The market for Google Analytics alternatives is crowded. There's Plausible, Ahrefs web analytics, onedollarstats.com, PostHog, Matomo, Unami, Grafana, Microsoft Clarity (free at any scale), and so many others. Despite minor differences these products all compete for the same users (e.g. if someone is a PostHog customer they probably won't be using Ahref web analytics) yet most of these companies offer generous free tiers while rybbit only a free trial.
How do products like rybbit.io stay competitive without a similar free tier or major differentiation? Is rybbit generating revenue for its hosted plan?
As a founder in this space, it not as bad as you think. There are niches in this crowded yet broad space.
Plausible - good for self-hosting, but their SaaS is very expensive and FOSS vs SaaS offering differ.
Ahrefs - they will use your traffic to improve your competitor research, you really should use them cautiously.
Matomo - feature rich but can be overwhelming.
Posthog - its SaaS is US based so dismissed early by EU customers.
Clarity, like GA has serious privacy issues.
Our product, Wide Angle Analytics, has its own gotchas compared to competitors - its opinionated and there are folks who do not agree with our opinions, but the landscape of websites is so vast that you find your client nevertheless.
That said, we are still in business after 4 years, and we saw few competitors disappear or get acquired and extinguished.
So, all the best to the OP. Hope you find your niche :)
It is US company. Does not matter where server resides. If server is in EU but under US jurisdiction (US company) that can be (needs checking) treated as International Data Transfer.
What's your sales strategy? Is cold calling companies with google analytics installed on their websites more effective than the blog? Have you been able to retain Next.js users after Vercel released Web Analytics?
This is pretty spot on. There's a couple of dimensions the major players sit on, and there's enough combinations that there's plenty of space for smaller players to survive in.
I'm not super familiar with all of these products, so some of these ratings will be based on vibes
1-----------------10
OSS <-> Proprietary
Small business <-> Enterprise
Simplicity <-> Complexity
Web analytics <-> Product analytics
Privacy <-> No privacy
# Rybbit (me) - just launched $0
OSS/Proprietary - 2
I use AGPL 3.0 which isn't as permissive as MIT
Small business/Enterprise - 5
I definitely want enterprises to use Rybbit, but it's hard to target them at this stage
Simplicity/Complexity - 6.5
I think Rybbit is going to end up as one of the more feature-rich OS analytics tools, but I hope it stays easy to use (famous last words)
Web analytics/Product analytics - 4
Want to target both eventually, but my product analytics is weaker relatively
Privacy/No privacy - 3
Can be as GDPR compliant as others, but can also be configured to be a bit more invasive
# Posthog - ~15M ARR
OSS/Proprietary - 4
Have a bunch of enterprise licensed parts of their repo and they tell people in their docs to not self-host it because it's too difficult.
Small business/Enterprise - 8
Seems like they hook startups in with generous free tiers and then milk the unicorns that come out
Simplicity/Complexity - 10
The scope of Posthog is awe inspiring. They are literally 10 startups in 1
Web analytics/Product analytics - 8
I believe product analytics was their first feature
Privacy/No privacy - 7
I think they use cookies?
# Google Analytics
OSS/Proprietary - 10
Small business/Enterprise - 9
Free for everyone but it's clear they don't care about regular users that want to track their small site
Simplicity/Complexity - 8
If there was a dimension for usability it would be 11/10 totally unusable
Web analytics/Product analytics - 6
Not too sure about this one
Privacy/No privacy - 9
i mean it's google
# Mixpanel - $200m ARR
I'm the least familiar with this one
OSS/Proprietary - 9
Small business/Enterprise - 8
Simplicity/Complexity - 8
Web analytics/Product analytics - 9
Privacy/No privacy - 7
# Umami - unknown ARR (maybe 500K?)
OSS/Proprietary - 1
MIT license, no enterprise only features from what I see
Small business/Enterprise - 5
Seem to have some big names on their site
Simplicity/Complexity - 4
Web analytics/Product analytics - 5
Privacy/No privacy - 5
They claim GDPR compliance but I've self hosted it and they clearly fingerprint users without any obvious opt out.
