Skip to main content

The problem with traditional tracking

Most analytics tools rely on browser cookies to identify returning visitors. After iOS 14.5 (April 2021), Apple’s App Tracking Transparency (ATT) framework made this approach unreliable:
  • ~65% of iPhone users opt out of cross-app tracking
  • Safari deletes first-party cookies after 7 days (ITP)
  • Ad blockers block the tracking pixels entirely
  • Incognito mode clears cookies on every session
The result: platforms like Meta and Google underreport conversions by 30-60%, leading to poor ROAS data and suboptimal bidding.

How NSM works differently

NSM uses server-side first-party fingerprinting — a privacy-safe technique that identifies devices without relying on cookies.

Step 1 — Device fingerprinting

When a visitor lands on your store, the NSM tracking script collects stable browser signals across multiple categories:
Signal typeExamples
HardwareScreen resolution, CPU cores, device memory, pixel ratio
RenderingWebGL renderer, canvas fingerprint, audio context
SoftwareInstalled fonts, browser plugins, language, timezone
SystemOS platform, color depth, touch support
These signals are hashed together into a unique device fingerprint. The hash cannot be reversed to identify a person — it’s just a number that represents “this device.”

Step 2 — Identity matching

NSM’s Similarity Engine compares new fingerprints against your store’s visitor history using a weighted scoring system to determine if a new visitor has visited before. The engine is calibrated per browser type to maximize accuracy across all major environments — including Safari, Chrome, incognito sessions, and mobile browsers.

Step 3 — Attribution matching

When an order is placed, NSM:
  1. Looks up the visitor’s fingerprint to find their session history
  2. Finds the most recent ad click (gclid, fbclid, ttclid, or UTM) in their journey
  3. Applies your chosen attribution model to assign credit
  4. Writes the result to your attribution dashboard
This happens via Shopify order webhooks — server-to-server, no browser involvement.

What data is collected?

NSM is designed to minimize personal data collection. Here’s exactly what is and isn’t stored.
Data typeWhat we storeRetention
Device fingerprintSHA-256 hash (non-reversible)30 days, then deleted
IP addressCIDR /24 block hash only (not the full IP)30 days
Email addressSHA-256 hash for cross-device matchingUntil GDPR deletion request
Order dataOrder ID, revenue, channel, UTM params2 years
Raw PIINever stored

Performance impact

The tracking script is designed to have zero impact on your store’s performance:
  • Loads asynchronously — does not block page rendering
  • Served from a global CDN (Cloudflare edge nodes)
  • Size: ~8KB gzipped (smaller than a single product image)
  • Heavy signals (WebGL, audio) collected in the background after page load
  • Total fingerprinting time: well under 200ms on average
NSM respects your store’s consent settings:
  • Integrates with Shopify’s Customer Privacy API
  • Supports all major CMP platforms (Cookiebot, OneTrust, Complianz, CookieYes)
  • When a visitor declines analytics tracking, NSM stops fingerprinting immediately
  • Visitors can opt out at any time via NSM_optOut() in the browser console
See Privacy & GDPR for full compliance details.