Export Allowlist
Control exactly which event types can be sent to ad platforms in HIPAA mode
In Healthcare Mode, Atribu uses an allowlist — not a blocklist — to control which conversion events are sent to ad platforms. If an event type is not on the allowlist, it is blocked from export. Period.
Why allowlist, not blocklist
A blocklist says "send everything except these." An allowlist says "send nothing except these." For healthcare data, the allowlist model is the only safe approach because:
- New event types are blocked by default until explicitly reviewed
- You cannot accidentally expose PHI by forgetting to add something to a blocklist
- The mental model is simple: if you didn't check it, it doesn't go out
Blocklist fields are hidden in HIPAA mode
When Healthcare Mode is active, the blocklist fields (event path blocklist, parameter blocklist) are completely hidden from the UI. They are mutually exclusive with the allowlist — you cannot have both.
Default allowlist
When you first enable HIPAA mode, two event types are pre-approved:
| Event Type | Why It's Safe |
|---|---|
| Payment Received | Revenue data with hashed identifiers. No health condition information in the payload. |
| Lead Created | Contact submission with hashed email/phone. PII is stripped; no diagnosis or treatment context. |
Everything else — including appointment_booked, closed_won, checkout_started, order_placed, and any custom events — is blocked by default.
Configuring the allowlist
- Go to Conversion Sync > Privacy & Compliance
- In Healthcare Mode, the allowlist section shows checkboxes for each conversion definition
- Check the event types you want to allow for export
- Uncheck any you want to block
- Click Save
Each checkbox corresponds to a conversion_key in your profile's conversion definitions. The allowlist is stored in privacy_config.healthcare_export_allowlist.
What happens to blocked events
Blocked events are:
- Still stored internally — attribution, dashboards, and reports are unaffected
- Recorded in the export ledger — with status skipped and reason healthcare_allowlist_blocked
- Visible in the Conversion Sync feed — you can see exactly which events were blocked and why
- Not sent to any ad platform — Meta, Google Ads, or any future destination
Pipeline stage transitions
Pipeline stage transitions (CRM pipeline changes like "Qualified" or "Booked") are always blocked in Healthcare Mode, regardless of the allowlist. They cannot be checked or unchecked.
Why: Stage transitions often contain pipeline names, deal descriptions, or stage labels that could reveal health conditions (e.g., "Dental Implant Consultation — Qualified").
Per-event-type review guide
Before adding an event type to the allowlist, ask:
| Question | If Yes... |
|---|---|
| Could the event name or payload reveal a health condition? | Do not add to allowlist |
| Does the event include free-text fields (notes, descriptions)? | Do not add to allowlist |
| Does the event include appointment type or service name? | Do not add — may reveal treatment |
| Is the event purely financial (amount + currency)? | Generally safe to add |
| Is the event a simple form submission (email/phone only)? | Generally safe — PII is hashed before export |
Interplay with PII stripping
Even for events on the allowlist, Healthcare Mode still strips:
- Client IP address
- User agent string
- HTTP referrer
- Page title
- External IDs (fbclid, gclid, fbc, fbp)
- URL path (reduced to origin only)
Healthcare Mode also injects Meta LDU (Limited Data Use) flags into these events.
The allowlist controls which event types go out. PII stripping controls what fields are in those events. Both layers work together.
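The two layers can be sketched as a single export decision. This is an added example, not Atribu's code: the payload field names, the conversion_key spellings payment_received and lead_created, the is_stage_transition marker, the sent status and the limited_data_use field are assumptions, and identifier hashing is left out.

```python
from urllib.parse import urlsplit

# Assumed conversion_key spellings for the two pre-approved event types.
DEFAULT_ALLOWLIST = {"payment_received", "lead_created"}
# Hypothetical payload key names for the fields Healthcare Mode strips.
STRIPPED_FIELDS = {"client_ip", "user_agent", "referrer", "page_title",
                   "fbclid", "gclid", "fbc", "fbp"}


def export_decision(event, privacy_config):
    """Return (ledger_entry, payload); payload is None when export is blocked."""
    allowlist = set(privacy_config.get("healthcare_export_allowlist",
                                       DEFAULT_ALLOWLIST))
    key = event.get("conversion_key")
    # Layer 1: default deny. Stage transitions are blocked whatever the
    # allowlist says (the page gives no ledger reason for them; reusing the
    # allowlist reason here is an assumption).
    if event.get("is_stage_transition") or key not in allowlist:
        return {"conversion_key": key, "status": "skipped",
                "reason": "healthcare_allowlist_blocked"}, None
    # Layer 2: field stripping still applies to allowlisted events.
    payload = {k: v for k, v in event.items()
               if k not in STRIPPED_FIELDS and k != "is_stage_transition"}
    if "url" in payload:
        parts = urlsplit(payload["url"])
        payload["url"] = f"{parts.scheme}://{parts.netloc}"  # origin only
    payload["limited_data_use"] = True  # stand-in for the Meta LDU flags
    return {"conversion_key": key, "status": "sent"}, payload


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"conversion_key": "payment_received", "amount": 120.0, "currency": "USD",
     "client_ip": "203.0.113.7", "gclid": "constructed-click-id",
     "url": "https://clinic.example/checkout/implants?step=2"},
    {"conversion_key": "appointment_booked", "page_title": "Book a consultation"},
    {"conversion_key": "payment_received", "is_stage_transition": True},
]

if __name__ == "__main__":
    config = {"healthcare_export_allowlist": ["payment_received", "lead_created"]}
    for sample in SAMPLE_EVENTS:
        print(export_decision(sample, config))
```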