Prooflytics
Integrations · Prooflytics Pixel

Stop losing source data at the front door.

A single-script tag that captures every visitor touchpoint — UTM, referrer, click-IDs from 14 ad platforms — and feeds it into your Prooflytics workspace. Hosted on our infrastructure. No build step, no maintenance, no third-party dependency.

What it captures

UTM + referrer + organic source

utm_source, utm_medium, utm_campaign, utm_content, utm_term — preserved across SPA navigation. Referrer classified as organic-search / social / referral / direct using the same rules as GA4.

Click IDs from 14 ad platforms

gclid, gbraid, wbraid, dclid (Google), fbclid (Meta), ttclid (TikTok), msclkid (Bing), li_fat_id (LinkedIn), twclid (X), rdt_cid (Reddit), sccid (Snapchat), epik (Pinterest), yclid (Yandex), _kx (Klaviyo).

Touchpoint chain across visits

Up to 50 deduplicated touchpoints per visitor stored in first-party cookies — the raw data your attribution model reads on the backend.

SPA-aware

Hooks into history.pushState / replaceState / popstate. Single-page apps (React, Vue, Next.js, etc.) fire pageview events on internal route changes without manual wiring.

Consent Mode v2 ready

Auto-detects Cookiebot, OneTrust, Axeptio, Didomi, and Termly. When consent is denied: no first-party cookies written; events still POST with minimal payload so consentless analytics still works.

PII never leaves the browser

When you call identify({ email, phone }), values are SHA-256 hashed in the browser before any payload is sent. Raw email and phone are never transmitted off the user's device.

Install in 30 seconds

  1. 1.

    Generate a tag in your Prooflytics admin

    Sign in, go to Admin → Source Tags, click Generate new tag, name it after the property you are installing on ("Marketing site", "Pricing page", etc.). You will get a unique public key.

  2. 2.

    Add one script tag to your site

    <!-- Bootstrap shim — placed BEFORE the async load -->
    <script>
      window.prooflyticsPixel = window.prooflyticsPixel || function(){
        (window.prooflyticsPixel.q = window.prooflyticsPixel.q || []).push(arguments)
      }
    </script>
    
    <!-- Tag itself — replace YOUR_PUBLIC_KEY with the value from admin -->
    <script async src="https://tag.prooflytics.io/v1/YOUR_PUBLIC_KEY.js"></script>

    Place both snippets in your <head> as early as possible — that gives the pixel the fastest opportunity to see UTM parameters before any single-page-app router rewrites the URL.

  3. 3.

    Verify and start tracking custom events

    Open your site, then check Admin → Source Tags. The tag's Last event column should update within seconds. Send custom events from your code:

    // Lead form submission
    prooflyticsPixel('track', 'lead_submit', { value: 199, currency: 'USD' })
    
    // User identification — email + phone are SHA-256 hashed before send
    prooflyticsPixel('identify', { email: 'user@example.com', userId: 'u_42' })
    
    // Manual pageview (rare — pageviews fire automatically on init + SPA route change)
    prooflyticsPixel('page', { custom_property: 'value' })
  4. 4.

    Cross-subdomain stitching (optional override)

    By default the pixel auto-detects your root domain and writes cookies to it, so funnels like marketing.foo.com → app.foo.com are tracked as one visitor automatically. For unusual TLDs or when marketing and app live on different root domains, pin the cookie scope explicitly BEFORE the async tag loads:

    <script>
      window.prooflyticsConfig = { cookieDomain: '.foo.com' }
    </script>
    <script async src="https://tag.prooflytics.io/v1/YOUR_PUBLIC_KEY.js"></script>

    Leading dot makes the cookie readable on every subdomain. Set this once in your shared layout and the visitor ID assigned on any subdomain becomes immediately available on every other — no double counting across the funnel.

Privacy and data handling

First-party cookies only. All persistence (visitor ID, session, touchpoint chain, click IDs) lives in cookies on your domain. We do not set third-party cookies and we do not load any external library at runtime.

Consent-aware. When the visitor's CMP signals "denied", we do not write cookies. Events still POST so consentless analytics works for compliant aggregate reporting, but the payload contains no first-party identifiers.

PII handling. Email and phone you pass to identify() are SHA-256 hashed in the browser using window.crypto.subtle. The hashes (not the raw values) are forwarded to our ingest endpoint. We never receive raw PII from this tag.

Data retention. Cookies expire after 90 days of inactivity. Server-side, raw events land in our ingest pipeline and are governed by your workspace's standard data retention policy.

See /security for SOC 2 status, data residency, and audit details.

Want clean data flowing on day 1?

Request beta access. We'll review your fit and, on approval, install the Source Tag on a non-production page of your site together, show you live events arriving in your workspace, and walk through how to wire it into your CRM hidden fields.

Request beta access