Privacy policy
Last updated: 15 March 2026
OpenAttribution is a community interest company limited by guarantee, registered in England and Wales (company number 17002582). We operate openattribution.org and api.openattribution.org.
This policy explains what data we collect, why, and what we do with it. We have tried to keep it short and honest. If something is unclear, email privacy@openattribution.org.
What we collect
Account data
When you create an account we collect:
- Email address (required - used for passwordless sign-in)
- Name (optional - from Google if you use OAuth)
- Organisation name and domain (during onboarding)
If you sign in with Google, we receive your Google profile (name, email, profile picture URL, email verification status). We store the email and name. We do not store your profile picture or access any other Google data.
Domain verification data
When you register a domain, we generate a verification token and store the domain name, token, verification method (DNS TXT, HTML meta tag, or .well-known file), and verification timestamp.
Telemetry data
The core purpose of OpenAttribution is to receive and store content attribution telemetry. When AI agents or publishers send telemetry to our API, we store:
- Session metadata - session ID, timestamps, content scope, agent ID
- Content events - URLs retrieved, cited, displayed, or engaged with
- Conversation signals - privacy level, intent category, topic tags, token counts
- Commerce events - product views, cart actions, checkout outcomes
- Outcome data - conversion type and value
- Source role - which system reported the event (agent, publisher origin, CDN, index)
- Correlation IDs - for deduplicating events reported by multiple observers
Telemetry is designed to track content influence, not people. The specification explicitly discourages personally identifiable information. The user_context field accepts only opaque identifiers and segment labels - never names, emails, or device fingerprints.
However, we cannot fully control what third parties include in free-form fields. If you believe telemetry data contains your personal information, contact us and we will investigate and remove it.
Server logs
Our servers log IP addresses, user agent strings, request paths, and timestamps for operational and security purposes. Logs are retained for 30 days.
Cookies
We set one cookie: session. It is httpOnly, Secure, SameSite=Lax, and expires after 30 days. It contains a hashed session token. That is it. No analytics cookies, no tracking pixels, no third-party cookies.
During Google OAuth sign-in, a temporary google_oauth_state cookie is set for CSRF protection. It expires after 10 minutes and is deleted after use.
Why we collect it
| Data | Legal basis (UK GDPR) | Purpose |
|---|---|---|
| Account data | Contract performance | Providing the service you signed up for |
| Domain verification | Contract performance | Proving you control the domain you registered |
| Telemetry data | Legitimate interests | Content attribution - the service's core function |
| Server logs | Legitimate interests | Security, debugging, abuse prevention |
| Session cookie | Contract performance | Keeping you signed in |
Who we share data with
We use the following processors:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Neon | Database hosting | All stored data | EU (eu-west-2) |
| Fly.io | Application hosting | Request data in transit | EU |
| Resend | Transactional email | Email address, sign-in link | US |
| Google | OAuth sign-in | OAuth tokens (if you choose Google sign-in) | US |
We do not sell data. We do not share data with advertisers. We do not use data for profiling.
Telemetry data associated with your verified domains is visible to you through the dashboard. Aggregated, non-identifying telemetry may be used in public reporting about standard adoption (for example, total events processed across the network).
Where data is stored
Our database is hosted in the EU (AWS eu-west-2, London region) via Neon. Application servers run on Fly.io in EU regions. Transactional emails are sent via Resend (US-based processor with Standard Contractual Clauses).
How long we keep it
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Session tokens | 30 days (auto-expire) |
| Magic link tokens | 15 minutes (single-use, then deleted) |
| Click attribution tokens | 90 days (auto-expire) |
| Telemetry events | Retained for attribution. Aggregated into daily metrics. We will publish specific retention limits as the service matures. |
| Server logs | 30 days |
Your rights
Under UK GDPR you can:
- Access your data - ask us what we hold
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to processing based on legitimate interests
- Restrict processing while we resolve a complaint
Email privacy@openattribution.org to exercise any of these rights. We will respond within 30 days.
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ico.org.uk).
Children
OpenAttribution is a B2B service for publishers and platforms. It is not directed at children. We do not knowingly collect data from anyone under 18.
Changes
We will update this policy as the service evolves. Material changes will be communicated via email to account holders. The "last updated" date at the top will always reflect the current version.
Contact
OpenAttribution
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
England and Wales
privacy@openattribution.org