Privacy Considerations

When using our tracking code, you may need to be aware of privacy considerations surrounding our data collection approach.

By default, we collect standard web browser information about a reader; the uses of each field are described below:

  • ip_address: IP address of the user; used for bot detection and geographic segments
  • user_agent: Identifier for the user's device; used for device analytics (mobile vs desktop)
  • first_party_uuid: Site-specific identifier (UUID) for user; used in loyalty analytics (new vs returning)
  • third_party_uuid: Network unique identifier (UUID) for user; used for deduped cross-domain visitor counts

To comply with Personally Identifiable Information (PII) restrictions in certain geographic regions, as well as the privacy policies of individual publishers, we can selectively disable the tracking of two of these pieces of information (individually for a specific site or API key). These are ip_address and third_party_uuid. An example implementation is here. We have also exposed the ability to disable the tracking of these two pieces of information on a per-visitor basis when using our standard JavaScript tracker. This can be especially useful for maintaining GDPR compliance.

#What does disabling IP address tracking mean?

When you disable ip_address tracking for a specific site, API key, or visitor, we apply a hashing algorithm to the original IP address that removes any PII while maintaining enough information to perform reasonably accurate geographic segmentation.

#Is the first_party_uuid a form of PII?

No. The way we generate the first_party_uuid for web browsers uses server-side cryptographic randomness. In the case of our mobile SDKs, we generate the first_party_uuid within the app itself, leveraging Java and ObjC/Swift APIs. The UUID is a unique identifier that can only be used to analyze single-domain or single-app user sessions. We do not link the first_party_uuid with any personal information about the web visitor; from our standpoint, each UUID is an anonymous content-viewing device or user.

Our terms of use prevent customers from overriding the first_party_uuid field with any PII data. We state in our terms of use:

Customer will not: (a) provide, or cause to be provided, any PII to; or (b) configure or otherwise cause any cookie, pixel tag, or other code to capture or transmit any PII to

#Effect of disabling fields

Disabling ip_address tracking will prevent us from doing bot blocking and various forms of bot detection for your site, but may lead to better compliance with strict privacy policies that consider IP addresses to be PII.

Disabling ip_address also makes our geographic segmentation feature slightly less accurate. It is often used with our audience segmentation feature.

Disabling third_party_uuid will prevent us from doing cross-domain deduped visitor counts, especially in our Data Pipeline product for customers who own and operate several domains.

We treat third-party UUIDs as a data sample anyway, since they are powered by a third-party cookie set at our domain, and such cookies are inaccurate in many user agents, such as Apple iOS's Safari browser. Disabling third_party_uuid does not disable our loyalty analytics, which are derived exclusively from first_party_uuid.

To disable one or both of these fields, simply contact us and one of our integration engineers can help.

#How and where is visitor data securely stored?

We use a stateless distributed DNS and CDN infrastructure, which is spread across several geographic regions for redundancy and performance.

However, data is immediately captured/ingested in a distributed infrastructure located in several data centers in the United States (located in the states of Virginia and Oregon), where it is archived and stored long-term.

All data is stored on secure Linux servers, which are regularly patched and upgraded. These servers are behind a virtual private cloud networking setup. Because we rely on public cloud infrastructure, physical security of our data centers is handled by Amazon Web Services, which has public documentation on cloud security, as well as ISO 27001 compliance for its infrastructure.

Data is also backed up to a cloud distributed data store with 99.999999999% durability, and is only accessible by authorized systems using secure keys. This distributed data store is spread across several data centers clustered geographically in the state of Virginia in the United States.

#Do you have a public privacy policy?

Yes. We publish our privacy policy here. Some discussion of our data storage is also included in our product terms of use.

#How is data aggregated and anonymized?

We aggregate and anonymize customer data for the purpose of studying web-wide attention data. For example, aggregated and anonymized data is used for our data studies, which are published to inform media industry trends for customers and the press.

#How do we handle EU-US Privacy Shield?

We are Privacy Shield certified; our certification page is here. The principles for EU-US Privacy Shield are covered here. Our public privacy policy discusses these points throughout.

#How do we handle GDPR?

The General Data Protection Regulation (aka GDPR) is a new data regulation designed by the EU to safeguard the rights of consumers in the European Union, increasing the requirements for data security and privacy beyond the Data Protection Directive, which is the current EU regulation governing the right of consumer privacy.

More information on our approach to GDPR can be found here.

#Example implementation of disabling PII tracking per visitor

To disable PII tracking on a per-visitor basis, define a PARSELY object with an onload function prior to the code for the default implementation. The onload function should call PARSELY.setConfigOptions and pass it an object with the keys and values you'd like to overwrite for this visitor. Currently, the only valid keys are track_ip_addresses and track_third_party_cookies. The only valid values are true or false.

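<script type="application/javascript">
function shouldTrackPII () {
    // returns true if we should track PII for this visitor
    // placeholder: replace with your own consent check
    return false;
}

window.PARSELY = window.PARSELY || {
    onload: function () {
        // override the tracking options for this visitor
        PARSELY.setConfigOptions({
            track_ip_addresses: shouldTrackPII(),
            track_third_party_cookies: shouldTrackPII()
        });
    }
};
</script>
<!-- Normal integration code goes here -->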
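
One way to drive the per-visitor override from a recorded consent decision, as an added example that is not part of the original page or the vendor's own code. The `analytics_consent` cookie, its `ip` and `cross_site` purpose names, and the helper functions are hypothetical; only `PARSELY.onload`, `PARSELY.setConfigOptions` and the two option keys come from the page.

```javascript
// Hypothetical first-party cookie written by the site's own consent banner, e.g.
//   analytics_consent=ip.cross_site   (dot-separated list of granted purposes)
const CONSENT_COOKIE = "analytics_consent";

// Each documented option key is unlocked by one hypothetical purpose name.
const PURPOSE_FOR_OPTION = {
    track_ip_addresses: "ip",
    track_third_party_cookies: "cross_site"
};

// Parse a document.cookie-style string and return the granted purposes.
function grantedPurposes(cookieString) {
    for (const part of String(cookieString || "").split(";")) {
        const eq = part.indexOf("=");
        if (eq !== -1 && part.slice(0, eq).trim() === CONSENT_COOKIE) {
            return part.slice(eq + 1).split(".").map((p) => p.trim()).filter(Boolean);
        }
    }
    return []; // no recorded decision: nothing is granted (fail closed)
}

// Always emits both documented keys with strict booleans, so each field can be
// toggled independently; unknown purpose names in the cookie are ignored.
function privacyOptions(cookieString) {
    const granted = grantedPurposes(cookieString);
    const options = {};
    for (const [key, purpose] of Object.entries(PURPOSE_FOR_OPTION)) {
        options[key] = granted.includes(purpose);
    }
    return options;
}

// Must run before the normal integration code so the onload hook is already defined.
function installPrivacyConfig(win, cookieString) {
    const options = privacyOptions(cookieString);
    win.PARSELY = win.PARSELY || {
        onload: function () {
            win.PARSELY.setConfigOptions(options);
        }
    };
    return options;
}

// Browser usage: installPrivacyConfig(window, document.cookie);
```

Because a missing or unparseable cookie yields an empty purpose list, a visitor who has not yet answered the consent prompt gets both fields disabled.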