# Plausible - ~2m ARR
OSS/Proprietary - 4
AGPL v3 and some a some enterprise features the community version doesn't have. Also they use Elixir so i doubt anyone actually reads it/s
Small business/Enterprise - 6
Have to be selling to enterprises with that ARR
Simplicity/Complexity - 3
Tool is very simple at the surface, but there's a lot of config options under the hood
Web analytics/Product analytics - 3
Mostly just web analytics
Privacy/No privacy - 2
This is a big focus for them
# Simple Analytics ~500k ARR
OSS/Proprietary - 8
Closed source, but they are an open startup that shares their financials
Small business/Enterprise - 3
They show some big names, but the creator is an indie hacker
Simplicity/Complexity - 2
Self explanatory
Web analytics/Product analytics - 2
Privacy/No privacy - 2
Very GDPR compliance focused
If this was a multi-dimensional vector, I'm trying to fill the space between something like Posthog and Plausible, where we are as open source as either of them and fill the missing space between extreme simplicity and extreme complexity.
Is it possible to use it server-side only, with no JavaScript required? I currently use Umami like that - it has an API, so I can send it page view events and custom events from server-side code. That means analytics can't be disabled by uBlock or the like, or by disabling JavaScript.
I also have my own analytics service on serverside, and it is sooo vastly different from the client-side analytics. The client side only sees ~5-10% of what I see on the server side -- even after filtering out bots and the like.
An EU server isn't enough. Those EU servers should be operated and maintained by an EU subsidy that licenses the tech from the US company. In other words, even if the US company wanted the data served by the EU company, they couldn't get to it.
It would be quite funny to reply to an NSA request by saying "Oh yeah, I have that data and can access it but its on a server in the EU. I can get it, but I won't."
I genuinely don't know how they would proceed, but it'd be interesting to watch.
Member states have spy agencies, but they also signed treaties to join the EU. Having your spy agency violate international treaties isn’t something most governments allow.
If the company or individual is in a country, expect they can be compelled to hand over everything in their possession by a court order (or it can be siezed).
If the information is stored in a country, expect that the owner of the information can be compelled to hand it over by a court order (or it can be seized).
Well the EU absolutely could do the same thing. If an EU-based company had servers in the US, I would expect the EU could compel them to hand over data despite where the data is stored.
I misspoke there, I was meaning Europe and shouldn't have put EU.
Agreed, the union doesn't have any enforcement mechanism I'm aware of that would fit, but any country in Europe could do a similar thing to companies based in their borders.
Builder of rybbit here - I will probably add a free tier in the following weeks. I didn't was because I was scared of being overloaded by an influx of free users, but that doesn't scare me anymore.
I started working on this 4 months ago and only publicly launched a few days ago.
As for monetization, I have no idea yet. I'm happy to collect stars for the time being. What do you think I should do?
Not sure, but I'm definitely interested in following your business and seeing what your strategy will become because I was building something similar but when larger teams starting releasing free solutions I couldn't think of a way to compete. Best of luck.
> if someone is a PostHog customer they probably won't be using Ahref web analytics
It's (un)surprisingly common to end up with multiple website analytics products on the same site; marketing wants these two, another department wants another. When I had ghostery show the list of things it was blocking I often saw multiple, overlapping-feature-set analytics integrations being blocked on the same site.
I've seen companies from the inside where those 15+ trackers were all added by one person in the span of a week.
I've also seen those trackers be added by someone who exits the organization a month later there by blessing the trackers with a protection spell making their removal unlikely for fear of breaking some metric pipeline somewhere.
You would be surprised how many companies do in fact use multiple analytics services.
Only one tool will be a 'source of truth' but a company using a combination of something like GA4 (Business source of truth), Mixpanel (product insights), and Clarity (Landing page analysis) is not unheard of.
The types of companies that use multiple services are also the types of companies that are likely spending $1,000s per month as well, so overall quite a profitable industry for many companies to operate in.
