Tracking & Analytics Disclosure

Last updated: April 2026 · Version 2.0 · [DRAFT — NOT PUBLISHED]

This page explains how our server-side tracking works: what data is collected when you visit a website that uses Zephra's sdk.js, how it is processed, and how it is forwarded to advertising platforms. It also provides resources for website owners who use Zephra tracking.

// For website visitors

If you visited a website and are wondering what Zephra tracking collected about you, scroll to Section 1.

// For Zephra customers

If you use Zephra's sdk.js on your website, Section 3 has your privacy notice template and disclosure requirements.


When you visit a website that has installed Zephra's sdk.js tracking script, the following information may be collected and sent to Zephra's servers:

DataHow it's handledStored?
IP address Used for geolocation (country/city); last octet zeroed (IPv4) or last 80 bits zeroed (IPv6) before any storage or forwarding Pseudonymised only
Page URL and referrer Identifies which page you visited and where you came from Yes, 90 days
Browser and device type User agent string for device categorisation Yes, 90 days
client_id cookie A randomly generated pseudonymous ID set in a first-party cookie on the website's own domain (NOT on zephraai.com). Links your events in one session. Contains no personal information. In your browser (1st party), on our servers (90 days)
Visitor identifier (vid) A randomly generated pseudonymous identifier stored first-party in your browser (local storage) to recognise the same browser across pages and sessions for attribution. Set only after you grant consent. Where the website owner enables the optional cross-domain linker, this identifier may be passed between websites that the same owner controls and has confirmed — via a short-lived URL parameter, never a shared cookie, and never to unrelated third-party domains. Contains no personal information. In your browser (1st party, up to 90 days), on our servers (90 days)
Conversion events Actions you took on the website (e.g. viewed product, submitted form, completed purchase) — as configured by the website owner Yes, 90 days
Click IDs (fbclid, gclid) If you arrived via a Facebook or Google ad, the click ID in the URL is captured for attribution matching with those platforms Yes, 90 days
Lead/form data Only if the website owner has configured a lead capture event — your submitted form data (e.g. name, email) may be forwarded as a hashed conversion signal to Meta or Google. The website owner's privacy policy governs this. Forwarded and then deleted within 90 days

No third-party cookies. sdk.js does not set any third-party tracking cookies and does not build advertising profiles about visitors across unrelated websites. Identifiers are stored first-party (in your browser, on the website's own domain). Where the website owner enables the optional cross-domain linker, a first-party visitor identifier may be passed between websites that the same owner controls and has confirmed — using a short-lived URL parameter rather than a shared cookie — so one visit can be measured across that owner's own properties. It is never shared with unrelated third-party domains.

After receiving conversion event data, Zephra forwards it to the advertising platforms specified by the website owner. This is called "server-side conversion forwarding" or "server-side CAPI."

2.1 Meta Conversions API (CAPI)

If the website owner's campaigns run on Facebook or Instagram, Zephra may forward:

This data is sent directly from Zephra's servers to Meta's Conversions API — it does not involve Facebook's pixel browser cookie. Meta uses this data solely for attribution purposes for the website owner's campaigns and according to Meta's own privacy policy.

2.2 Google Ads Enhanced Conversions

If the website owner's campaigns run on Google Ads, Zephra may forward the following fields to the Google Ads Conversions API:

SHA-256 is a one-way hash. Google cannot reverse it to obtain the original email address. It is used only to match a conversion to an existing Google Ads user for attribution purposes. See Google's Enhanced Conversions documentation.

Google uses this data solely for attribution and reporting for the website owner's campaigns, according to Google's Privacy Policy.

2.3 LinkedIn (Coming Soon)

LinkedIn Insight Tag server-side integration is planned. We will update this disclosure when it is available.

Zephra does not receive any advertising revenue from Meta, Google, or LinkedIn. Forwarding is solely for attribution measurement on behalf of the website owner.

If you are a Zephra platform customer using sdk.js on your website, you are the data controller for your visitors' data. You must disclose this tracking in your website's privacy policy.

3.1 Minimum Required Disclosures

Your privacy policy should disclose:

3.2 Copy-Paste Privacy Policy Text

Use or adapt the following in your website's privacy policy:

// COPY-PASTE TEMPLATE — adapt bold items [in brackets] for your site

Server-Side Tracking and Conversion Attribution

We use Zephra, an AI marketing analytics platform operated by Growthsynth LLP (India), to measure the performance of our advertising. Zephra's tracking technology (sdk.js) runs on our website and collects the following information when you visit:

  • Pages and actions you take on our site (e.g. form submissions, purchases)
  • Your approximate location (country/city), derived from your IP address. Your IP address is pseudonymised — the last segment is zeroed — before any storage or forwarding
  • Your browser type and device type
  • A pseudonymous identifier stored in a first-party cookie on our domain, used to connect your events within a single session
  • If you clicked on one of our ads, the click reference (fbclid or gclid) from the URL
  • [If applicable: If you submit a contact or lead form, your name and email may be forwarded as a hashed conversion signal to Meta and/or Google for attribution purposes]

This information is sent from Zephra's servers directly to [Meta's Conversions API / Google Ads Enhanced Conversions / both] to attribute conversions to our ad campaigns. No third-party cookies are used. Growthsynth LLP processes this data as our data processor under a Data Processing Agreement. For details, see Zephra's Privacy Policy.

Our legal basis for this processing is [our legitimate interest in measuring advertising effectiveness / your consent, given via our cookie banner].

3.3 Cookie Banner Disclosure

If you operate under GDPR or PECR (UK) and your legal basis for sdk.js tracking is consent, your cookie banner should mention server-side tracking and include Zephra as a named tool in your cookies list. Example cookie category entry:

3.4 Responding to Visitor Data Requests

If one of your website visitors exercises their right to access or erasure regarding data collected by sdk.js, email hello@zephraai.com with subject "DSR Request — [your account email] — [visitor reference]" and we will provide or delete the relevant data within 72 hours to assist your response.

If you are a visitor to a website using Zephra tracking and wish to limit data collection:

For tracking on zephraai.com itself: Use the "Cookie Preferences" link in the footer of our website to manage your consent for GA4 and Clarity analytics on our own website.

For technically inclined readers, here is how sdk.js works architecturally:

  1. Script loads: sdk.js is loaded from the website owner's server or CDN. It initialises a first-party client_id if one does not exist.
  2. Events are queued: Page view and conversion events are collected in the browser and sent via HTTPS POST to Zephra's server endpoint.
  3. Server-side processing: Zephra's server receives the event, extracts geolocation from the IP, zeroes the IP's last octet, and logs the pseudonymised event.
  4. Forwarding to ad platforms: The event is forwarded to Meta CAPI and/or Google Ads Enhanced Conversions as configured by the website owner, using the platform APIs (server-to-server, not browser-to-server).
  5. Storage: Pseudonymised event data is stored in Neon PostgreSQL (AES-256 encrypted at rest, SSL in transit) for 90 days, then deleted.
  6. No cross-site identity: Zephra does not merge client_ids across different customer websites. Each website's tracking data is isolated.

Why server-side? Browser-based ad tracking (pixel cookies) is increasingly blocked by browsers and ad blockers, causing significant attribution gaps for advertisers. Server-side tracking gives advertisers better attribution accuracy while giving visitors more privacy: no third-party cookies, no cross-site tracking identifiers, and IP pseudonymisation before any forwarding.

If you have questions about Zephra's tracking, data handling, or this disclosure, contact us:

For Zephra platform customers, additional documentation is available in your account dashboard under Settings → Compliance.

Entity: Growthsynth LLP · © 2026 · Effective: April 2026 · Version 2.0