Privacy & Data Inventory
For administrators integrating Lead Source Tracker with their privacy policy and cookie banner.
What the plugin stores
Lead Source Tracker captures lead-attribution data only. It does not capture personally identifiable information beyond what you already collect with your own form.
Per-visitor browser data (first-party cookies)
| Cookie name | Contents | Lifetime |
|---|---|---|
| leadtracker_source | e.g. Google Ads | 90 days* |
| leadtracker_medium | e.g. cpc | 90 days* |
| leadtracker_campaign | UTM campaign value | 90 days* |
| leadtracker_campaign_id | Ad-platform campaign ID | 90 days* |
| leadtracker_term | UTM term | 90 days* |
| leadtracker_content | UTM content | 90 days* |
| leadtracker_referrer | Original referrer URL | 90 days* |
| leadtracker_landing | First landing-page URL | 90 days* |
| leadtracker_click_id | e.g. gclid / fbclid value | 90 days* |
| leadtracker_click_type | e.g. cpc / paid-social | 90 days* |
| leadtracker_first_seen | Timestamp of first detection | 90 days* |
* Lifetime is configurable in the plugin params. On Safari/iOS, JavaScript-set cookies are capped at 7 days by Apple's ITP; we extend this via a server-side cookie refresh on the second pageview.
Server-side data (in your Joomla database)
#__leadtracker_sources— one row per RSForm!Pro submission with source, medium, campaign, click ID, referrer, landing page, first-seen timestamp.#__leadtracker_injected— registry of hidden RSForm! components created by the plugin (no visitor data).#__rsform_submission_values— the same attribution fields are stored alongside the regular form submission via RSForm!Pro's standard storage.
What the plugin does NOT do
- It does not fire pixels or send conversion events to ad networks (Google Ads, Meta, etc).
- It does not send any visitor data to third-party servers. All data stays in your Joomla database.
- It does not capture passwords, payment information, IP addresses, or device fingerprints.
- It does not use third-party trackers or external scripts.
GDPR / CCPA considerations
Under both regulations, the attribution cookies we set qualify as "necessary for marketing analytics" and typically require either prior consent (EU/UK) or a clear notice + opt-out (CA). Recommended integration:
- Add a paragraph to your Privacy Policy listing the cookies above (use this page as a starting point).
- If you use a cookie-consent banner, classify these as "Marketing" or "Analytics" cookies and only load the plugin's JavaScript after consent.
- Lead-attribution data on a submission counts as personal data once paired with the contact's name/email. Honor data-subject-access and erasure requests against the submission record — the audit table can be cleared with one SQL DELETE keyed to
SubmissionId.
Disabling tracking for opted-out visitors
Set the global window.LeadTrackerConfig = { disabled: true } before our script loads (e.g., from your cookie-consent script's "reject" branch) to skip detection and cookie writing for that visit. The plugin reads this flag on initialization.
Plugin updates and license server
If you provide a license key in the plugin params, the plugin periodically (once per 24 hours) sends an HTTP request to api.leadsourcetracker.com/check containing:
- Your license key
- The site URL the plugin is installed on
- The currently installed version
No visitor or submission data is ever transmitted. The endpoint is used solely to authorize update downloads.
Contact
For privacy questions or data-subject requests addressed to this plugin's vendor, email privacy@leadsourcetracker.com.
Last updated: 2026-05-21