That’s a fair point — the analytics space is definitely saturated, especially on the privacy-first, open-source end. Without a standout feature or a compelling free tier, it's tough to draw developers away from proven tools like Plausible or PostHog.
I wonder if Rybbit is betting more on UX simplicity or niche use cases (e.g. very lightweight deployments, self-hosting ease, etc.). Has anyone here actually tried it? Curious how it stacks up in terms of setup time, dashboard clarity, and tracking depth.
PostHog and Plausible are both open source and not backed by big corporations but if sharing data to third parties and being open source is a concern (which seems to be the selling point rybbit.io is targeting) I would expect users to self host instead of paying for a hosted plan anyways?
Potentially yes, but depends very much on the privacy policy and data handling promises being made.
I think the instinct to distrust big companies is at least partly because many of them have already proven not to be good stewards of data which when combined with their scale has more worrisome implications.
With a smaller/newer player, at least there’s some hope that they’re not capable of the same harms at a smaller scale, and in some cases may market themselves specifically as a more private alternative.
Whether or not this turns out to be true in practice and over the long run is another thing.
Hope ain't the same thing as trust, though. A small player would need to make a pretty significant effort to suggest they wouldn't abuse your usage-patterns.
Posthog is pretty good but very pushy towards using their SaaS (understandably). Self hosting is not really advertised on their main site however is buried in their gh repo as a footnote [1] with indications of vague issues past 100K events/month. Haven’t delved into how to scale it past that though and they do provide some docs that I have yet to review.
Also the primary repo is not FOSS, and that "100% FOSS" repo is buried in yet another footnote [2].
Plausible follows in PH footsteps but is not fully faithful to open source. If you want to self host, you won’t have same set of features as their SaaS and need to rely on long term releases for their "community edition" [3]
On "Ahrefs", is there even an open source version of their product? I couldn’t easily find it (on mobile). [4]
Maybe I’ll take a look at others you mentioned later but if rybbit can remain faithful to their FOSS roots then I think there’s a real chance of it becoming huge.
For thosw that don’t want to self host (mostly corporate shitholes), rybbit can milk them with their managed SaaS product.
I think Posthog is incredible, and there's no way I (it's just been me building rybbit for the past few months) will be able to compete with them on their full scope of features for the foreseeable future.
I tried to self host Posthog for my other project as it far exceeded even the generous free tier. I have a Hetzner bare metal server with 64gb of ram https://www.hetzner.com/dedicated-rootserver/ax42/ and it was running all 16 cores at 100% and didn't end up working. So I think Posthog's stack is just way too heavy to self host effectively, and it's just not in the same category as Plausible, Umami, or Rybbit.
I'm trying to build best OSS analytics out there - and even though it's super crowded, most non-trivial websites run one so there is space for everyone to survive in.
> "Self hosting is not really advertised on their main site"
How would rybbit.io make money if they are only better at self hosting? Wouldn't the users they are targeting only self host anyways?
> "On "Ahrefs", is there even an open source version of their product? I couldn’t easily find it (on mobile)."
Not all of these companies are open source but they are still competitors because they have generous free tiers so the cost of self hosting an alternative wouldn't be justified.
Which ones are embeddable? Often I need to embed some analytic charts for users in my app e.g. blog views and very few support easy embedding+authentication.
Grafana isn't a Google Analytics alternative. You can build a lot of what you need with it (I've done that), but you still need to manage the actual Analytics part separately, Grafana only gives you the visualization.
It's okay, but I probably wouldn't choose it again. The ease of setting up Dashboards and Panels is great at first, but you pay for it with a low ceiling of what you can do (without building around it) and a "we trust everyone" approach to security.
Primarily the ease of use. You add the JS to your site and don't worry about anything else, collection is very fast (delivering data is < 30ms) and has edge-servers around the globe.
My experience is that out of my other logs/metrics (cloudflare & server logs) Umami was the only one that didn't overinflate by counting bots and crawlers.
I know the true state of my site visitors: the vast majority of legit visitor traffic is from my own home IP, and my own mobile IP. Umami was the only one to show that.
For me, the best Google analytics replacement has been nothing. Just don’t do analytics at all. Your web site will still work without it. In fact, it will work better!
