Let's Talk

Privacy Policy

For visitors to n90.co the website. For how the NEXT90 Platform handles customer data, see Trust & Product Privacy.

Last updated: April 9, 2026

The short version

  • We run our own measurement tag, Google Analytics 4, and Google Ads conversion tags on this site
  • Our tag collects page visit data, engagement behavior (clicks, scroll depth, time on page), and generates a device identifier by hashing your browser's technical characteristics
  • Our server-side backend uses your IP address to derive geographic location and a household-level identifier, then discards the IP. We do not store your IP address with measurement data.
  • We use browser storage (localStorage and IndexedDB) — not cookies — for session and visitor identity, including a cross-domain iframe bridge for identity persistence
  • If you're in the EU, UK, or California, we ask for your consent before any non-essential measurement runs
  • Your data is not sold, rented, or traded to third parties
  • If you're in the EU or UK, you have full GDPR rights — access, correction, deletion, portability, objection
  • Email legal@n90.co for any privacy request

Who we are

NEXT90, LLC ("NEXT90," "we," "us") is a Missouri limited liability company and the data controller for the personal data described on this page.

Contact: legal@n90.co · 314-742-9090
167 Lamp & Lantern Village, Suite 253, Chesterfield, MO 63017

EU and UK visitors: NEXT90 does not currently have an in-EU representative under GDPR Article 27. If you are in the EU or UK and need to exercise your rights or file a complaint, email legal@n90.co directly. This page will be updated when a representative is appointed.

What we collect when you visit n90.co

Things you give us

  • If you fill out a contact form: your name, work email, company, and whatever message you send
  • If you sign up for updates: your email address

Things our measurement tag collects (client side)

The NEXT90 measurement tag runs on n90.co. It collects the following in your browser:

  • Pageview data — URL, page title, referrer, and marketing parameters from a fixed allowlist: UTM tags (source, medium, campaign, content, term), Google Click ID (gclid), Meta Click ID (fbclid), Microsoft Click ID (msclkid), TikTok Click ID (ttclid), LinkedIn (li_fat_id), DoubleClick (dclid), Twitter (twclid), The Trade Desk (ttdimp), Beeswax (auction_id), Tradedoubler (tduid), and generic ref/source/campaign parameters. We do not capture any other URL query parameters.
  • Click tracking — for every click on the page, we record: a CSS selector identifying the element, the x and y coordinates of the click, up to 50 characters of the element's visible text, and the link destination URL (if the clicked element is a link). We do not capture text from clicks on or inside sensitive form inputs (password, email, phone, SSN, or credit card fields).
  • Scroll depth — we record when you scroll past 25%, 50%, 75%, 90%, and 100% of the page.
  • Time on page — we track how long the browser tab is actively focused and record cumulative active time. We also record tab focus, blur, and visibility change events.
  • Device identifier — we generate a single hash (FNV-1a) from ten technical characteristics of your browser. The full list: (1) a canvas rendering fingerprint, (2) your graphics card vendor and model via WebGL, (3) screen width, height, color depth, and pixel ratio, (4) which fonts from a fixed list of 13 common fonts are installed, (5) your timezone, (6) your browser language settings, (7) your operating system platform and the first 100 characters of your browser's user agent string, (8) whether your device supports touch and how many touch points, (9) your CPU core count, and (10) your device memory size. These signals are combined into a single hash string — we do not store the individual components. The hash connects visits from the same browser.
  • Conversion events — if our code explicitly fires a named conversion event (for example, a form submission), we record the event name and optional metadata. Conversion events are rate-limited to prevent abuse.

