Service privacy policy
Last updated: 12 May 2026
This policy covers the OpenAttribution telemetry service, dashboard, and API. If you are just browsing our website, see our website privacy notice.
OpenAttribution ("OpenAttribution," "we," or "us") is a community interest company limited by guarantee, registered in England and Wales (company number 17002582). We operate openattribution.org, api.openattribution.org, and telemetry.openattribution.org.
This policy explains what data we collect, why, and what we do with it. We have tried to keep it short and honest. If something is unclear, email privacy@openattribution.org or use our privacy request form.
What we collect
Account data
When you create an account we collect:
- Email address (required - used for passwordless sign-in)
- Name (optional - from Google if you use OAuth)
- Organisation name and domain (during onboarding)
If you sign in with Google, we receive your Google profile (name, email, profile picture URL, email verification status). We store the email and name. We do not store your profile picture or access any other Google data.
Domain verification data
When you register a domain, we store the domain name, the verification method used (.well-known manifest, DNS TXT, or HTML meta tag), the verification timestamp, and a verification token used by the DNS and HTML methods.
Telemetry data
The core purpose of OpenAttribution is to receive and store content attribution telemetry. When AI agents or publishers send telemetry to our API, we store:
- Session metadata - session ID, timestamps, content scope, agent ID
- Content events - URLs retrieved, cited, displayed, or engaged with
- Conversation signals - privacy level, intent category, topic tags, token counts
- Commerce events - product views, cart actions, checkout outcomes
- Outcome data - conversion type and value
- Source role - which system reported the event (agent, publisher origin, CDN, index)
- Correlation IDs - for deduplicating events reported by multiple observers
Telemetry is designed to track content influence, not people. The specification explicitly discourages personally identifiable information. The user_context field accepts only opaque identifiers and segment labels - never names, emails, or device fingerprints.
However, we cannot fully control what third parties include in free-form fields. If you believe telemetry data contains your personal information, contact us and we will investigate and remove it.
Server logs
Our servers log IP addresses, user agent strings, request paths, and timestamps for operational and security purposes. Logs are retained for 30 days.
Website analytics
We use PostHog to understand how the site and dashboard are used - which pages are visited, which flows people complete. It runs cookieless: we hold no persistent identifier, so we cannot link visits over time or across devices, and we do not record sessions or capture form inputs. Analytics requests are proxied through our own domain (openattribution.org/ingest) and forwarded server-side to PostHog's EU infrastructure.
Click attribution tokens
When a user clicks a link that passes through our attribution redirect, we generate a short-lived token to correlate the click with a downstream outcome. These tokens are opaque identifiers - they do not contain personal data.
Cookies
We set one cookie: session. It is httpOnly, Secure, SameSite=Lax, and expires after 30 days. It contains a hashed session token. That is it. No analytics cookies, no tracking pixels, no third-party cookies - our website analytics is cookieless (see above).
During Google OAuth sign-in, a temporary google_oauth_state cookie is set for CSRF protection. It expires after 10 minutes and is deleted after use.
Why we collect it
| Data | Legal basis (UK & EU GDPR) | Purpose |
|---|---|---|
| Account data | Contract performance | Providing the service you signed up for |
| Domain verification | Contract performance | Proving you control the domain you registered |
| Telemetry data | Legitimate interests | Content attribution - the service's core function |
| Server logs | Legitimate interests | Security, debugging, abuse prevention |
| Website analytics | Legitimate interests | Understanding how the site and dashboard are used (cookieless, no persistent identifier) |
| Session cookie | Contract performance | Keeping you signed in |
Who we share data with
We use the following processors:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Neon | Database hosting | All stored data | UK (AWS eu-west-2, London) |
| Fly.io | API and telemetry-service hosting | Request data in transit | UK |
| Cloudflare | Website and dashboard hosting, content delivery, analytics proxy | Request data in transit | Global edge network |
| Resend | Transactional email | Email address, sign-in link | US |
| PostHog | Website and dashboard analytics (cookieless) | Page paths, referrers, coarse device/browser data - no persistent identifier | EU |
| Google | OAuth sign-in | OAuth tokens (if you choose Google sign-in) | US |
We do not sell data. We do not share data with advertisers. We do not use data for profiling.
Telemetry data associated with your verified domains is visible to you through the dashboard. Aggregated, non-identifying telemetry may be used in public reporting about standard adoption (for example, total events processed across the network).
International data transfers
Our primary database, API, and telemetry servers are in the UK (AWS eu-west-2 via Neon, Fly.io UK region). Account data, domain records, and telemetry data remain in the UK.
The website and dashboard are served by Cloudflare's global edge network, so request data in transit may be processed outside the UK. Cookieless analytics is processed by PostHog in the EU. The following processors are US-based or operate globally:
- Cloudflare (website and dashboard hosting, content delivery) - processes request data (including IP addresses) in transit. Covered by Cloudflare's data processing addendum and Standard Contractual Clauses.
- Resend (transactional email) - receives your email address and sign-in link only. Covered by Standard Contractual Clauses (UK International Data Transfer Agreement).
- Google (OAuth sign-in, if you choose it) - receives OAuth tokens during authentication. Covered by Google's Standard Contractual Clauses.
Telemetry data is not transferred outside the UK. No personal data is transferred to jurisdictions without adequate safeguards.
How long we keep it
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Session tokens | 30 days (auto-expire) |
| Magic link tokens | 15 minutes (single-use, then deleted) |
| Click attribution tokens | 90 days (auto-expire) |
| Telemetry events | Raw events retained for 24 months. Aggregated into daily metrics which are retained indefinitely. Raw events are deleted after aggregation at the end of the retention period. |
| Server logs | 30 days |
Your rights
Under UK and EU data protection law
You can:
- Access your data - ask us what we hold
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to processing based on legitimate interests
- Restrict processing while we resolve a complaint
Under US state privacy laws (including California CCPA/CPRA)
If you are a US resident, you have the right to:
- Know what personal information we collect and how we use it
- Delete your personal information
- Opt out of sale - we do not sell personal information
- Non-discrimination - we will not treat you differently for exercising your rights
Categories of personal information we collect: identifiers (email, name), internet activity (server logs), and commercial information (organisation name, domain). We collect this directly from you or from Google during OAuth sign-in. We do not sell personal information or share it for cross-context behavioural advertising.
How to exercise your rights
Email privacy@openattribution.org or submit a request via our privacy request form. We will respond within one calendar month (UK/EU) or 45 days (US).
Complaints
If you are unhappy with how we handle your data, you can complain to:
- UK: Information Commissioner's Office
- EU: Your local data protection supervisory authority (full list)
- US: Your state attorney general's office
Data protection officer
Our data protection officer can be contacted at dpo@openattribution.org.
Children
OpenAttribution is a B2B service for publishers and platforms. It is not directed at children. We do not knowingly collect data from anyone under 18.
Changes
We will update this policy as the service evolves. Material changes will be communicated via email to account holders. The "last updated" date at the top will always reflect the current version.
Contact
OpenAttribution
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom
General: privacy@openattribution.org
DPO: dpo@openattribution.org
Privacy requests: submit a request