> Your web site will still work without it. In fact, it will work better!
It objectively won't.
Analytics tell you where your website isn't working, so you can fix it. Buttons you thought were obvious that users are blind to. Pages where nobody scrolls because they didn't realize there was more content. Figuring out where users get stuck because they don't understand the navigation you designed. Etc etc etc.
If you have a hobby website, then sure maybe analytics don't matter. But the idea that sites work better without analytics makes as much sense as saying you'll see better when you wear dark sunglasses.
Once upon a time we did analytics and error analysis by running shell scripts executing awk, sed and grep over a apache or nginx access log or error log.
What I am trying to say is that you can still do analytics, even pretty advanced stuff with some more elaborate scripting, if you want. The only thing you need is the access log.
Something which has been largely forgotten ever since tools like Urchin became a thing :)
Except if any of your pages are cached between eyeball and your server and so your server logs don't capture everything that is going on. You can get fancy with web server logs, but depending on what you're trying to understand it may not be the data you need.
<source: did fancy things with logs over the last 25 years, including running multiple tools on the same site in parallel to do comparisons (Analog, AWStats Urchin, GA, Omniture, homegrown, etc...)>
If you control the cache layer, log it there. If you don't control the cache layer, does a read from the end user cache really count as a separate visit anyway?
There are plenty of situations where someone visiting a page once and someone repeatedly looking at that page over a period of days (even if it is pulled from their browser cache) is an important difference. Obviously it depends on what you're using the data to try to understand.
One of the greatest jobs I ever had from a technical perspective had terabytes of structured access logs hosted on prem inside of a VPN, with a few small bespoke tools to search through them (and many more pages of commands for common tasks not yet implemented in a UI).
Not a single line of tracking or analytics on the front end, we just tracked everything we cared about at the server level.
That place didn't have any European operations so no GDPR concerns¹, but for what its worth it was completely.. pseudonymous I think is the term we want? You couldn't link a server entry to an actual user account by any means² but you could group distinct server calls together as coming from the same person. These weren't "server logs" in the same of IPs or user agents or that kind of thing. More like application logs w/ scrubbed/obfuscated user data just stored in gigantic text files.
¹ To those who would say it doesn't matter, I'd say that laws aren't laws if they can't be enforced and there's no enforcement mechanism for some EU bureaucrat to fine a company with no operations outside of the US.
² I'm sure the technical means existed to do it especially if you already had access to the logs but the point is we weren't explicitly storing any PII or data that was linked to a real account. Just actions throughout the apps.
However, if you do this, you will still need to comply with all relevant privacy laws.
For example, in the EU, you need user consent to use server logs that include IP addresses for analytics. You also need to provide post-consent opt-outs and privacy statements and audit logs and all off a sudden you're building another analytics tool.
In the EU, IP addresses are personal data and you need a legal basis for each form of processing. You could make an argument that Fail2Ban falls under legitimate interest, but there is now precedent that analytics must have user consent and another legal basis will not be accepted.
Urchin was acquired by Google and was ultimately sunset in favor of Google Analytics. It supported local and hybrid analytics models, the later arguably evolved into Google Analytics.
That's just not realistic though. People with marketing departments need analytics. Otherwise, they atrophy and reveal to everyone they are not as necessary as led to believe. People without marketing departments probably never look at the logs like you.
True, but for personal/hobby sites you probably are just better off just not knowing. Nothing good comes of tying your self-worth to how much attention you think you're getting.
There is nothing to suggest that people who want to measure (and perhaps increase) their publishing reach are “tying [their] self-worth to how much attention [they] think [they’re] getting”.
This is sort of like assuming everyone who is taking photos at a tourist attraction is doing so to show off their holiday for social status.
If your site or content is truly valuable, it is a public good to monitor, analyze, and improve upon its reach and usability.
> Otherwise, they atrophy and reveal to everyone they are not as necessary as led to believe.
In my experience, when analytics and the related ads tracking tools break, Marketing departments are revealed to be much more important than generally believed in the business.
