A practical, scannable checklist for churches: audit trackers on your homepage and sensitive pages, scope ad pixels off giving and prayer pages, check forms and embeds, and confirm your on-site assistant is anonymous by default.
Set aside 30 minutes, open your church website, and walk this list. Most of what you find won't be a problem you created on purpose, but you can't decide what to keep until you've looked.
When we scanned 507 church homepages in June 2026, 72% carried at least one third-party tracker, and most churches had added them without meaning to. A website builder default, an old event-promotion campaign, a volunteer who pasted in a snippet two years ago. This checklist helps you see what's on your own site and decide, page by page, what stays.
You don't need a developer for the first pass. Open a page, view the source (Cmd+U on a Mac, Ctrl+U on Windows), then use Find (Cmd/Ctrl+F) and search for a few names:
If you'd rather see it visually, open your browser's developer tools (DevTools), go to the Network tab, and reload the page. Outside domains show up in the list as the page loads.
Do this on the homepage, then do it again on your giving, prayer, contact, and any counseling pages. Inner pages often carry more than the front page. In our scan, the Facebook pixel showed up on 21.3% of homepages but on 26.8% of the giving pages we could reach.
The Facebook pixel is the one to look at hardest. It's an advertising and identity tracker, and it can report what a visitor did on a page back to Facebook, tied to that person's profile. On a sermon archive, that's ordinary web marketing. On a giving page, a prayer request form, or a counseling page, it means an outside ad company can see who came looking for help.
Presence isn't proof of misuse. But a giving or prayer page is exactly where you'd want to remove or limit that tracking. A web admin can usually take a pixel off specific pages or remove it entirely. Trackers like this are typically added in one of three places: Google Tag Manager, your website builder's "integrations" or "marketing" settings, or a script pasted into the site's header. Check all three.
Google Analytics is lower-stakes. It counts traffic and is common across the web. It's still a third party seeing your visitors, so it's worth knowing it's there, but it's not the urgent one.
Session-recording tools like Hotjar can replay what a visitor typed and clicked. About 5% of the homepages we scanned carried one. On a prayer request box or a contact form, a replay can capture something a person typed in confidence before they even hit submit. If you find session recording anywhere near a form, that's a fast candidate to take down.
While you're in there, list every third-party embed on your site: a video player, a giving widget, a calendar, a chat box, a map. Each one can load its own tracking. You don't have to rip them out. Just know what each one is and whether it belongs on a sensitive page.
Two quick ones to close out:
This is the standard we hold for the AskMyChurch assistant on your own site: it's anonymous by default. No accounts, no names, no device tracking. It builds no profile of the person asking. Care needs surface to your team as themes, never as named individuals, and it doesn't sell or broker anyone's data. If you want the longer version of how on-site assistants can quietly do the opposite, that's covered in our look at what church apps do with member data.
Run this once a year and after any website redesign or builder change, since those are the moments trackers tend to reappear. None of this requires throwing out your tools. It requires knowing what's on the page so you can choose.
Not for the first pass. Open a page, view its source with Cmd+U (Mac) or Ctrl+U (Windows), then use Find to search for names like connect.facebook.net, fbevents, hotjar, googletagmanager, and google-analytics. Check your giving, prayer, and contact pages too, since they often carry more than the homepage. You'd bring in a web admin only when it's time to remove or scope something.
Probably not on purpose. In our June 2026 scan of 507 church homepages, most trackers were added unintentionally through a website builder default or an old ad campaign. Presence isn't proof of misuse. But a giving page is exactly where you'd want to scrutinize it, because the pixel can report visitor activity back to Facebook tied to a person's profile. A web admin can remove it from that page or take it off the site.
They're usually added in one of three places: Google Tag Manager, your website builder's integrations or marketing settings, or a script pasted into the site header. Check all three. A web admin can remove a tracker entirely or scope it so it doesn't load on sensitive pages like giving, prayer, or counseling.
It's lower-stakes than an advertising pixel. Analytics counts traffic and is common across the web. It's still a third party seeing your visitors, so it's worth knowing it's there, but it isn't the urgent one. Save your attention for the Facebook pixel and any session-recording tool near a form.
A prayer or counseling question is sensitive the moment someone types it, so the assistant shouldn't build a profile of the person asking. The AskMyChurch standard is anonymous by default: no accounts, no names, no device tracking, no data sold or brokered. Care needs reach your team as themes rather than named individuals.
Updated 2026-06-26 · AskMyChurch by Vision Genesis · Knoxville, TN
See it answer — try a live demo →