Alpha Insights is designed with privacy and security as core principles. This guide explains what data is collected, how it's protected, GDPR compliance considerations, security measures, and how to configure privacy settings.
Also see: FAQ: What Data Does Alpha Insights Collect for a user-friendly overview of data collection.
Key privacy principles:
| Data Type | What's Collected | Purpose | Personal Data? |
|---|---|---|---|
| Session ID | Unique identifier (hash) | Link events to sessions | No |
| IP Address | Visitor's IP address | Session identification, bot detection | Yes (can be personal) |
| Landing Page | Full URL with query parameters | Attribution, campaign tracking | No (unless URL contains PII) |
| Referrer URL | Where visitor came from | Traffic source classification | No |
| User ID | WordPress user ID (if logged in) | Link to user account | Yes (links to user) |
| Device Type | Mobile, desktop, tablet | Device analysis | No |
| Browser | Chrome, Safari, Firefox, etc. | Browser compatibility | No |
| Operating System | Windows, Mac, iOS, Android | Platform analysis | No |
| User Agent | Full user agent string | Bot detection, device parsing | No (technical data) |
| Timestamps | Session start/end times (GMT) | Session duration, analysis | No |
| Data Type | What's Collected | Purpose | Personal Data? |
|---|---|---|---|
| Event Type | page_view, add_to_cart, etc. | Behavior tracking | No |
| Page URL | Full URL of page | Navigation tracking | No (unless URL contains PII) |
| Product ID | WooCommerce product ID | Product analytics | No |
| Event Value | Monetary amount (if applicable) | Revenue tracking | No |
| Form Metadata | Form ID, action, method | Form tracking | No |
| Timestamp | When event occurred (GMT) | Timing analysis | No |
| Meta Key | What's Stored | Purpose |
|---|---|---|
| _wpd_ai_landing_page | Landing URL with query params | Order attribution to campaign |
| _wpd_ai_referral_source | Referrer URL | Traffic source tracking |
| _wpd_ai_meta_campaign_id | Facebook campaign ID | Facebook Ads profit tracking |
| _wpd_ai_google_campaign_id | Google campaign ID | Google Ads profit tracking |
Note: This data is attached to WooCommerce orders, which already contain personal data (name, email, address).
| Cookie Name | What's Stored | Duration | Personal Data? |
|---|---|---|---|
| wpd_ai_session_id | Random hash (session identifier) | 10 minutes | No |
| wpd_ai_landing_page | Landing URL | 10 minutes | No (unless URL contains PII) |
| wpd_ai_referral_source | Referrer URL | 10 minutes | No |
For privacy and security:
Form tracking security:
// Password fields explicitly filtered
var formData = $form.serializeArray().filter(function(field) {
return !field.name.toLowerCase().includes('password');
});Only form metadata is tracked (form ID, action, method) - NO field values.
This section covers GDPR compliance for website tracking. For information on how sessions and cookies work, see the Session Management guide.
Key GDPR principles relevant to analytics:
✅ GDPR-Friendly Features:
⚠️ GDPR Considerations:
It depends on your interpretation and jurisdiction:
Arguments FOR consent requirement:
Arguments AGAINST consent requirement:
Recommendation:
✅ Steps to ensure compliance:
Website Analytics
We use Alpha Insights, a first-party analytics solution, to understand how visitors use our website and improve your shopping experience. This system collects:
- Pages you visit on our website
- How long you spend on each page
- Products you view or add to your cart
- How you arrived at our site (search engines, social media, direct visits)
- Your device type, browser, and operating system
- Your IP address (for session identification)
All data is stored on our own servers and is never shared with third parties. We use this information solely to improve our website and understand which marketing channels are most effective.
We use first-party cookies with a 10-minute expiration to track your session. These cookies do not contain personal information and are used only for analytics purposes.
If you wish to opt-out of tracking, please contact us at [email] and we can exclude your user account from analytics.
We retain analytics data for [X days/months] for reporting purposes, after which it is automatically deleted. Order-related data is retained as part of our business records in accordance with legal requirements.
Current implementation:
REMOTE_ADDR, HTTP_X_FORWARDED_FOR)If you need to anonymize IPs for GDPR:
// Add to your theme's functions.php or custom plugin
add_filter('wpd_session_data_before_storage', function($session_data) {
if (isset($session_data['ip_address'])) {
// IPv4 anonymization (remove last octet)
if (strpos($session_data['ip_address'], ':') === false) {
$parts = explode('.', $session_data['ip_address']);
$parts[3] = '0';
$session_data['ip_address'] = implode('.', $parts);
}
// IPv6 anonymization (remove last 80 bits)
else {
$parts = explode(':', $session_data['ip_address']);
$session_data['ip_address'] = implode(':', array_slice($parts, 0, 2)) . '::';
}
}
return $session_data;
});Example:
Original IP: 192.168.1.100
Anonymized: 192.168.1.0
Original IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Anonymized: 2001:0db8::Trade-offs:
Protection: Prevents spam, abuse, and DDoS attacks
For complete technical details on rate limiting implementation, see the Technical Architecture guide.
