Every visit shows a country, region, city, and ISP. Here's how we figure that out and what the limits are.
How we determine location
We look up the visitor's IP address against the MaxMind GeoLite2 database. Country accuracy is ~99%, city accuracy is ~70-80% for desktop, lower for mobile (carrier IPs are less precise).
What you'll see in reports
- Top Countries on the Summary page — flag, country name, sessions, % of total.
- Reports → Locations — countries, states/regions, cities, and ISPs, each ranked by sessions. Click into any row to drill down (where supported).
- Per-visit in the Visitor Activity log: city + region + country, plus the ISP name.
Why a visitor sometimes shows the wrong location
- VPN or proxy. If they're using a VPN, we see the VPN's exit IP — not the user's actual location.
- Mobile carrier. Cellular IPs often resolve to the carrier's regional NOC, not the actual tower the user is on.
- Corporate proxies. Big companies route traffic through central proxies, so a visitor from the Tokyo office might appear from headquarters in California.
The country is almost always right; city is best-effort.
Datacenter / VPN flagging
We separately flag visits coming from datacenter IPs (hosting providers, cloud regions, known VPN services). These visits get a "datacenter" warning icon in the visitor activity log and a slight quality-score penalty, since they're often bots or technically savvy users with unusual traffic patterns.
ISP / ASN data
We also enrich each visit with the ASN organization (e.g. "Comcast Cable Communications", "Hetzner Online GmbH", "Amazon.com Inc."). This is useful for spotting:
- Bot traffic from cloud providers (AS14618 = AWS, AS396982 = Google Cloud, AS16509 = Amazon).
- Concentrated traffic from a single ISP (could be a corporate visitor, could be an outage in their region).
- Known bad-actor ASNs — we maintain an internal blocklist that contributes to bot detection.
Privacy
We store the IP address with the session, but it's only ever shown to you (the site owner) in your visitor logs. We don't share it with third parties, sell it, or surface it on shareable reports. If a visitor opts out via ?hc_optout=1, we don't record their visit at all.