Privacy
Flatlytics is built to measure websites without profiling the people who visit them. Here is what that means in plain language. The precise field-by-field breakdown lives on the data policy page.
No cookies, no cross-site tracking
The tracker sets no cookies and writes nothing to localStorage. There is no identifier that follows a person from one site to another, because none is ever created. That also means we can't show you cookie banners we don't need.
A visitor hash that rotates every day
To count unique visitors without cookies, we compute a hash from a daily-rotating secret salt, the site, the visitor's IP, and their user agent. The salt changes every day, so yesterday's hashes can't be linked to today's. There is no stable, long-lived identity to leak or subpoena.
A practical consequence: unique-visitor counts are per-day by design. Someone who visits on two different days is counted on each day. We don't reconstruct a person across days.
Raw IP addresses are never stored
Your visitor's IP is used only as an input to that daily hash, and is discarded immediately after. It is never written to our database and never appears in exports.
No self-serve visitor deletion (and why)
Because there is no stable identity beyond 24 hours, we can't offer visitor-level data deletion: there is nothing durable to look up a person by. This is a deliberate trade-off in favour of collecting less in the first place.
Where your data lives
Data is stored on our hosting provider's infrastructure in the region pinned at deployment. The exact location is stated on the data policy page, alongside the full list of fields we collect and how long we keep them.