Hellyeah

Privacy

How X-Ray handles cookies, identifiers, and GDPR.

X-Ray is built for ad attribution and conversion reporting, not personal profiling. The defaults stay close to what you need to optimize a campaign and nothing more.

Cookies

The default tracker uses a single first-party identifier to distinguish visits, set on the same origin as your site. It does not set third-party cookies, fingerprint the browser, or read personal data.

Most deployments do not need a cookie banner for X-Ray's default flow. If your jurisdiction or consent policy requires opt-in for analytics, mount the SDK only after the visitor consents.

What we collect

  • Pageviews, click events, form submits, outbound links, web vitals (autocapture)
  • Custom and conversion events you send through track()
  • Click IDs (gclid, fbclid, msclkid, ttclid, li_fat_id, twclid, gbraid, wbraid) and utm_* params on first visit, retained for 90 days
  • Identifiers passed to identify(). Email and phone are SHA-256 hashed before storage, and raw contact details are not stored.

GDPR

For sites under GDPR, BIPA, or similar regimes:

  • Disclose the 90-day attribution window in your privacy notice.
  • List the categories above (events, click IDs, hashed identifiers).
  • Avoid sending personal data in custom event properties.
  • Honor consent: don't call inject() until the visitor has accepted analytics.
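
The last two points can be enforced in code rather than by convention. The sketch below is an added example, not X-Ray's own code: it mounts the tracker only after consent and strips contact-like values from custom event properties. The helper names, the no-argument inject() and the track(name, props) shape are assumptions, since the SDK's signatures are not shown here.

```javascript
// Added example. `inject` and `track` are passed in as parameters because the
// SDK's real signatures are not shown on this page (assumed: inject() takes no
// arguments and track(name, props) takes an event name and a plain object).

const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_CHARS_RE = /^\+?[\d\s().-]+$/;

// Heuristic: true when a string value looks like an email address or a phone
// number (10 to 15 digits with only phone punctuation around them).
function looksLikeContactDetail(value) {
  if (typeof value !== "string") return false;
  const text = value.trim();
  if (EMAIL_RE.test(text)) return true;
  const digits = text.replace(/\D/g, "").length;
  return PHONE_CHARS_RE.test(text) && digits >= 10 && digits <= 15;
}

// Return a copy of props without contact-like values, plus the dropped keys
// so the calling code can be fixed at its source.
function scrubProperties(props) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(props || {})) {
    if (looksLikeContactDetail(value)) dropped.push(key);
    else clean[key] = value;
  }
  return { clean, dropped };
}

// Mount the tracker only after consent; before that, events are discarded,
// not buffered, so nothing collected pre-consent is sent later.
function createConsentGate(inject, track) {
  let mounted = false;
  return {
    grant() {
      if (mounted) return;
      inject();
      mounted = true;
    },
    track(name, props) {
      if (!mounted) return false;
      track(name, scrubProperties(props).clean);
      return true;
    },
  };
}
```

Call grant() from your consent banner's accept handler. The pattern match is a heuristic backstop, so keep contact details out of event properties at the call site as well.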

Data location

X-Ray events are stored in Hellyeah-managed infrastructure and used only to power your campaign reports and the conversion signals sent to ad platforms.

Reach out

Compliance questions or DPA requests: contact us via the link on hellyeahai.com.
