Privacy-friendly analytics checklist

Last updated 2026-04-28

If you run a website, you need to know what your analytics tool is doing with visitor data. This is a quick audit checklist — works whether you use HitCounters, GA4, Plausible, Fathom, Statcounter, or anything else.

For each item, mark ✅ yes, ❌ no, or ❓ not sure. The more items you can answer "yes" to, the better off you (and your visitors) are.

Data collection

  • ☐ I know which fields my analytics tool collects (IP, user-agent, referrer, page URL, etc.).
  • ☐ My analytics tool does not collect personally identifiable information (real names, emails, phone numbers) from URLs or page content.
  • ☐ Visitor IPs are not stored, are anonymized, or are stored only for the site owner's view (not shared with third parties).
  • ☐ The tool documents what data is collected and where it's stored.

Cookies and storage

  • ☐ I know whether my analytics tool sets cookies.
  • ☐ If it does set cookies, I know whether they're first-party only (scoped to my domain) or third-party (shared across sites).
  • ☐ I have a privacy policy entry for any cookies the analytics tool sets.
  • ☐ If my analytics tool requires a cookie banner, I have one in place.
  • ☐ If my analytics tool does not require a cookie banner (e.g. uses no cookies, or only first-party non-tracking cookies), I've confirmed this with the tool's documentation.

Cross-site tracking

  • ☐ My analytics tool does not use shared third-party identifiers across multiple sites.
  • ☐ My analytics tool does not sync data with advertising networks.
  • ☐ My analytics tool does not participate in fingerprinting that could re-identify visitors across sites.

Visitor controls

  • ☐ Visitors can opt out of analytics via a documented mechanism (URL flag, browser setting, account toggle).
  • ☐ My analytics tool respects Do Not Track or Global Privacy Control headers (or has a clear policy that it doesn't).
  • ☐ My privacy policy tells visitors how to opt out.

Data location and retention

  • ☐ I know where my analytics data is stored geographically (US, EU, etc.).
  • ☐ For EU visitors: my analytics tool either stores data in the EU or has a valid Data Processing Agreement (DPA) and Standard Contractual Clauses for transfers.
  • ☐ I know how long raw visitor data is retained.
  • ☐ I have a way to delete a specific visitor's data on request (right to be forgotten).

Disclosure and consent

  • ☐ My privacy policy names the analytics tool I use.
  • ☐ My privacy policy explains what data is collected and why.
  • ☐ My privacy policy includes a last-updated date and is reviewed at least once a year.
  • ☐ For California visitors (CCPA): I have a "Do Not Sell My Personal Information" link if my analytics tool's data flows could be considered a sale.

Site-owner privacy

  • ☐ I can exclude my own visits from my own analytics (so my testing doesn't inflate stats).
  • ☐ I can exclude team members or staff who shouldn't be counted as visitors.
  • ☐ My analytics dashboard requires authentication (no public-by-default exposure of visitor logs).
  • ☐ If I share reports with clients, the shared view does not leak raw visitor IPs or per-session detail.

Operations

  • ☐ My tracking script is loaded over HTTPS on every page.
  • ☐ My tracking script is async and doesn't block page rendering.
  • ☐ My Content Security Policy (if any) explicitly allows the analytics domain.
  • ☐ I have a way to verify the tracker is installed on every page that should have it.
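
One way to check the Operations items automatically for a single page: the sketch below is an added example, not HitCounters code or any vendor's tool. It assumes a placeholder tracker host `tracker.example`, hypothetical function names, and constructed sample input; it reports a missing tracker, a non-HTTPS or render-blocking script tag, and a Content Security Policy that would block the tracker.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_HOST = "tracker.example"  # assumption: placeholder analytics host
# Constructed sample input: protocol-relative, blocking tag and a CSP without the tracker.
SAMPLE_PAGE = '<script src="//tracker.example/t.js"></script>'
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example"


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.scripts.append(dict(attrs))


def csp_allows(csp, host):
    """True if the directive governing <script> elements permits https://host."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])  # first duplicate wins
    order = ("script-src-elem", "script-src", "default-src")
    name = next((n for n in order if n in directives), None)
    if name is None:
        return True  # nothing restricts script loading
    for src in directives[name]:
        pattern = src.split("://", 1)[-1].split("/", 1)[0]  # drop scheme and path
        wildcard = pattern.startswith("*.") and host.endswith(pattern[1:])
        if src in ("*", "https:") or pattern == host or wildcard:
            return True
    return False


def audit_page(html, csp=None, host=TRACKER_HOST):
    """Return a list of findings; an empty list means the page passes."""
    collector = ScriptCollector()
    collector.feed(html)
    tags = [s for s in collector.scripts if urlparse(s["src"]).hostname == host]
    if not tags:
        return ["tracker script not found"]
    findings = []
    for tag in tags:
        if urlparse(tag["src"]).scheme != "https":
            findings.append("tracker not loaded over explicit https")
        if "async" not in tag and "defer" not in tag:  # defer is also non-blocking
            findings.append("tracker script blocks rendering")
    if csp is not None and not csp_allows(csp, host):
        findings.append("CSP does not allow the tracker host")
    return findings
```

Run `audit_page` over the HTML and the `Content-Security-Policy` response header of each URL in your sitemap; port numbers in CSP sources and policies delivered via `<meta>` tags are not handled here.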

How HitCounters scores

If you're using HitCounters, here's how it does on this list out of the box:

  • ✅ Collected fields are documented in our privacy policy.
  • ✅ No personally identifiable info collected from URLs (we strip query strings on entry pages where you ask).
  • No cookies on tracked sites — we use scoped first-party localStorage.
  • ✅ No third-party identifiers, no advertising sync, no cross-site tracking.
  • ✅ Visitor opt-out via ?hc_optout=1 URL flag (sticky per browser).
  • ✅ Site-owner own-visit exclusion via IP block + per-device flag (guide).
  • ✅ Authenticated dashboard. Shareable reports are aggregate-only — no raw visitor logs leak.
  • ✅ HTTPS-only async tracker, <25 KB.
  • ✅ Verify-installation flow built in.

Where we're still working: EU data residency (currently US-hosted), DNT/GPC header support, in-dashboard CCPA "Do Not Sell" toggle. These are on the roadmap.
