Trust & Product Privacy
This page covers what happens when the NEXT90 Platform is deployed on your website — what our tag collects on your visitors, who sees the data, and what your obligations are. For what happens when you visit n90.co itself, see Privacy Policy.
Summary
The NEXT90 Platform measures advertising effectiveness at the household level. It generates a persistent visitor identifier and device fingerprint in the browser, uses a cross-domain iframe bridge to maintain visitor identity across sites where the tag is deployed, and derives a household-level identifier from the visitor's IP address. The specific data collected is detailed below.
Our role: Processor, not Controller
When you deploy the NEXT90 measurement tag on your website, you are the Data Controller under GDPR (and the equivalent under other privacy frameworks). NEXT90 acts as your Data Processor. We collect and process visitor data on your behalf, according to your instructions, and for your purposes.
This means:
- You decide whether and how the tag runs on your site
- You are responsible for disclosing the tag in your privacy policy and obtaining any required consent from your visitors
- We process the data to provide you with measurement and analytics
- We do not share your source data with other customers or sell it to third parties
- We retain the right to use anonymized, aggregated data — with no individual customer or visitor identifiable — to improve our models and the Platform (see "Your data, our intelligence" below)
What the tag collects on your site
The following is a complete list of what the NEXT90 tag collects when deployed on your website.
Client-side collection (in the visitor's browser)
- Pageview data — URL, page title, referrer, and marketing parameters from a fixed allowlist: UTM tags (source, medium, campaign, content, term), Google Click ID (gclid), Meta Click ID (fbclid), Microsoft Click ID (msclkid), TikTok Click ID (ttclid), LinkedIn (li_fat_id), DoubleClick (dclid), Twitter (twclid), The Trade Desk (ttdimp), Beeswax (auction_id), Tradedoubler (tduid), and generic ref/source/campaign parameters. No other URL query parameters are captured.
- Click tracking — for every click on the page, we record: a CSS selector identifying the element, the x and y coordinates of the click, up to 50 characters of the element's visible text, and the link destination URL (if the clicked element is a link). We do not capture text from clicks on or inside sensitive form inputs (password, email, phone, SSN, or credit card fields).
- Scroll depth — we record when the visitor scrolls past 25%, 50%, 75%, 90%, and 100% of the page.
- Time on page — we track how long the browser tab is actively focused and record cumulative active time. We also record tab focus, blur, and visibility change events.
- Device identifier — we generate a single hash (FNV-1a) from ten technical characteristics of the visitor's browser: (1) a canvas rendering fingerprint, (2) graphics card vendor and model via WebGL, (3) screen dimensions, color depth, and pixel ratio, (4) which fonts from a fixed list of 13 common fonts are installed, (5) timezone, (6) browser language settings, (7) operating system platform and the first 100 characters of the user agent string, (8) touch capability and touch point count, (9) CPU core count, and (10) device memory size. These signals are combined into a single hash string — we do not store the individual components. The hash connects visits from the same browser.
- Conversion events — if your site explicitly fires a named conversion event through our API (for example, a form submission or phone call), we record the event name, an optional numeric value, and optional metadata. Conversion events are rate-limited to prevent abuse (10 burst, 1 per second refill).
Third-party identifiers the tag reads
If other marketing tools are also running on the page, our tag checks for their identifiers so we can connect measurement data to those platforms for cross-platform analysis:
- Google Analytics client ID — read from the _ga cookie if present
- HubSpot user token — read from the hubspotutk cookie if present
- Facebook Pixel ID — read from the Facebook Pixel's in-page state if present
We do not set or modify these identifiers. We read them on a best-effort basis. If the relevant tool is not present on the page, nothing is read.
Server-side enrichment (in our backend)
When the visitor's browser sends measurement events to our backend (a Cloudflare Worker), the backend adds the following before storing the data:
- IP address handling — the visitor's IP address is used at the moment of the request to derive geographic context and a household-level identifier, then discarded. We do not store IP addresses with measurement data. For security and fraud prevention, IP addresses are retained in separate server logs for 7 days and then automatically deleted.
- Geographic location — derived from the IP at request time by Cloudflare: latitude and longitude, city, region, country, postal code, metro code, timezone, continent, EU membership status, and the visitor's internet provider (ASN and organization name). This geographic data is stored with the measurement events. The IP address is not.
- Household identifier — we compute a household-level identifier by running the IP address, postal code, and metro code through a one-way hash function (SHA-256 with a secret salt). This groups visits that likely come from the same home. The hash cannot be reversed to recover the IP address, and the raw IP is discarded after this computation.
- User agent string — the full User-Agent header from the visitor's browser.
- Bot detection — each request is scored for bot likelihood based on the user agent and device identifier. Bot traffic is flagged but still stored.
- Source attribution — we categorize the traffic source (organic search, social, paid, referral, direct) based on the referrer and any marketing parameters present on the pageview.
What the tag does NOT collect
- Text from sensitive form inputs — password, email, phone, SSN, and credit card fields are excluded from click tracking
- Arbitrary URL query parameters — only known marketing identifiers from a fixed allowlist of specific parameter names
- Form field contents — we do not read or store what visitors type into forms
- Cookies set by other tools — we read existing identifiers from GA, HubSpot, and Facebook but do not set or modify them
- Sensitive personal data — race, health, religion, sexual orientation, financial information, or government identifiers
- Cross-site browsing history — the cross-domain iframe bridge (described below) persists visitor and session identifiers across sites where the tag is deployed, but does not record what pages visitors view on other websites
Browser storage
Our tag uses localStorage and IndexedDB — not cookies — to maintain session and visitor identity:
- Visitor ID — a random UUID stored in localStorage (key: n90_user_uuid), used to recognize return visits from the same browser
- Session ID — a random UUID stored in localStorage, expires after 30 minutes of inactivity (sliding window — the timer resets with each interaction)
- Campaign fingerprint — a string identifying which marketing campaign brought the visitor here, stored in localStorage. A new session starts if the visitor arrives from a different campaign.
- Event queue — an IndexedDB database (n90_events) that temporarily holds measurement events before they are sent to our server, and buffers them if the visitor's connection drops. Events in the queue expire after 24 hours. If IndexedDB is unavailable, an in-memory queue is used instead (up to 500 events, lost when the tab closes).
Cross-domain iframe bridge
To maintain consistent visitor identity across domains where our tag runs, we embed a hidden, zero-pixel iframe that loads from our tracking domain (embed.n90.co). This iframe stores the visitor ID, session ID, and campaign fingerprint in localStorage on our domain and communicates with the parent page via postMessage.
The iframe only reads and writes keys prefixed with n90_. It does not access any other data in the visitor's browser. If the iframe fails to load or times out (2 seconds), the tag falls back to using localStorage on your site directly.
Why it exists: The iframe bridge allows a single visitor who interacts with your brand across multiple domains (for example, your main site and a landing page on a different domain) to be recognized as the same visitor for measurement purposes.
Disabling it: Visitors can prevent the iframe bridge from operating by blocking third-party storage in their browser settings. If blocked, the tag operates normally using first-party localStorage only — cross-domain identity continuity is lost, but all other measurement continues.
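The parent-page side of the bridge described above, as an added example that is not NEXT90's code: it accepts replies only from embed.n90.co and from the iframe it created, refuses keys outside the n90_ prefix, and falls back to first-party storage after 2 seconds. The message shape (`type`, `id`, `key`, `value`) and the function names are assumptions.

```javascript
const BRIDGE_ORIGIN = 'https://embed.n90.co'; // tracking domain named on this page
const KEY_PREFIX = 'n90_';                    // only prefix the bridge may touch
const BRIDGE_TIMEOUT_MS = 2000;               // fallback threshold named on this page

// True only for a reply from the bridge origin, sent by the iframe we created,
// that answers the exact request we issued. Message fields are assumed names.
function isTrustedBridgeReply(event, frame, id, key) {
  if (event.origin !== BRIDGE_ORIGIN || event.source !== frame) return false;
  const msg = event.data;
  return Boolean(msg) && msg.type === 'n90_value' && msg.id === id &&
    msg.key === key && (typeof msg.value === 'string' || msg.value === null);
}

// win: the parent window; frame: the iframe's contentWindow;
// localStore: first-party localStorage used when the bridge does not answer.
function readViaBridge(win, frame, key, localStore, timeoutMs = BRIDGE_TIMEOUT_MS) {
  if (typeof key !== 'string' || !key.startsWith(KEY_PREFIX)) {
    return Promise.reject(new Error('refusing key outside the n90_ prefix'));
  }
  const id = Math.random().toString(36).slice(2); // correlates reply with request
  return new Promise((resolve) => {
    let timer = null;
    const finish = (value, via) => {
      clearTimeout(timer);
      win.removeEventListener('message', onMessage);
      resolve({ value, via });
    };
    function onMessage(event) {
      // Messages from any other origin or window are ignored, not parsed.
      if (isTrustedBridgeReply(event, frame, id, key)) finish(event.data.value, 'bridge');
    }
    win.addEventListener('message', onMessage);
    // Iframe blocked, slow or missing: use first-party storage instead.
    timer = setTimeout(() => finish(localStore.getItem(key), 'first-party'), timeoutMs);
    // Pin targetOrigin so the request is never delivered to another origin.
    frame.postMessage({ type: 'n90_get', id, key }, BRIDGE_ORIGIN);
  });
}
```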
Your data, our intelligence
You maintain all intellectual property rights in your source data — the customer records, campaign information, and business outcomes you provide to the Platform. You have full access to your measurement results for the duration of your active subscription.
NEXT90 retains all intellectual property rights in the Platform, its algorithms, aggregate analysis, and derived insights. NEXT90 uses anonymized and aggregated data across its customer base — with no individual customer or visitor identifiable — to improve models, develop audience segments, and enhance the Platform. This includes onboarding anonymized identifiers to data platforms for audience development and lookalike modeling.
Your source data is never shared with other customers or sold to third parties (except the sub-processors listed below, which process data solely to deliver our service to you). The aggregate intelligence derived from all customers' data collectively belongs to NEXT90.
Access and termination
You have full access to your measurement results for the duration of your active subscription. Upon termination, we will provide a data export in a standard format upon request and delete your source data within 90 days unless a longer retention period is required by law or agreed in your service agreement.
How we handle your data
- Encryption in transit — all data sent from the tag to our backend travels over HTTPS (TLS 1.2+). The collection endpoint validates the origin of incoming requests against your configured allowed domains.
- Encryption at rest — measurement data stored in our analytical database and object storage is encrypted at rest.
- Access controls — access to your measurement data is restricted to authenticated users within your organization and NEXT90 personnel who need access to provide support. We do not provide other customers access to your data.
- Data retention — measurement data is retained for up to 5 years by default to support longitudinal analysis of advertising effectiveness. This retention period is configurable per customer. Aggregated and anonymized data may be retained longer. Server logs containing IP addresses are retained for 7 days only.
- Data deletion — you can request deletion of your measurement data at any time by contacting legal@n90.co.
Sub-processors
These are the only third-party vendors that touch your visitor data as part of the NEXT90 Platform:
| Vendor | What they do | Where |
|---|---|---|
| Cloudflare | Edge compute (Workers), object storage (R2) — runs the tag backend, processes measurement events, validates origins, enriches events with geographic data, transports events to our analytical database | Global edge, US-based company |
| Google Cloud Platform | Infrastructure services | US/EU |
| Amazon Web Services | Infrastructure services | US/EU |
| ClickHouse | Analytical database — stores measurement data for querying and analysis (self-hosted by NEXT90 on the infrastructure above) | Self-hosted by NEXT90 |
We will notify you before adding any new sub-processor and give you the opportunity to object.
What you need to disclose in your privacy policy
When you deploy the NEXT90 tag on your website, you are the Data Controller. Your privacy policy should inform your visitors about the data collection described on this page. At minimum, we recommend disclosing:
- That you use a third-party measurement service (NEXT90) to analyze advertising effectiveness and website engagement
- That this service collects pageview data, click behavior, scroll depth, time on page, and a device identifier generated from browser characteristics
- That the service uses the visitor's IP address at the time of the visit to derive geographic location and a household-level identifier, and that the IP address is discarded after this derivation — it is not stored with measurement data
- That the service uses browser localStorage and IndexedDB (not cookies) for session and visitor identity, including a cross-domain iframe for identity persistence across your domains
- That measurement data is processed by NEXT90, LLC (Missouri, USA) and its sub-processors (Cloudflare for edge compute and transport, ClickHouse self-hosted by NEXT90 for analytics)
- That data may be transferred to and processed in the United States
- How visitors can exercise their rights (access, deletion, objection) — you can direct them to your own privacy contact, and we will fulfill those requests on your behalf
Sample language: "We use NEXT90, a third-party measurement service, to understand how our advertising drives website engagement. NEXT90 collects page visit data, interaction behavior (clicks, scroll depth, time on page), and a device identifier generated from your browser's technical characteristics. Your IP address is used to derive geographic location and a household-level identifier, then discarded. NEXT90 uses browser storage (not cookies) for session management. Data is processed by NEXT90, LLC in the United States. For details, see n90.co/trust."
Data Processing Agreement (DPA)
A Data Processing Agreement is available on request. Contact legal@n90.co to request a DPA for your organization.
Security overview
- HTTPS everywhere — all data transmission between the tag, our edge backend, and our storage infrastructure uses TLS encryption
- Origin validation — our collection endpoint validates the origin of every incoming request against your configured allowed domains. Requests from unauthorized origins are silently rejected and quarantined for analysis.
- Encrypted storage — data at rest is encrypted in both our object storage layer (Cloudflare R2) and our analytical database (ClickHouse)
- Access controls — role-based access to measurement data. Your data is logically isolated from other customers.
- IP address handling — IP addresses are used ephemerally for geographic derivation and household hashing, then discarded. Server logs containing IP addresses are retained for 7 days for security purposes and then deleted.
- Incident response — in the event of a data breach affecting your visitor data, we will notify you promptly and work with you on remediation
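One way to implement the origin validation described above, as an added example that is not NEXT90's code. The matching policy (HTTPS only, default port, exact host or subdomain of an allowed domain) and all function names are assumptions; a substring comparison is included to show why the strict form matters.

```javascript
// Weak form, for contrast: a substring test accepts look-alike hosts.
function naiveIsAllowed(originHeader, allowedDomains) {
  return allowedDomains.some((d) => String(originHeader).includes(d));
}

function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
}

// Strict form: parse the header, then compare hosts on label boundaries.
function isAllowedOrigin(originHeader, allowedDomains) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // not a URL at all
  }
  if (url.protocol !== 'https:' || url.port !== '') return false;
  // A real Origin header is exactly scheme://host; anything carrying a path,
  // query or userinfo fails this round trip.
  if (url.origin !== originHeader) return false;
  const host = normalizeHost(url.hostname);
  return allowedDomains.some((d) => {
    const allowed = normalizeHost(d);
    return host === allowed || host.endsWith('.' + allowed);
  });
}

// Decision for one incoming event. Origin is set by browsers; it limits which
// sites can post from a visitor's browser and is not client authentication.
function classifyRequest(headers, allowedDomains) {
  const origin = headers.origin; // header names assumed lower-cased
  return isAllowedOrigin(origin, allowedDomains) ? 'accept' : 'quarantine';
}
```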
Consent integration
The NEXT90 tag does not include a built-in consent gate. When the tag script loads, it begins collecting data immediately.
If your visitors require consent before measurement (for example, under GDPR or ePrivacy rules), you must gate the loading of the tag script yourself. The most common approach is to use your existing consent management platform (CMP) to conditionally load the NEXT90 script only after the visitor grants consent. If you use Google Tag Manager, you can control when the tag fires through GTM's consent mode or trigger configuration.
If the tag script is not loaded, no data is collected, no device identifier is generated, no browser storage is written, and no events are sent. The tag has no "partial" mode — it either runs fully or does not run at all.
Recommendation for EU/UK deployments: Configure your consent management platform to load the NEXT90 tag only after the visitor consents to analytics or measurement. If the visitor declines, do not load the script. This ensures full compliance with GDPR and ePrivacy requirements.
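A consent gate of the kind recommended above, as an added example that is not NEXT90's code or any CMP's API. The script URL is a placeholder, the n90_ prefix for first-party localStorage keys is an assumption based on the key names on this page, and the function names are hypothetical; wire `onConsent` to your CMP's callback.

```javascript
const TAG_SRC = 'https://tag.example.invalid/next90.js'; // placeholder, not the real tag URL
const STORAGE_PREFIX = 'n90_';  // assumed prefix of first-party keys (e.g. n90_user_uuid)
const EVENT_DB = 'n90_events';  // IndexedDB queue named on this page

// Remove identifiers left by an earlier consented visit. Storage held by the
// iframe on the vendor's own domain cannot be reached from the parent page.
function purgeTagStorage(storage, idb) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  const removed = keys.filter((k) => k.startsWith(STORAGE_PREFIX));
  removed.forEach((k) => storage.removeItem(k));
  if (idb) idb.deleteDatabase(EVENT_DB);
  return removed;
}

// Returns the function to call with the visitor's choice for measurement.
// doc, storage and idb are document, localStorage and indexedDB in a browser.
function createConsentGate(doc, storage, idb, src = TAG_SRC) {
  let injected = false;
  return function onConsent(granted) {
    if (granted === true) {
      if (injected) return 'already-loaded'; // never inject the tag twice
      const el = doc.createElement('script');
      el.src = src;
      el.async = true;
      doc.head.appendChild(el);
      injected = true;
      return 'loaded';
    }
    // Anything but an explicit true (false, undefined, 'pending') keeps the tag off.
    purgeTagStorage(storage, idb);
    // The tag has no partial mode: once running it stops only when the page
    // is reloaded without it, so tell the caller to do that.
    return injected ? 'reload-required' : 'blocked';
  };
}
```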
International data transfers
NEXT90 is based in the United States. Visitor data from your website will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) with our sub-processors for these transfers, as recognized under GDPR. Details are covered in our DPA.
EU and UK note: NEXT90 does not currently have an in-EU representative under GDPR Article 27. If your visitors are in the EU or UK and need to exercise their rights, you can direct them to your own privacy contact and relay requests to us, or they can email legal@n90.co directly. This page will be updated when a representative is appointed.
Contact
Privacy and legal questions: legal@n90.co
Phone: 314-742-9090
Mail: NEXT90, LLC — 167 Lamp & Lantern Village, Suite 253, Chesterfield, MO 63017