Things our measurement backend collects (server side)

When your browser sends measurement events to our backend (a Cloudflare Worker), the backend adds the following before storing the data:

  • IP address — your IP address is used at the moment of your visit to derive geographic context and a household-level identifier, then discarded. We do not store your IP address with your measurement data. For security and fraud prevention, IP addresses are retained in separate server logs for 7 days and then automatically deleted.
  • Geographic location — derived from your IP at request time by Cloudflare: latitude and longitude, city, region and region code, country, postal code, metro code, timezone, continent, EU membership status, and your internet provider's ASN and organization name. This geographic data is stored with your measurement events. Your IP address is not.
  • Household identifier — we compute a household-level identifier by running your IP address, postal code, and metro code through a one-way hash function (SHA-256 with a secret salt). This groups visits that likely come from the same home. The hash cannot be reversed to recover your IP address, and the raw IP is discarded after this computation.
  • User agent string — the full User-Agent header from your browser.
  • Bot detection — we score each request for bot likelihood based on the user agent and device identifier. Bot traffic is flagged but still stored.
  • Source attribution — we categorize the traffic source (organic search, social, paid, referral, direct) based on the referrer and any marketing parameters present on the pageview.

Third-party identifiers we read

If other marketing tools are also running on the page, our tag checks for their identifiers so we can connect our measurement data to those platforms. Specifically:

  • Google Analytics client ID — read from the _ga cookie if present
  • HubSpot user token — read from the hubspotutk cookie if present
  • Facebook Pixel ID — read from the Facebook Pixel's in-page state if present

We do not set these identifiers or modify them. We read them on a best-effort basis to enable cross-platform analysis. If the relevant tool is not present on the page, nothing is read.

Things Google Analytics 4 collects

We also run GA4 for industry-standard site analytics. GA4 uses its own cookies — see Google's cookie policy for details. GA4 data is subject to Google's privacy policy.

Google Ads conversion tags

If you arrive at n90.co through a Google Ads campaign, a Google conversion tag may fire to measure the effectiveness of that ad. This uses Google's own cookies and is subject to Google's privacy policy.

Browser storage and cross-domain identity

Our measurement tag uses localStorage and IndexedDB — not cookies — to maintain your session and visitor identity:

  • Visitor ID — a random UUID stored in localStorage (key: n90_user_uuid), used to recognize return visits from the same browser
  • Session ID — a random UUID stored in localStorage, expires after 30 minutes of inactivity (sliding window — the timer resets with each interaction)
  • Campaign fingerprint — a string identifying which marketing campaign brought you here, stored in localStorage. A new session starts if you arrive from a different campaign.
  • Event queue — an IndexedDB database (n90_events) that temporarily holds measurement events before they are sent to our server, and buffers them if your connection drops. Events in the queue expire after 24 hours. If IndexedDB is unavailable, an in-memory queue is used instead (up to 500 events, lost when you close the tab).

Cross-domain iframe bridge

To maintain consistent visitor identity across domains where our tag runs, we embed a hidden, zero-pixel iframe that loads from our tracking domain (embed.n90.co). This iframe stores your visitor ID, session ID, and campaign fingerprint in localStorage on our domain and communicates with the parent page via postMessage. The iframe only reads and writes keys prefixed with n90_. If the iframe fails to load or times out (2 seconds), the tag falls back to using localStorage on the site you're visiting directly. You can prevent this by blocking third-party storage in your browser settings.

You can clear all locally stored data at any time through your browser's "Clear site data" settings.

Consent and when measurement runs

Our intended consent posture depends on where you are:

  • EU, UK, and California: We will ask for your explicit consent before any non-essential measurement runs. If you decline, no measurement tag will load, no device identifier will be generated, no data will be stored, and no events will be sent.
  • US states with privacy legislation: Measurement will run by default, but you will be able to manage your preferences through privacy controls accessible from every page.
  • Everywhere else: Measurement will run by default. Privacy controls will be available if you want to opt out.

If you want to prevent measurement, you can block JavaScript from our tracking domain or clear site data through your browser settings.

