Past Projects

A selection of recent projects - anonymised where required. The same problems show up across sectors: tracking that doesn’t reconcile, consent that quietly leaks data, ad platforms underperforming because the signal they’re getting is patchy or wrong. Here’s some of what fixing that has looked like.

GA4 & GTM Compliance Audit - 23 Findings

TIMELINE  February – March 2026

SECTOR  Ecommerce (WooCommerce)

PLATFORMS  GA4 · Google Tag Manager · WooCommerce · Consent Mode v2

  • A WooCommerce ecommerce business with active ad spend across multiple platforms wanted independent confirmation that their tracking and consent setup was actually working, and actually compliant. They suspected gaps, but couldn’t see where.

  • A full audit of the GA4 property, the GTM container and live-site tracking behaviour. Tag-by-tag review of what was firing, when, and under what consent conditions. Cookie inventory and privacy policy checked against what was actually being tracked. Ecommerce event coverage verified against real purchase flows.

    • 23 distinct issues across consent compliance, ecommerce tracking, data quality and container health

    • 3 critical GDPR risks, including third-party scripts bypassing consent management entirely, and Consent Mode misconfigured for EU and UK regions

    • The entire ecommerce purchase funnel was invisible to GA4, despite an active WooCommerce store doing real revenue

    • Tag firing order, consent gating and deduplication logic all needing attention

  • A prioritised 17-point action plan with specific technical recommendations for each finding - sorted into immediate (critical / compliance), short-term (data quality) and longer-term (optimisation) buckets. Written so the dev team could action it directly without further interpretation.

View the deliverable (anonymised)

Meta Ads → Pipedrive Lead Pipeline

TIMELINE  March 2026

SECTOR  Lead Generation

PLATFORMS  Meta Graph API · Pipedrive · Google Apps Script · Gravity Forms · Zapier

  • A client running Meta Lead Ads was losing time, and arguably losing quality leads, to a manual handover process. Submissions trickled into a spreadsheet, then got dragged into Pipedrive by hand, with full campaign context disappearing somewhere along the way. They needed leads in the CRM, attributed properly, fast.

  • A custom automated pipeline that pulls leads from Meta Lead Ad forms via the Graph API and pipes them into Pipedrive within 15 minutes of submission. Built on Google Apps Script, with authentication handled directly against Meta’s API, deduplication logic, full campaign attribution preserved (ad name, ad set, campaign), logging to Google Sheets for visibility, and onward delivery to Pipedrive via Zapier webhooks.

    A second parallel pipeline was built for Gravity Forms submissions, running through the same flow so all lead sources land in the CRM the same way.

    • Leads from Meta arriving in Pipedrive within 15 minutes, with full campaign attribution preserved

    • Gravity Forms submissions routed through the same pipeline - one consistent flow for all lead sources

    • A central Google Sheets log of every lead, deduplicated, with manual control and sync monitoring via a custom spreadsheet menu

    • A reusable architecture - other lead sources can be plugged into the same pipeline as they come up

View the deliverable (anonymised)

Google Ads Conversion & Data Audit

TIMELINE  2026

SECTOR  Local Services

PLATFORMS  Google Ads · Google Analytics · Conversion Tracking

  • A local services business with active Google Ads spend wanted an independent sanity check on their conversion tracking and account health. A focused 1-hour consultation audit - surface the biggest issues, find out whether the spend was being optimised against the right outcomes.

  • A targeted review of the account: conversion configuration, the actions Google was being asked to optimise around, campaign structure and match types, call tracking, attribution model, and the broader strategic setup (Performance Max behaviour, experiments, new-vs-returning customer signal).

    • Button clicks ("Click on Book Online") were being counted as primary conversions - so Google was optimising towards button clicks rather than completed bookings

    • Once the soft conversions were stripped out, ROAS landed around 1.0–1.5x with 5–10 meaningful conversions in 30 days, cleaner data, not worse news, and much easier to scale from

    • Phone tracking was click-to-call only, with no visibility on whether calls were actually answered or how long they lasted

    • Performance Max was running without tight conversion priorities — at risk of optimising on the wrong signals

    • No Experiments framework - every change being made blind, with no way to tell signal from noise

    • No new-vs-returning customer signal flowing back, so Google had no way of optimising for genuinely new acquisition

    • Good foundations underneath: data-driven attribution enabled, sensible match types, non-brand conversions performing

  • A prioritised set of recommendations - starting with rebuilding the conversion set so optimisation aligns with real business outcomes (completed bookings and meaningful calls), then enabling proper call tracking with duration thresholds, then bringing Performance Max under controlled experiments. Once the foundations are clean, the account becomes scalable rather than guesswork.

View the deliverable (anonymised)

Website Consent & GDPR Compliance Audit

TIMELINE February – March 2026

SECTOR Legal Services

PLATFORMS CookieYes · Google Tag Manager · GA4 · WordPress

  • A WordPress-based site running CookieYes for consent management wanted an independent audit against UK GDPR and PECR. They suspected gaps but needed certainty on where they were exposed, specifically around consent behaviour, tracking script firing, the privacy policy, and the data being collected via newsletter signup forms.

  • A full compliance audit covering five fronts: the CookieYes CMP configuration and banner behaviour, every third-party script loading on the site (tag-by-tag review of what fires and when), the privacy policy against actual data processing, the newsletter signup form against consent requirements, and the cookie inventory itself.

    Conducted in a fresh browser session with all cookies cleared, with network monitoring active before any page load, so we caught what was actually loading before the user had made a choice.

    • Critical: Multiple tracking scripts (Google Tag Manager, GA4, AddThis) were firing before consent was given. Consent Mode v2 was partially configured, the consent state flag was being passed to Google, but the scripts themselves weren't being blocked. So Google was being told "no consent" while simultaneously being sent data.

    • Critical: The CookieYes banner offered only "Accept All" and "Cookie Settings" on the initial layer, "Reject All" was buried one click deep. Direct breach of the ICO's "as easy to reject as accept" principle.

    • Critical: The newsletter signup form (collecting full name, company, position, city, email) had no consent checkbox, no link to the privacy policy, and no retention statement.

    • Google Fonts were being loaded from googleapis.com on every page, transmitting user IPs to Google. Following the 2022 Munich Regional Court ruling, this is a GDPR breach in the EU, and the ICO takes a similar position under UK GDPR.

    • Three cookies (YouTube-origin) were classified under "Others" with descriptions marked as "currently not available", undermining the validity of any consent obtained.

    • The privacy policy was dated May 2018 and hadn't been updated since, referencing EEA rather than UK post-Brexit, listing only Google Analytics generically (no mention of YouTube, AddThis, CookieYes, or reCAPTCHA), and providing no specifics on international data transfer mechanisms.

  • A prioritised report split into Immediate (Critical), Short-Term (within 30 days) and Medium-Term (within 90 days) actions. Each finding paired with a specific technical resolution, including the exact CookieYes-to-GTM consent integration steps, the Contact Form 7 [acceptance] tag syntax, self-hosting instructions for Google Fonts, and the privacy policy clauses requiring updates. Written so the WordPress developer could action it directly.

View the deliverable (anonymised)

See yourself in any of these?

Whether you’ve got an audit-shaped problem, a CRM-shaped problem, or something that doesn’t quite fit either box, get in touch. I’ll tell you honestly whether what you need is what I do.