BackNova PII-0 Architecture — What we collect, what we don't, and how to verify.
BackNova is designed from the ground up to make decisions without ever seeing, storing, or processing personal data. All identifying information is hashed client-side before transmission.
BackNova collects 47 behavioral and technical signals to evaluate lead quality. None of these are personally identifiable.

| Signal | Description | PII? |
|---|---|---|
| time_on_site_sec | Seconds spent on page | ✓ No |
| scroll_depth_pct | How far user scrolled (%) | ✓ No |
| page_views | Number of pages viewed | ✓ No |
| mouse_distance | Total mouse movement (px) | ✓ No |
| clicks | Number of clicks | ✓ No |
| rage_clicks | Frustration click patterns | ✓ No |
| form_completion_sec | Time to fill form | ✓ No |
| form_changes_count | Form field edits | ✓ No |
| engaged | User engagement flag | ✓ No |
| returning_visitor | Has visited before | ✓ No |
| fast_scroll | Bot-like scroll pattern | ✓ No |
| keystrokes | Keyboard activity count | ✓ No |
| paste_events | Copy-paste usage | ✓ No |
| tab_switches | Tab focus changes | ✓ No |
| touch_events | Mobile touch count | ✓ No |

| Signal | Description | PII? |
|---|---|---|
| user_agent | Browser identification string | ✓ No |
| browser | Browser name (Chrome, Firefox) | ✓ No |
| device_type | desktop / mobile / tablet | ✓ No |
| screen_resolution | Screen size (1920x1080) | ✓ No |
| viewport_size | Browser window size | ✓ No |
| language | Browser language (en-US) | ✓ No |
| timezone | Timezone (Europe/London) | ✓ No |
| platform | OS (Windows, macOS) | ✓ No |
| cookies_enabled | Cookie support flag | ✓ No |
| do_not_track | DNT header status | ✓ No |

| Signal | Description | PII? |
|---|---|---|
| utm_source | Traffic source (google, facebook) | ✓ No |
| utm_medium | Traffic medium (cpc, email) | ✓ No |
| utm_campaign | Campaign name | ✓ No |
| utm_term | Search keyword | ✓ No |
| utm_content | Ad content variant | ✓ No |
| click_id | Tracker click ID for postback matching | ✓ No |
| referrer | Previous page URL | ✓ No |
| url | Current page URL | ✓ No |

| Signal | Description | PII? |
|---|---|---|
| session_id | Random session identifier | ✓ No |
| browser_fingerprint | SHA-256 hash of browser config | ✓ No |
| email_hash | SHA-256 hash of email (for AI learning) | ✓ No* |
| ip_hash | SHA-256 hash of IP (for fraud detection) | ✓ No* |

\* Email and IP are hashed for AI learning and fraud detection. We also extract email domain and GEO (country) — these are not PII.

- ✗ Plain text email addresses
- ✗ Plain text phone numbers
- ✗ Names (first, last, full)
- ✗ Physical addresses
- ✗ Credit card or payment information
- ✗ Social security numbers
- ✗ Government IDs
- ✗ Passwords or credentials
- ✗ Any other personally identifiable information

When a user submits a form, their lead data (name, email, phone) goes directly to your PP/broker via the route URL you configured. BackNova never stores this raw data.
For AI to learn from conversion patterns, we store SHA-256 hashes of email and IP. These cannot be reversed to reveal the original data.
We only capture click_id from your tracker URL. Your sub IDs, pub IDs and other tracking parameters stay in your tracker — we don't see or store them.
Our SDK source code is publicly available. You can inspect exactly what data is collected and how it's processed.
View SDK Source Code →

Open your browser's Developer Tools (F12) → Network tab → Filter by "backnova" or "decision" to see exactly what data is being sent.
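
One way to check a request body copied from the Network tab against the signal tables on this page, as an added example that is not BackNova's SDK code. It assumes the body is a flat JSON object keyed by signal name; `auditPayload` is a hypothetical helper and the sample body is constructed. It flags keys the tables do not list, hash fields that are not 64 hex digits, and string values (for example `url` or `referrer` query strings) that carry an email or IPv4 address.

```javascript
// Added example (not BackNova code): audit a request body copied from DevTools.
// Assumption: the body is a flat JSON object keyed by the signal names on this page.
const DOCUMENTED = new Set([
  "time_on_site_sec scroll_depth_pct page_views mouse_distance clicks rage_clicks",
  "form_completion_sec form_changes_count engaged returning_visitor fast_scroll",
  "keystrokes paste_events tab_switches touch_events user_agent browser device_type",
  "screen_resolution viewport_size language timezone platform cookies_enabled",
  "do_not_track utm_source utm_medium utm_campaign utm_term utm_content click_id",
  "referrer url session_id browser_fingerprint email_hash ip_hash",
].join(" ").split(" "));
const HASH_FIELDS = ["browser_fingerprint", "email_hash", "ip_hash"];
const EMAIL = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;

// URLs may carry percent-encoded values; fall back to the raw string if malformed.
function decode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function auditPayload(payload) {
  const findings = [];
  for (const [key, value] of Object.entries(payload)) {
    if (!DOCUMENTED.has(key)) findings.push(`${key}: not a documented signal`);
    if (HASH_FIELDS.includes(key) && !/^[0-9a-f]{64}$/i.test(String(value)))
      findings.push(`${key}: not a 64-hex-digit SHA-256 value`);
    if (typeof value !== "string") continue;
    const text = decode(value);
    if (EMAIL.test(text)) findings.push(`${key}: contains an email address`);
    // Browser version strings such as 120.0.0.0 look like IPv4, so skip user_agent.
    if (key !== "user_agent" && IPV4.test(text))
      findings.push(`${key}: contains an IPv4 address`);
  }
  return findings;
}

// Constructed sample body; every value is made up for the demonstration.
const sample = {
  time_on_site_sec: 42,
  user_agent: "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0",
  url: "https://shop.example/thanks?email=jane%40example.com",
  email_hash: "a".repeat(64),
  ip_hash: "203.0.113.7",
  phone: "555-0100",
};
console.log(auditPayload(sample));
```

An empty result only means none of these checks fired for that one request; names, postal addresses and similar free-text fields are caught here only when they arrive under an undocumented key.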
If you have BackNova SDK installed, run this in your browser console:
This will show you exactly what data is collected and confirm PII-0 compliance.
We welcome independent security audits of our SDK and infrastr