Tag Security & Data Disclosure
Last updated: 15 March 2026
Embedding third-party JavaScript on your website is a trust decision. This page gives you the full picture of what our tracking tag does, what it collects, what it doesn't, and the measures we take to keep your site and your visitors safe.
1. What the Tag Collects
The ClickLens tag collects the minimum set of signals needed to distinguish real humans from bots and automated click fraud. Everything collected is for fraud detection — nothing is used for advertising, profiling, or cross-site tracking.
Browser & Device Signals
- User agent string, browser language, and platform
- Screen resolution, colour depth, and device pixel ratio
- Hardware concurrency and device memory
- Timezone and timezone offset
- Connection type, network round-trip time, and downlink speed
- Font enumeration count (count only, not font names)
- Speech synthesis voice count (count only, not voice names)
- JavaScript engine detection
- Navigation performance timing (DNS and connection latency)
- WebGL maximum texture size
Fingerprint Hashes
- Canvas fingerprint — a hash (not the raw image) of how the browser renders a hidden canvas element
- Canvas stability verification — whether re-rendering produces an identical hash
- WebGL renderer and vendor strings
- Audio context fingerprint hash
These hashes are used to detect repeat visitors within a session window. They cannot be reversed to identify an individual. We do not store the raw rendered data — only the one-way hash.
Behavioural Signals
- Mouse movement patterns
- Click positions and count
- Scroll depth (how far down the page the visitor scrolled)
- Keystroke count and timing patterns
- Paste event count
- Time on page and page visibility changes
Keystroke content is never captured. We measure typing patterns to distinguish human input from automated input — we do not record which keys were pressed or any text that was typed.
Raw coordinates are never stored. Mouse positions, click coordinates, and scroll positions are processed in real time to compute statistical summaries (means, standard deviations, entropy). Only these aggregated metrics are persisted — the raw coordinate arrays are discarded after processing and cannot be reconstructed.
Automation Markers
The tag checks for indicators commonly associated with automated browsers and bot frameworks. These checks help identify non-human traffic without affecting legitimate visitors.
Navigation Context
- Landing page URL and referrer
- UTM parameters (source, medium, campaign, content, term) and ad platform click identifiers (Google gclid, Facebook fbclid, Microsoft msclkid, TikTok ttclid)
- Navigation type (direct, reload, back-forward)
2. Server-Side Enrichment
When the tag sends its data to our servers, we enrich it with server-side signals that the tag itself does not collect:
- IP address — extracted from the request, not collected by client-side JavaScript
- Geolocation — approximate location (country, region, city) derived from the IP address
- Network type — whether the IP belongs to a residential ISP, data centre, VPN, or proxy
- Network operator — the organisation that owns the IP range
- Threat intelligence — abuse confidence scoring from threat intelligence services (AbuseIPDB) to identify known-malicious IPs
- TLS fingerprint (JA4) — when provided by the reverse proxy (e.g. Cloudflare), the TLS handshake fingerprint is used to detect browser/TLS mismatches indicative of automation
- HTTP header analysis — presence of Accept-Language and Accept-Encoding headers (values are not stored)
IP addresses are stored to enable IP-based exclusion lists. They are not shared with third parties except where you explicitly connect a Google Ads account for automated exclusion syncing.
3. What the Tag Does NOT Collect
The ClickLens tag is designed with a strict data minimisation principle. It does not:
- Set cookies. Session identity uses temporary browser storage that is automatically cleared when the tab closes. No persistent identifiers are left behind.
- Track across sites. There is no cross-origin communication, no third-party cookie, and no shared identifier between different websites using ClickLens.
- Capture personal information. No names, email addresses, phone numbers, or any other PII.
- Read form inputs. The tag has no access to what visitors type into forms, search boxes, or any input fields. It measures typing patterns without reading any content.
- Access persistent storage. No cookies, no localStorage, no IndexedDB. Only ephemeral session-scoped storage is used.
- Make third-party requests. The tag communicates only with your ClickLens endpoint. It does not load external scripts, pixels, or resources from any other domain.
- Capture page content. No DOM scraping, no screenshot capture, no reading of page text or images.
- Record browsing history. Only the landing page URL and referrer are captured — no navigation beyond that.
4. Script Integrity (SRI)
Every ClickLens tag snippet includes a Subresource Integrity hash. This is a cryptographic fingerprint (SHA-384) of the exact script your visitors will download.
When you include SRI in your script tag, the browser computes the hash of the downloaded file and compares it to the expected value. If there is any mismatch — caused by a man-in-the-middle attack, CDN compromise, server-side tampering, or even a single byte change — the browser will refuse to execute the script entirely.
Example snippet with SRI
<script defer
  src="https://app.clicklens.com/t.js"
  integrity="sha384-[hash]"
  crossorigin="anonymous"
  data-site="YOUR_SITE_KEY"></script>
What this means for you
- Tamper detection: If anyone modifies the script between our server and your visitor's browser, it will not run.
- Deployment safety: You can verify that the script you reviewed is the exact script being served to your visitors.
- No silent updates: When we release a new version of the tag, the hash changes. Your existing snippet will block the new version until you update the hash. This means we cannot change what runs on your site without your knowledge.
Updating your SRI hash
When we release a new tag version, we will notify you in advance. The updated hash is always available in your ClickLens dashboard under Settings > Tag Installation. Simply copy the new snippet and replace the old one. If you use Google Tag Manager, the template will update the hash automatically.
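The comparison the browser performs can be reproduced offline against the file you downloaded and reviewed, before a new snippet goes live. The following Node.js code is an added example, not ClickLens code; the function names and the sample script bytes are constructed for illustration.

```javascript
const crypto = require("crypto");

// Hash functions permitted by SRI, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];
const rank = (alg) => STRENGTH.indexOf(alg);

// Build an integrity value for a file you have reviewed.
function integrityFor(bytes, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest("base64")}`;
}

// Split an integrity attribute into usable {alg, digest} entries.
// Tokens that do not parse (e.g. the literal placeholder "sha384-[hash]") are dropped.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})(?:\?.*)?$/.exec(token);
    if (m) entries.push({ alg: m[1], digest: Buffer.from(m[2], "base64") });
  }
  return entries;
}

// Same decision a browser makes: only the strongest listed algorithm counts,
// and the file passes if any digest for that algorithm matches its bytes.
function verifySri(attr, bytes) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) {
    // A browser would load the script unchecked here, so an audit must flag it.
    return { ok: false, reason: "no usable hash" };
  }
  const strongest = entries.map((e) => e.alg).sort((a, b) => rank(b) - rank(a))[0];
  const actual = crypto.createHash(strongest).update(bytes).digest();
  const ok = entries.some((e) => e.alg === strongest && e.digest.equals(actual));
  return { ok, alg: strongest, reason: ok ? "match" : "digest mismatch" };
}

// Constructed sample bytes standing in for the reviewed and the served t.js.
const REVIEWED = Buffer.from("(function(){/* reviewed build */})();\n");
const SERVED_TAMPERED = Buffer.from("(function(){/* reviewed build */})();\n//x");

console.log(verifySri(integrityFor(REVIEWED), REVIEWED));        // match
console.log(verifySri(integrityFor(REVIEWED), SERVED_TAMPERED)); // digest mismatch
console.log(verifySri("sha384-[hash]", REVIEWED));               // no usable hash
```

To check a real deployment, pass the integrity attribute from your live snippet and the bytes of the downloaded tag file (for example via `fs.readFileSync`) to `verifySri`.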
5. Security
Transport
- All data is transmitted over HTTPS (TLS 1.3)
- The API and tag are served from the same origin — no third-party domains involved
Data at Rest
- Database encryption at rest
- Fingerprint data is stored as irreversible hashes, never raw browser output
- Per-account data isolation — session data is accessible only to the account that owns the site
Abuse Prevention
- Rate limiting is enforced to prevent abuse of the data collection endpoint
- The API is designed to prevent information leakage — responses do not reveal internal state or processing results
The Tag Itself
- Self-contained with no external dependencies
- Under 4 KB — small enough to read and audit manually
- SRI-verified to ensure integrity between our build and your visitors' browsers
6. Performance Impact
- Script size: Under 4 KB. The tag loads asynchronously and never blocks page rendering.
- Network requests: At most two small requests per page view — one shortly after the page loads, and one when the visitor leaves. Neither blocks navigation.
- CPU usage: Negligible. Signal collection is lightweight and behavioural tracking uses passive event listeners.
- No layout shifts: The tag is invisible. It creates no DOM elements, injects no styles, and has no visual footprint.
7. Compliance & Legal Basis
GDPR
ClickLens operates under the legitimate interest basis (Article 6(1)(f) of the GDPR) for fraud prevention and security. The data collected is technical in nature and does not constitute personal data in most cases. Where IP addresses are processed (which may be considered personal data under GDPR), the legitimate interest in preventing ad fraud and protecting advertising investment provides the legal basis.
As a ClickLens customer, you are the data controller for visitor data collected on your websites. ClickLens acts as a data processor on your behalf. We recommend disclosing the use of ClickLens in your website's privacy policy.
ePrivacy / Cookie Directive
The ClickLens tag does not set cookies or access persistent storage. It uses only ephemeral session-scoped storage that is cleared automatically when the browsing session ends. This is exempt from cookie consent requirements when used for the legitimate purpose of fraud detection.
CCPA
ClickLens does not sell visitor data. The technical signals collected do not fall under the CCPA definition of personal information in most use cases. No cross-site tracking or advertising profiles are created.
8. Data Retention & Deletion
- Session data retention is configurable: 7 days (Free plan), 30 days (Starter), 90 days (Growth), or 1 year (Pro)
- You can change your retention period at any time from the dashboard
- When you delete a site, all associated session data is permanently removed
- Account deletion removes all sites, sessions, and personal data within 30 days
9. Open Verification
We believe you should be able to verify our claims, not just trust them:
- Inspect the source: The tag is under 4 KB of minified JavaScript. You can download it, run it through a beautifier, and read every line. There are no obfuscated payloads or hidden network calls.
- Monitor network traffic: Use your browser's DevTools Network tab to see exactly what the tag sends. You will see one or two small POST requests to your ClickLens origin — nothing else.
- Verify with SRI: The integrity hash in your snippet ensures that the script your visitors download is byte-for-byte identical to the script you reviewed.
- Content Security Policy: If your site uses a CSP, you only need to allow your ClickLens origin for script loading and network requests. No other domains are required.
10. Questions & Security Reporting
If you have questions about our data practices or security measures, contact us at security@clicklens.io or visit our contact page.
If you discover a security vulnerability in the ClickLens tag or service, please report it to security@clicklens.io. We take all reports seriously and will respond within 48 hours.
Related policies
- Privacy Policy — How we handle account and platform data
- Terms of Service — Governing terms for using ClickLens