Engineering
May 07, 2026
10 Min Read

God Mode Telemetry: De-anonymizing Behavioral Data

Building a compliant, global interaction tracker using sendBeacon, JWT local storage extraction, and precise payload sanitization.

Observability
Compliance

The Limits of Google Analytics

Standard web analytics platforms provide high-level averages: bounce rates, page views, and generic geographic data. For an enterprise platform like Effective Solutions, averages are useless. We needed to know exactly which authenticated users were reading specific API documentation, how far they were scrolling through our legal playbooks, and how they were swiping on mobile interfaces.

We needed "God Mode" visibility, but it had to remain strictly within SOC2 data compliance boundaries.

The Global Telemetry Beacon

We architected a custom component injected natively into the Next.js 15 RootLayout. Unlike traditional useEffect fetch calls that are easily cancelled if a user rapidly closes a tab, our engine relies on the browser's native navigator.sendBeacon() API. This guarantees that the final interaction payload is reliably dispatched to our ingestion endpoints even during the browser's unload event lifecycle.

High-Fidelity Interaction Tracking

Our beacon tracks granular interactions:

  • Dwell Time: Calculated via performance.now() deltas.
  • Scroll Depth: Continuously tracking the window.scrollY ratio against the document height.
  • Swipe Gestures: By binding touchstart and touchend event listeners, we calculate the X/Y pixel deltas to determine intentional swipe interactions on mobile carousels.

JWT De-anonymization

The true power of this system is identity resolution. Rather than relying on anonymous browser cookies, the beacon actively scans the browser's localStorage for platform-specific authentication tokens (acm_access_token, dau_token).

If a token is detected, a lightweight client-side JWT decoder extracts the user's UUID (sub) and binds it to the telemetry payload. When a user transitions from the public marketing site to an authenticated portal, their anonymous session is instantly "De-anonymized." The Growth Terminal System (GTS) Admin dashboard now correlates every marketing page visited with a specific enterprise lead.

Strict SOC2 Sanitization

With great visibility comes immense compliance risk. If a user visits a password reset URL containing a secure token (?token=xyz), recording that URL in our telemetry database would constitute a catastrophic PII leak.

To enforce SOC2 compliance, the beacon executes a strict sanitization protocol on the client side:

typescript
const rawUrl = new URL(window.location.href);
rawUrl.search = ''; // Strip all query parameters
rawUrl.hash = ''; // Strip all fragment identifiers
const sanitizedUrl = rawUrl.toString();

By aggressively stripping query parameters and hashes before the payload ever hits the network wire, we guarantee that no sensitive session data, search terms, or PII can ever pollute our telemetry ledger. We achieved "God Mode" visibility without sacrificing a single byte of security.
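The identity-resolution and sanitization steps described above, combined into one payload builder as an added example; this is not the platform's own code. It goes slightly beyond the article's snippet by also clearing `user:pass@` credentials from the URL. The function names, the `dwellMs` field and the sample token are assumptions; only the two storage keys come from the article.

```typescript
// Names below are assumptions for this example, except the two storage keys.
const TOKEN_KEYS = ["acm_access_token", "dau_token"];
// Constructed sample token (payload {"sub":"u-123"}, dummy signature).
const SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1LTEyMyJ9.c2ln";

interface BeaconPayload {
  url: string;
  userId: string | null; // unverified claim: this code does not check the signature
  dwellMs: number;
}

// Strip query and fragment as in the article, plus user:pass@ credentials.
function sanitizeUrl(href: string): string {
  const u = new URL(href);
  u.search = "";
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.toString();
}

// Return the `sub` claim of a JWT, or null for anything malformed.
function extractSub(token: string | null): string | null {
  if (!token) return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    const claims = JSON.parse(atob(padded));
    return typeof claims.sub === "string" ? claims.sub : null;
  } catch {
    return null; // bad base64 or JSON: the session stays anonymous
  }
}

// `read` stands in for localStorage.getItem so this runs outside a browser.
function buildPayload(href: string, read: (key: string) => string | null, dwellMs: number): BeaconPayload {
  let userId: string | null = null;
  for (const key of TOKEN_KEYS) {
    userId = extractSub(read(key));
    if (userId) break;
  }
  // Only the sub is copied; the bearer token itself never enters the payload.
  return { url: sanitizeUrl(href), userId, dwellMs };
}
```

Because the `sub` is decoded without signature verification, the ingestion endpoint should treat `userId` as a client-asserted value. Path segments are left untouched, so a secret embedded in the path rather than the query string would still be recorded.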
