impact.com Customer Email Hashing Explained

impact.com applies an HMAC, a keyed hash, to user identifiers you send us to safeguard your customers' personal information and prevent fraudulent network use. This hash is applied even when the data you send us is already encrypted.

Where does the hashing apply?

Additional HMAC hashing is applied to values you send us in the following fields.

| Method | Field |
| --- | --- |
| UTT | customerEmail |
| Conversions API | customerEmail |
| Advocate REST API and GraphQL | userId and accountId |

Note: If you have an Advocate program and want to use custom, non-email identifiers, then you can request that additional hashing be turned off. However, turning it off will result in reduced functionality for your program. Reach out to our support team if you have any questions.

How does this affect data I send to impact.com?

The additional hashing doesn't affect your implementation with impact.com. However, keep in mind the following when calling endpoints:

  • For GET endpoints, the response will include the HMAC-hashed value for customerEmail, userId and accountId instead of the value you originally sent us.
  • For creation and retrieval endpoints, including upsert and lookup actions, you can send any of the following values for the fields:
    • The original ID value you sent us, e.g., the customer's raw email address
    • The SHA-1 hashed value
    • The HMAC value