Appearance
Privacy
Krafter Analytics is built with privacy as a core design principle, not an afterthought. No cookies, no fingerprinting, no personal data stored. This page explains exactly how visitor privacy is protected.
No Cookies
Krafter Analytics does not set, read, or require any cookies. There are no first-party cookies, no third-party cookies, and no tracking cookies of any kind. Because no cookies are used, no cookie consent banner is needed.
No Fingerprinting
The tracker does not collect or combine browser attributes for fingerprinting. There is no canvas fingerprinting, no WebGL fingerprinting, no font enumeration, and no audio context fingerprinting.
Visitor Identification
Visitor identification uses a SHA-256 hash of three inputs:
- The visitor's IP address
- The visitor's User-Agent string
- A daily rotating salt generated by the server
visitor_id = SHA-256(ip + user_agent + daily_salt)INFO
The daily salt rotates at midnight UTC. This means the same visitor gets a new hash every day, making it impossible to track individuals across days. Yesterday's visitor cannot be linked to today's visitor.
This approach provides accurate same-day unique visitor counts without storing any personally identifiable information (PII).
No PII Stored
The analytics database stores only aggregated and anonymized data:
- No IP addresses
- No User-Agent strings (only parsed device/browser/OS labels)
- No visitor IDs persisted beyond the daily aggregation window
- No email addresses, names, or account identifiers
Data is stored in ClickHouse with privacy-safe aggregation, ensuring that raw visitor data cannot be reconstructed.
Do Not Track
Krafter Analytics respects navigator.doNotTrack. If a visitor has enabled the Do Not Track setting in their browser, the tracker script will not collect or send any data. The script checks this setting on every page load.
WARNING
Do Not Track is a browser-level setting. Visitors who enable it will not appear in your analytics at all. This is by design.
No Cross-Site Tracking
Each site key is scoped to a single domain. Visitor hashes are domain-specific, meaning the same visitor on two different sites tracked by Krafter Analytics cannot be correlated across sites.
Bot Detection
The tracker includes built-in bot detection that filters out:
- Common web crawlers and search engine bots
- Monitoring services and uptime checkers
- Headless browsers and automated tools
- Known bot User-Agent patterns
Bot traffic is discarded before it reaches the analytics database, keeping your data clean and accurate.
Host Validation
The tracking endpoint validates the Origin or Referer header against the domain registered for each site key. Tracking requests from unauthorized domains are rejected. This prevents third parties from injecting fake data into your analytics.
GDPR Compliance
Krafter Analytics is GDPR compliant by design:
| GDPR Requirement | How We Comply |
|---|---|
| Lawful basis | Legitimate interest -- no PII collected |
| Data minimization | Only page URL, referrer, screen width, and parsed device info stored |
| Storage limitation | Daily salt rotation prevents long-term visitor tracking |
| No consent required | No cookies or persistent identifiers used |
| Right to erasure | No PII exists to erase |
| Data portability | Aggregate data can be exported via the Stats API |
TIP
Because Krafter Analytics does not process personal data as defined by GDPR, you do not need to add it to your privacy policy's cookie section or show a consent dialog. You may still wish to mention its use in your privacy policy for transparency.
Summary
| Feature | Status |
|---|---|
| Cookies | None |
| Fingerprinting | None |
| PII storage | None |
| Cross-site tracking | Not possible |
| Do Not Track | Respected |
| Bot filtering | Active |
| Host validation | Active |
| GDPR consent needed | No |
Next Steps
- Quickstart -- get started with Krafter Analytics
- Tracker reference -- see what data the tracker collects
- Stats API -- query your aggregated analytics data