This FAQ explains how website visitor tracking and de‑anonymization works when provided natively by our platform, and how this functionality complies with GDPR and CCPA requirements.
The explanations below are written so they can be shared directly with customers and prospects.
1. What is website visitor de‑anonymization?
Website visitor de‑anonymization is the process of enriching otherwise anonymous website traffic (for example, visits identified only by IP address or cookies) with company‑level and, where legally permitted, business contact‑level information.
The purpose of this functionality is to help businesses understand which organizations are engaging with their website and to support B2B analytics, sales intelligence, and marketing optimization.
The solution is designed for B2B use cases and does not aim to identify private individuals acting in a purely personal or household context.
2. When does IP‑based or contact‑level de‑anonymization occur?
De-anonymization occurs after a website visit and only for visitors located in the United States, and only where legally permitted.
- IP‑based identification is used to derive company‑level insights (e.g. company name, industry, company size) associated with a business IP address.
- Contact‑level identification occurs only if a visitor can be matched to an existing, permissioned business contact record within our licensed and compliant data sources.
Visitors from other regions, including the EU/EEA, are explicitly excluded from de-anonymization and contact-level enrichment.
No sensitive personal data is processed, and no attempts are made to identify consumers browsing for private purposes.
3. Does identification happen on the first visit or only on a subsequent visit?
Identification may occur on a first website visit if:
- The visitor is using a recognizable business IP address, and/or
- A valid identifier (such as a cookie) is already present.
If no identifier is available on the first visit, identification may occur on a subsequent visit once a permitted identifier exists.
4. What information will be collected from our website?
UserGems identifies website visitors using browser fingerprinting - a device-level detection method that evaluates technical attributes from the visitor's browser and network environment.
This includes a combination of indicators such as:
- Network characteristics (IP, proxy detection, etc.)
- Browser type and version
- Hardware specifications
- Operating system
- Time zone
5. What contact‑level data can be returned to SFDC, HubSpot or other CRM systems?
Where contact‑level identification is legally permitted, the following business contact data may be enriched and synced to connected CRM systems (such as HubSpot):
- First and last name
- Business email address
- Job title or role
- Company name
- Company firmographic attributes (e.g. industry, company size, revenue range)
Important:
- Only professionally sourced, B2B contact data is used.
- No sensitive or special‑category personal data is processed.
6. When in the user journey is data returned?
Data enrichment typically occurs after the website visit, not during live page views.
- Identification and enrichment are processed asynchronously.
- Once processing is complete, matched company or contact data is made available in Usergems and can be send to the connected CRM through workflows.
- As a result, enriched data may appear minutes or hours after the visit rather than in real time.
7. What cookies are used?
The tracking setup does not require any cookies.
8. How is GDPR compliance ensured?
This functionality is designed to align with GDPR requirements, including:
- Lawful basis for processing: Typically legitimate interest for B2B analytics and marketing, subject to balancing tests and local requirements.
- Data minimization: Only business‑relevant data is processed.
- Purpose limitation: Data is used exclusively for analytics, sales, and marketing intelligence.
- Transparency: Customers are required to disclose tracking and enrichment in their privacy policies.
- User rights: Data subjects may exercise rights of access, rectification, deletion, restriction, and objection.
- No sensitive data: Special‑category personal data is not processed.
9. How is CCPA compliance ensured?
For California residents, the solution supports CCPA and CPRA requirements:
- Personal data is not sold as defined under CCPA.
- Data is used strictly for business and analytics purposes.
- Rights to know, delete, and opt out are supported.
Consumers may submit privacy requests through the appropriate privacy request channels.
10. Do website visitors need to be informed?
Yes. Customers using this functionality must:
- Disclose website tracking and enrichment activities in their privacy policy.
- Implement cookie consent mechanisms where required by law.
- Provide clear information on how visitors can exercise their privacy rights.
11. How do you determine a visitor’s location?
Visitor location is inferred using standard technical signals such as IP-based geolocation. These signals are used solely to enforce geographic restrictions and compliance controls (for example, limiting de-anonymization to U.S.-based visitors).
12. What happens to visitors outside the United States?
Visitors determined to be located outside the United States, including those in the EU/EEA, are excluded from de-anonymization and contact-level enrichment. Their visits may still be counted in aggregated, anonymous website analytics.
13. How can visitors opt out of tracking or enrichment?
Visitors may opt out through cookie consent mechanisms, browser-level controls, or applicable privacy rights request processes. Customers are responsible for implementing consent and opt-out mechanisms in accordance with local law.
14. Is this tracking limited to specific pages or domains?
Yes. Tracking is limited to the domains and pages where customers have explicitly implemented the tracking code and configured consent and privacy controls.
15. Key takeaway
- De‑anonymization is focused on B2B insights, not consumer profiling.
- Identification occurs only where legally permitted and transparently disclosed.
- GDPR and CCPA principles are embedded into the design, data sourcing, and processing model.
If you have further questions about configuration, compliance wording, or documentation, please contact us.