What the tag does not collect

  • Text from sensitive form inputs (password, email, phone, SSN, and credit card fields) is excluded from click tracking
  • Sensitive personal data (race, health, religion, sexual orientation, etc.) is not collected
  • Arbitrary URL query parameters are not captured — only known marketing identifiers from a fixed allowlist
  • Cookies from other platforms (GA4, HubSpot, Facebook) are read but not set or modified
  • Data is not sold, rented, or traded to third parties

Why we collect it

Under GDPR, every collection needs a lawful basis. Ours are:

  • Consent — for measurement tags (our own + GA4 + Google Ads), device fingerprinting, cross-domain identity, third-party identifier reading, and any marketing communications. In jurisdictions that require it, we will obtain consent before these tools run.
  • Legitimate interest — responding to inquiries you send us and basic site security
  • Contractual necessity — only if you become a customer of the Platform, in which case the Platform's separate terms govern

Who we share it with

The following vendors ("sub-processors") process data as part of running the site:

Vendor What they do Where
Cloudflare Hosting (Cloudflare Pages), CDN, DDoS protection, edge compute (our measurement tag backend runs on Cloudflare Workers, event data is transported via Cloudflare R2 object storage and Queues) Global edge, US-based company
Google (GA4) Site usage analytics US/EU
Google (Ads) Ad conversion measurement US/EU

Measurement data from the NEXT90 tag is stored on infrastructure operated by NEXT90 (Cloudflare R2 for transport, ClickHouse for analysis). Form submissions and CRM data are stored on NEXT90's self-hosted infrastructure. Data is not shared with other parties unless legally required (subpoena, court order) or to protect against fraud or security incidents.

International data transfers

NEXT90 is based in the United States. If you're in the EU or UK, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) with our sub-processors for these transfers, as recognized under GDPR.

How long we keep it

  • Form submissions: kept as long as needed to respond to you and follow up. Deleted on request.
  • Our measurement data (including IP addresses and household identifiers): retained for up to 5 years for longitudinal analysis of advertising effectiveness. Aggregated and anonymized data may be retained longer.
  • GA4 data: retained per Google Analytics 4 default retention (currently 14 months unless changed)
  • Server logs: 30 days
  • Browser localStorage: persists until you clear site data. Session data expires after 30 minutes of inactivity. The offline event queue in IndexedDB expires after 24 hours.

Your rights

If you're in the EU, UK, or a similar jurisdiction

  • Access — ask for a copy of what we have
  • Correction — fix anything that's wrong
  • Deletion ("right to be forgotten") — ask us to delete your data
  • Portability — get a copy in a machine-readable format
  • Restriction — ask us to limit how we process your data
  • Objection — tell us to stop processing for legitimate-interest purposes
  • Withdraw consent — for anything we process based on consent

If you're in California

  • Right to know what personal information we've collected and the categories of sources
  • Right to delete your personal information
  • Right to opt out of the "sale" or "sharing" of personal information (we don't sell or share for cross-context behavioral advertising — but you have the right regardless)
  • Right to correct inaccurate personal information
  • Right to non-discrimination for exercising these rights

To exercise any right: email legal@n90.co. We'll respond within 30 days (45 days for complex CCPA requests, with notice). We may ask you to verify your identity to protect against fraudulent requests.

Children

n90.co is not directed at children under 16. NEXT90 does not knowingly collect data from anyone under 16. If you believe data has been collected from a child under 16, email legal@n90.co and it will be deleted.

Security

Data is protected with HTTPS for all transmission, encrypted storage, access controls, and origin validation on the collection endpoint.

Changes to this policy

This policy may be updated. The "Last updated" date at the top reflects the most recent change. Material changes will be flagged.

Filing a complaint

If you are in the EU or UK, you have the right to file a complaint with your local supervisory authority. You may also contact legal@n90.co.

Contact

Privacy questions: legal@n90.co
Phone: 314-742-9090
Mail: NEXT90, LLC — 167 Lamp & Lantern Village, Suite 253, Chesterfield, MO 63017

Related: Trust & Product Privacy (for the NEXT90 Platform) · Terms of Use