Most site operators don't need cross-site visitor tracking. They want to know how many people read a post, where the traffic came from, which pages keep readers engaged, and whether a campaign worked. None of that requires building a persistent identity for every visitor — but Google Analytics, the default tool for the job, does exactly that, and shares the resulting profile with Google's advertising infrastructure.
The privacy-respecting analytics category exists because someone noticed the gap. You can answer "how is my site performing" without answering "who is this person and what other sites do they visit." The tools below are the serious entrants.
What Makes Analytics "Privacy-Respecting"
The marketing label is generous. Genuinely privacy-respecting analytics differ from conventional analytics in several technical ways — and whether a given product actually has these properties is worth checking, not assuming.
- No persistent visitor IDs. Conventional analytics drop a cookie that identifies the same visitor across sessions and sometimes across sites. Privacy-respecting tools either use no cookies at all, or use cookies that reset daily or are scoped to one site.
- No cross-site tracking. The provider does not aggregate data from multiple customer sites to build profiles of individuals.
- IP addresses anonymized or discarded. Either the IP is never logged, or it's used briefly to derive country/device info and then dropped.
- No data shared with ad networks. The analytics data feeds your dashboard and nothing else.
- GDPR-friendly by default. Because the tool collects no personal data, it typically doesn't need a cookie consent banner under EU law — though "typically" is doing work in that sentence; consult your DPO.
Plausible: The Reference Implementation
Plausible Analytics is the closest thing the category has to a reference design. The company is based in Estonia, the product is open source (AGPL), the server backend is Elixir, and the data is stored in ClickHouse. A site embeds a small (~1 KB) JavaScript snippet; the script sends a single POST per page view containing the URL, referrer, screen size, and a few derived fields. No cookies are used at all.
Unique-visitor counting is done with a daily-rotating hash of (IP address, user agent, domain, salt). The salt rotates every 24 hours, which means the same visitor on the same site appears as the same hash within a day, but as a different hash the next day, and as a different hash on a different site even on the same day. The IP address is never stored; the hash is.
This is a defensible design. The hash provides enough continuity for "unique daily visitors" math to work without storing any value that links back to a specific person. It does mean Plausible can't tell you "how many of yesterday's visitors came back today" — that question is unanswerable under their data model. For most site operators, that's a feature.
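The daily-rotating hash described above, sketched as an added Python example (not Plausible's code). HMAC-SHA256, the in-memory salt store, the 16-character truncation and the sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

class DailySaltStore:
    """Keeps only the current day's random salt (assumes events arrive in date order)."""
    def __init__(self):
        self._day, self._salt = None, b""

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation overwrites the old salt, so yesterday's hashes cannot be
            # recomputed later, even from a known IP and user agent.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

def visitor_id(salt: bytes, domain: str, ip: str, user_agent: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                   for f in (domain, ip, user_agent))
    # HMAC-SHA256 is this example's choice of keyed hash, not the product's.
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]

def count_uniques(events, store: DailySaltStore) -> dict:
    """events: (day, domain, ip, user_agent) tuples -> {(day, domain): unique visitors}."""
    seen = {}
    for day, domain, ip, ua in events:
        vid = visitor_id(store.salt_for(day), domain, ip, ua)
        seen.setdefault((day, domain), set()).add(vid)  # the IP is not retained
    return {key: len(ids) for key, ids in seen.items()}

# Constructed sample traffic (documentation IP ranges, made-up user agents).
D1, D2 = date(2024, 1, 1), date(2024, 1, 2)
EVENTS = [
    (D1, "a.example", "203.0.113.7", "UA-1"),
    (D1, "a.example", "203.0.113.7", "UA-1"),   # same visitor, second page view
    (D1, "a.example", "198.51.100.9", "UA-2"),
    (D1, "b.example", "203.0.113.7", "UA-1"),   # same person, different site
    (D2, "a.example", "203.0.113.7", "UA-1"),   # same person, next day
]

if __name__ == "__main__":
    for key, n in count_uniques(EVENTS, DailySaltStore()).items():
        print(key, n)
```

Because the ID for the same visitor differs between the two days and between the two sites, no join across days or domains can recover a returning-visitor count from the stored hashes.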
Fathom: The Polished Alternative
Fathom Analytics, based in Canada, takes a similar approach with somewhat more polish on the dashboard and a bit more marketing focus on "you can use this in the EU without a cookie banner." The technical approach is similar: no persistent cookies, hashed visitor identifiers that rotate, IP addresses processed in memory and discarded.
Fathom is closed-source — a fact worth noting in a category where Plausible, Umami, and others are open. The team has been around longer than most competitors and has a public track record of policy commitments (no data sales, no third-party trackers in their own dashboard). For users who value polish and don't need to inspect the server code, it's a reasonable choice. For users who want to self-host or audit the implementation, it isn't.
Umami: Self-Hosted, Open Source
Umami is fully open source (MIT) and self-host-first. You run it on your own infrastructure — a small VPS, a Postgres or MySQL database, a Docker container — and the analytics data never leaves a machine you control. The hosted version exists but it's secondary to the self-hosted use case.
The data model is similar to Plausible's: anonymized identifiers via hashing, no persistent cookies, no cross-site aggregation. Because you control the server, you also control what's logged and how long it's retained. Compliance questions are answered by your infrastructure choices rather than a third party's privacy policy.
Self-hosting has real costs: a database to back up, security patches to apply, a TLS certificate to renew. For an indie blog these can be unwelcome overhead; for a privacy-focused organization that already runs infrastructure, they're trivial.
GoatCounter: The Minimal Option
GoatCounter is the most minimalist of the four. It is written in Go, ships as a single binary, and can run with SQLite. The hosted service is free for non-commercial use; self-hosting takes minutes. The data captured is exactly what the dashboard displays: page views, referrers, screen sizes, paths, and country derived from IP. No cookies, no fingerprinting, no cross-site anything.
It's also the smallest in terms of feature set. There's no funnel analysis, no goal tracking comparable to Plausible's, no team collaboration features. For a personal site or a small project that just wants to know what gets read, it's an excellent fit. For a marketing team running attribution reporting, it's underfeatured.
How They Compare
| Tool | License | Self-host? | Best for |
|---|---|---|---|
| Plausible | AGPL | Yes (or hosted) | Most general-purpose; well-balanced |
| Fathom | Proprietary | Hosted only | Polished hosted experience |
| Umami | MIT | Self-host primary | Full control, infrastructure-savvy users |
| GoatCounter | European Union Public Licence | Yes (or hosted free for non-commercial) | Personal sites, minimal needs |
What These Tools Don't Replace
Privacy-respecting analytics replace surveillance-based page view analytics. They do not replace tools designed for individual user tracking — heatmaps, session replay, conversion funnels with cross-session attribution. Those tools require visitor identity by their nature. If you need them, you're outside this category.
The honest framing: privacy-respecting analytics give you aggregate behavioral data. Marketing teams accustomed to "this specific user did X and then Y" reporting will find the limitations real. Most content sites, blogs, documentation portals, and product marketing pages do not actually need that level of granularity — they just inherited the assumption from a decade of Google Analytics being the default.
The Compliance Angle
Under GDPR, analytics tools that don't collect personal data don't trigger the consent banner requirement. This is the most-cited business reason for switching, not because compliance is the point, but because "no cookie banner needed" is a tangible product outcome with measurable conversion benefit. Sites that previously dropped a Google Analytics cookie before consent were almost certainly out of compliance with EU rules; the migration brings them onside while also being faster, more readable, and less complicit in the broader surveillance economy.
Several European data-protection authorities have ruled Google Analytics specifically non-compliant under the GDPR (Austrian DPA in 2022, French CNIL in 2022, Italian Garante in 2022). The argument turns on data transfers to the US and the lack of safeguards against US government access. Privacy-respecting alternatives sidestep this question entirely by either being EU-hosted or being self-hosted.
What Haven Uses
For full transparency: our public site uses self-hosted Umami, configured to retain aggregate data only. We need to know which blog posts people read and where readers come from. We do not need to know who any individual reader is, and we'd rather not have that data even if we could collect it — every piece of data we don't have is a piece of data we can't lose to a breach, hand over under subpoena, or accidentally leak.
That posture is consistent with the broader thinking behind the product: data you don't collect is data you don't have to protect. Analytics is a small instance of a general principle, but it's the most visible one on a marketing site, and getting it right matters.