How Pulsora Works#

Pulsora is a privacy-first analytics platform that tracks visitors, events, and revenue without cookies, personal data, or invasive tracking. This guide explains how every piece of the system works together to give you complete analytics while respecting user privacy.

Overview: The Complete Data Flow#

When someone visits your site, here's what happens:

1. Browser loads tracking script - Lightweight ~2KB JavaScript loads asynchronously
2. Pageview sent to server - IP + User Agent + URL sent to Pulsora backend
3. Server generates fingerprint - Backend creates anonymous identifier using SHA256
4. Session tracking begins - Visitor's journey tracked across pages
5. Events recorded - Custom events (clicks, form submissions) captured
6. Revenue attribution - Purchases linked to visitor's first-touch & last-touch sources

Key principle: Everything happens server-side. No cookies stored, no device fingerprinting, no personal data collected.

Server-Side Visitor Identification#

Pulsora creates anonymous visitor identifiers entirely on the server. No client-side fingerprinting techniques (Canvas, WebGL, Audio context) are used.

The Algorithm#

When a visitor loads your site, Pulsora's backend generates a fingerprint using:

fingerprint = SHA256(IP_Address + User_Agent + Website_ID + Salt)

Components#

• IP Address - The visitor's IP address
• User Agent - The browser's user agent string
• Website ID - Your website's unique identifier
• Salt - A random string that rotates automatically

Why Server-Side?#

Privacy Benefits:

• No invasive client-side tracking (no Canvas, WebGL, Audio context)
• No device fingerprinting or browser enumeration
• Transparent algorithm - you know exactly what's used
• Automatic expiration through salt rotation

Technical Benefits:

• Deterministic - same visitor = same fingerprint (within rotation window)
• Works with ad blockers (no client-side script blocking)
• No performance impact on your website
• Simple to understand and audit

Attribution Windows#

The attribution window determines how long a visitor can be tracked across sessions. This is controlled by your salt rotation interval:

Available Windows#

• 24 hours - Maximum privacy, same-day attribution only
• 3 days (72 hours) - Short sales cycles
• 7 days (168 hours) - Recommended for most businesses
• 14 days (336 hours) - Longer consideration periods
• 30 days (720 hours) - Maximum attribution, B2B, high-ticket items

How to Configure#

To set your attribution window:

1. Navigate to Website Settings

   • Go to your Pulsora dashboard
   • Click on your website
   • Go to Settings tab

2. Choose Attribution Window

   • Find the "Attribution Window" dropdown
   • Select your preferred duration (24h, 3d, 7d, 14d, or 30d)
   • Click "Save changes"

3. Immediate Effect

   • When you change the window, the salt rotates immediately
   • All current visitors get new identifiers
   • New attribution window takes effect right away

Salt Rotation#

The salt rotates automatically based on your configured interval:

Automatic Rotation#

The salt rotates automatically on a schedule based on your attribution window:

• A background job runs every hour
• Checks if it's time to rotate (based on your chosen interval)
• Generates a new random salt
• Updates the rotation timestamp

What happens when salt rotates:

• All visitors get new fingerprints on their next visit
• Previous fingerprints become invalid
• Attribution history restarts from zero

Manual Rotation#

You can manually rotate the salt anytime from your website settings:

1. Go to Website Settings → Settings tab
2. Find "Rotate Now" button next to the countdown timer
3. Click "Rotate Now"
4. Confirm the action (you'll see a warning dialog)

When to use manual rotation:

• Starting fresh attribution
• Privacy compliance requests
• After security concerns

Session Management#

Sessions group multiple pageviews from the same visitor into a single browsing session. This helps you understand user journeys and conversion paths.

How Sessions Work#

• Session starts when a visitor first loads your site
• Session continues as they navigate between pages
• Session ends after 30 minutes of inactivity
• New session starts if visitor returns after 30+ minutes

What's Tracked in a Session#

Each session records:

• All pageviews (URLs, referrers, timestamps)
• Custom events (button clicks, form submissions, video plays)
• UTM parameters (source, medium, campaign, content, term)
• First-touch attribution data (initial referrer/source)
• Last-touch attribution data (most recent referrer/source before conversion)

Session Continuity#

Sessions are tied to the visitor fingerprint. This means:

• Same visitor = same session (within 30-minute window)
• Works across multiple tabs/windows
• No cookies required
• Survives page refreshes

Important: After salt rotation, all existing fingerprints become invalid. Visitors will start new sessions on their next visit.

Revenue Attribution#

Pulsora uses visitor fingerprints to connect revenue back to marketing sources. When a visitor makes a purchase, you pass their fingerprint to Pulsora, which automatically attributes the revenue to:

• First-touch source: The original referrer/campaign that brought the visitor
• Last-touch source: The most recent referrer/campaign before purchase

This happens entirely server-side with no additional configuration needed.

Learn more: See the Revenue Attribution Guide for complete implementation details including Stripe/Paddle webhook integration.

Privacy & Compliance#

What Makes This GDPR Compliant?#

1. No Personal Data - IP + UA are hashed, never stored raw
2. Anonymous Identifiers - Fingerprints can't be reversed to individuals
3. Automatic Expiration - All identifiers expire via salt rotation
4. No Cookies - No browser storage or tracking cookies
5. Transparent - Simple algorithm, fully documented

GDPR Article 4(1) - Pseudonymization#

"...the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information..."

Pulsora's fingerprints meet this standard:

• Hashed with a rotating salt (additional information)
• Salt is discarded after rotation (additional information destroyed)
• Cannot link back to individuals without the salt

Legitimate Interest#

Most businesses can use Pulsora under legitimate interest (GDPR Article 6(1)(f)):

• Used for anonymous analytics
• Improves service quality
• Minimal privacy impact
• Automatic expiration

Recommendation: Include in your privacy policy as "Anonymous Analytics" and explain the server-side fingerprinting approach.

Comparison to Client-Side Fingerprinting#

Why This Approach?#

Pulsora's server-side fingerprinting strikes a balance between analytics utility and user privacy:

Pros:

• ✅ Anonymous by design - no personal data stored
• ✅ Automatic expiration via salt rotation
• ✅ Transparent and auditable algorithm
• ✅ Works with ad blockers (server-side processing)
• ✅ No performance impact on your website
• ✅ GDPR/CCPA compliant without consent banners

Trade-offs:

• ⚠️ Visitor counts may be slightly inflated (VPN changes, salt rotation)
• ⚠️ Can't track users indefinitely (attribution window limit)
• ⚠️ No cross-device tracking (different devices = different fingerprints)

We believe these trade-offs are worth it for respecting user privacy while still providing valuable analytics.

Next Steps#

• Revenue Attribution Guide - Complete attribution setup
• Webhook Integration - Connect payment processors
• Privacy & Compliance - GDPR, CCPA compliance details
• Architecture & Security - Infrastructure and data residency

Note: Pulsora never stores raw IP addresses or user agents. Only the hashed fingerprint is retained, and it expires automatically through salt rotation.