Implementation:
How it works:
Request 1-60: Allowed (counter increments)
Request 61+: Blocked (returns error)
After 60s: Counter resets, requests allowed again
If repeatedly exceeded: IP banned for 24 hoursTransient keys:
wpd_ai_rate_limit_{ip_hash} - Request counter (60 sec expiry)
wpd_ai_ip_banned_{ip_hash} - IP ban flag (24 hour expiry)Automatic banning for:
Ban duration: 24 hours (automatic expiry)
During ban:
Unban options:
delete_transient('wpd_ai_ip_banned_' . md5($ip));Purpose: Prevent bot traffic from polluting analytics data
Detection method:
When bot detected:
Performance benefit: Reduces unnecessary database writes by 20-40% (depending on bot traffic)
All inputs sanitized before database insertion:
// Example sanitization
$data['session_id'] = sanitize_text_field($data['session_id']);
$data['ip_address'] = sanitize_text_field($data['ip_address']);
$data['landing_page'] = sanitize_url($data['landing_page']);
$data['referral_url'] = sanitize_url($data['referral_url']);
$data['user_id'] = (int) $data['user_id'];
$data['event_type'] = sanitize_text_field($data['event_type']);
$data['event_value'] = (float) $data['event_value'];
$data['product_id'] = (int) $data['product_id'];Additional validation:
Rejected requests:
Error codes returned:
403 Forbidden - Security validation failed400 Bad Request - Invalid data format429 Too Many Requests - Rate limit exceededREST API validation:
// Referer must match site domain
$referring_url = wp_parse_url($referer, PHP_URL_HOST);
$site_url = wp_parse_url(get_site_url(), PHP_URL_HOST);
if ($referring_url != $site_url) {
return new WP_REST_Response(['message' => '403 Forbidden'], 403);
}No authentication required WHY?
Location: Alpha Insights → Settings → General Settings → Alpha Analytics & Event Tracking
Setting: "Exclude These Roles From Tracking"
What it does:
Recommended exclusions:
Why exclude admins:
Location: Alpha Insights → Settings → General Settings → Alpha Analytics & Event Tracking
Setting: "Enable WooCommerce Event Tracking" = False
What it does:
Recommended setup:
// Automatically delete old sessions (add to cron or manual script)
function wpd_cleanup_old_sessions() {
global $wpdb;
$days_to_keep = 365; // 1 year
// Delete old session data
$wpdb->query(
$wpdb->prepare(
"DELETE FROM wp_wpd_ai_session_data
WHERE date_created_gmt < DATE_SUB(NOW(), INTERVAL %d DAY)",
$days_to_keep
)
);
// Delete events without sessions (orphaned)
$wpdb->query(
"DELETE e FROM wp_wpd_ai_events e
LEFT JOIN wp_wpd_ai_session_data s ON e.session_id = s.session_id
WHERE s.session_id IS NULL"
);
}
// Schedule monthly cleanup
if (!wp_next_scheduled('wpd_cleanup_old_sessions')) {
wp_schedule_event(time(), 'monthly', 'wpd_cleanup_old_sessions');
}
add_action('wpd_cleanup_old_sessions', 'wpd_cleanup_old_sessions');1. Access Request (What data do you have about me?):
// Find user's data by email or user_id
SELECT * FROM wp_wpd_ai_session_data
WHERE user_id = [USER_ID] OR ip_address = '[IP]'
ORDER BY date_created_gmt DESC;
SELECT * FROM wp_wpd_ai_events
WHERE user_id = [USER_ID]
ORDER BY date_created_gmt DESC;
// Check order meta for attribution data
SELECT post_id, meta_key, meta_value
FROM wp_postmeta
WHERE meta_key IN ('_wpd_ai_landing_page', '_wpd_ai_referral_source')
AND post_id IN (SELECT ID FROM wp_posts WHERE post_author = [USER_ID]);2. Deletion Request (Right to be forgotten):
// Delete user's session and event data
DELETE FROM wp_wpd_ai_session_data WHERE user_id = [USER_ID];
DELETE FROM wp_wpd_ai_events WHERE user_id = [USER_ID];
// Anonymize IP addresses in existing data
UPDATE wp_wpd_ai_session_data
SET ip_address = '0.0.0.0'
WHERE user_id = [USER_ID];
UPDATE wp_wpd_ai_events
SET ip_address = '0.0.0.0'
WHERE user_id = [USER_ID];
// Remove attribution from orders (optional - may want to keep for business records)
DELETE FROM wp_postmeta
WHERE meta_key IN ('_wpd_ai_landing_page', '_wpd_ai_referral_source')
AND post_id IN (SELECT ID FROM wp_posts WHERE post_author = [USER_ID]);Important: Consider legal requirements for retaining business records (orders, transactions) vs privacy rights.
meta_cid parameter in URLs (first-party tracking)gclid (Google's auto-tagging) or google_cidImportant: Alpha Insights is entirely separate from Facebook Pixel or Google Analytics. It doesn't send your customer data to third parties.
✅ Complete these steps for full compliance: