition of the hash, it's impossible to
  • Identify visitors over an extended period (1 day max)
  • Seeing on which websites a visitor is active, as we include the Exatom client code
  • Obtain any of the input data from the temporary identifier
    • A SHA-256 hash is one way only, so cannot be reversed to get the original data
    • SHA-256 is one of the most secure hashing functions on the market
    • A rotatable secret key is used to create the hash

What data is collected on my website

To ensure digital privacy for each of your online visitors, we deploy the principle of data minimisation. This means we only collect, process and store the data necessary to provide Exatom services.

At Exatom, we will never collect any data entered on your forms. In our data examples, you can see that the value data points will always contain an asterisks *.


Every time the browser executes our tag, we'll collect it as a pageview and internally lookup to see if you have any forms configured that match and assign the pageview appropriately.

Data sample

Type: pageView Page: https://exatom.io Date and time: 2020-01-01T00:00:28.302Z Random identifier: 60c60519-46f62673-a5bf4e8-56e4f5fa

Forms found on your website

When a visitor starts interacting with a form on your website, we capture its basic structure and use it to help you manage your forms easily.

Data sample

Form Name: contact-form ID: contact HTML ID: #contact Destination: /app/website/contact Page: /contact Order: 0 Page title: Exatom - contact us Is visible: yes ​ Fields Name: full_name Label: Your full name ID: fullName HTML ID: #fullName HTML tag: input HTML type: text Order: 0 Value: * Is visible: yes Group label: Contact us ​ Name: email_address Label: Business email ID: email HTML ID: #email HTML tag: input HTML type: email Order: 2 Value: * Is visible: yes Group label: Contact us ​ Date and time: 2020-01-01T00:00:03.978Z Random identifier: 3a384ab9-be87606c-be8b563-c2f1753e

Form events

Every interaction a visitor makes on your forms is analysed and sent over for reporting purposes. For example, when a visitor focuses a field, inputs the requested data, selects a radio button, ticks a checkbox, uses autofill, submits your form, etc.

Data Sample

Form Name: contact-form ID: contact HTML ID: #contact Destination: /app/website/contact Page: /contact Order: 0 Random identifer: ebcefe10-d809-4540-9387-cc7545f6bb19 Event Type: change Value: * Date and time: 2020-01-01T00:00:03.983Z Event number: 3 Field HTML tag: input HTML type: text Order: 1 Label: Your full name Name: full_name ID: fullName Random identifier: 1119bd36-3676-4728-b8cd-9742adde4acb

Conversion events

Every time the browser executes our conversion tag, we will attribute it to one of your configured forms.

Data sample

Tag ID: ABCD1 Type: conversion Date and time: 2020-01-01T00:00:45.000Z ​ Details (optional) Transaction ID: ORD-12381236452673 Revenue: 123.22 ​ Random identifier: 273b28c8-4384-4b57-bbf2-88ef407fd268

Smart tooltip events

When we show a visitor a Motivational Widget or when one is clicked or closed we record those signals for reporting purposes.

Data sample

Type: Smart tooltip impression Trigger Type: ExatomFormStartHesitation ID: c4a9ae02-33ae-4639-98c1-8c1ec9883202 Random identifier: 2020-01-01T00:00:58.503Z

Session Replays

Alongside our Form Analytics product, we provide an optional service Session Replays / Session Recordings, that helps you to understand the qualitative side of the customers' behaviour on your forms (observation and understanding why).

Exatom is a cookieless, privacy-first platform by design. We also took that route whilst developing our Session Replay product.

Exatom's default privacy measurements for Session Recordings, all occurring locally within the user's browser before any data is sent to Exatom:

  • All data within forms is never recorded and replaced with * characters
    • Regardless of whether data was pre-filled, auto-filled or manually entered by the customer
  • All numeric data is replaced with # characters (this includes phone numbers and other possible numeric sensitive data points)
  • All numeric dates are replaced with the date 01/01/1970
  • All email addresses are replaced with privacy@exatom.io
  • Additional controls for safeguarding customers' privacy are available and can be implemented by websites

Data collected for Session Replays

  • Viewed URL's within the website or application
  • The rendered HTML code and incremental changes to it, including text, images, styles, etc
  • Mouse/touch movements, clicks, interactions and scroll behaviour
  • Date and time
Important note: Whilst Exatom implements a good set of first-line privacy measures and controls for Session Recordings, it's crucial for teams to create an inventory of what resembles personal data in their legal jurisdiction and make sure no personal data is being transferred to Exatom.

Data processing location

Our tags are cached and hosted on a worldwide CDN (Content Delivery Network) closest to your visitor, reducing load times to a minimum.

Exatom's data collection leverages AWS (Amazon Web Services) to process and store all your data. This all happens out of the AWS Frankfurt (Germany) location.

AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1. All the AWS services that Exatom is using all fall under the before mentioned certifications.

Data storage and retention

All the stored data does not contain Personal Information, such as IP address, User-Agent, or GEO location.

Our business is privacy-first and founded with a healthy set of digital privacy principles. In terms of storage, this means we'll never store the full IP address, user-agent and geographic location. Instead, we only use small parts of it or anonymise it by applying irreversible cryptographic hashing.

IP address, user-agent and geographic information

The IP address is used to create your temporary identifier and determine your geographic location; from that result, we only store the country, region-code (ex.: Belgium, West Flanders). Your IP address and any other GEO location data is discarded and never stored.

The user-agent describes what browser and device you are using, for example, Mozilla Firefox on a Mac OS desktop machine. We use the user-agent for our temporary identifier and determine what browser- and device type you're using. Again we only keep data we need, discard detailed version info and never store the entire user-agent string.

Your IP address and user-agent data points are always sent to us by the browser, and it's impossible for Exatom not to receive them. As we take digital privacy seriously, we only use this data to extract minimal bits and only store anonymous data or apply an irreversible cryptographic hashing method to it.

Event data

Our event data is the original data described above and stored for 90 days. After that period, data is securely erased and will not be available anymore.

Reporting data

As long as you are a client to us, we'll keep storing your reporting data.


Disclaimer: This document is not intended as legal advice, and we don't accept any legal liability. Our goal is to be transparent in how we process data.

In today's digital world, privacy should not be taken with a grain of salt and should be, like Exatom, be one of the basic principles for building or evolving your business.

Exatom is fully GDPR and ePrivacy Directive compliant. You can consult our Website privacy policy and our Services Privacy policy for more information.