Product people need analytics too. You need to know how many people use each feature to make informed decisions on what needs to be invested in, what should be cut, etc.
There were a gajillion of these things before Google Analytics. Probably the best options were those that relied on log analysis rather than having a JavaScript bug on every page.
The documentation states that rybbit does not use cookies and is compliant with the GDPR. The first part is true but, looking at the code (very nice to have it available), the tracking is done by IP address, trading one piece of tracking data for another.
I realize that this is probably the only way it could work but it is not clear to me that tracking by IP address (even over a single session and shredding the data once a day) is any better from a GDPR standpoint.
People seem to occasionally post cool new solutions, though it doesn't seem like Matomo has gotten that much attention, despite being a pretty strong alternative to Google Analytics (I haven't had that many issues while self-hosting it either).
I have been using Matomo along side GA4 for a month now. The amount of useful data coming from Matomo, even anonymized, is more expansive and easier to access than GA4. Plus self-hosting was pretty easy and it keeps the data on our servers, which just feels right.
I deal with GDPR daily and the truth is that GDPR enforcement doesn't understand what is acceptable from a GDPR standpoint and that is likely why they are in the process of revamping it. You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.
> You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.
That's not completely true. Recital 26 of GDPR stipulates that
> “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”
Hashing does not meet this threshold. If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched. Hashing is therefore considered pseudonimization and under GDPR, pseudonymized data is still considered personal data.
Moreover, the act of anonymization itself is a form of processing and therefore falls under the scope of GDPR. So even attempting to anonymize personal data doesn't remove GDPR obligations for the anonimyzation itself.
> If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched.
The way people get around this is by using an ephemeral salt, that is deleted e.g. daily. After enough time has passed, it'd be impossible to reverse the hash as the salt would be lost.
> To summarize, I believe the EDPB has made their position very clear on this in their 2023 guidelines: Plausible's fingerprinting is subject to Article 5(3) of the ePD. Plausible has made their position very clear in their blog post, leaning in the other direction. Until this is tried out in court, I don't believe that there will be any definitive answer.
Unlike Plausible and Fathom, it looks like Rybbit is NOT salting by default ( (but that it's an option to enable per site: https://www.rybbit.io/docs/enhanced-privacy). Which is why they can offer retention reporting.
If the IP address is hashed somehow it would no longer be personally identifying while still being unique enough for analytics purposes, correct?
Does geographic grouping data depend on the IP address? If so I suppose it would need to be extracted first before hashing the IP, and I wonder how much that weakens the anonymization.
If a user can say "here's my IP address, what data do you have on me?" and you can answer that question, then that's personal data under GDPR. It's pseudynomized, but not anonymized, and pseudynomous data is personal data.
What's the minimum size of an operation before the GDPR kicks in? In other words, are all sites governed by GDPR, or are some companies considered too small to be under the GDPR regulations? I know that there are some regulations that get a pass for smaller outfits. I know nothing about GDPR as a European audience is not my target and not kowtowing for them.
GDPR does not currently have explicit business size thresholds. Its provisions are all framed as personal rights of the data subject, so its provisions are always in effect. By contrast, CCPA in California is framed as a consumer protection law so it only applies to companies of a certain size.
In practice, small fries are not an enforcement priority. Regulators in most countries are not well-funded so they have to be frugal with their enforcement actions.
The EU is currently reviewing an option to relax GDPR requirements for smaller businesses. Not remove GDPR requirements, just streamline some of the process overhead.
The jury is out on ip address vs GDPR. Hashed IP address is not anonymous, nor is last digit anonymization anonymous.
So, let's not bother with it. I can say all IP address are located in earth and someone would be offended because now we are invading their privacy by knowing which planet they are from. GDPR is not clear on IP address or IP address derived metadata. There is no case law for it, nor acceptable methodology and everyone is speculating about what are the consequences of and it is mostly just opinions from IANALs. GDPR is astrology for non-enterprise companies.
If you don't want to roll your own and don't care if its open source, I've used clicky.com for years. Simple, and shows everything I need. As others have said, it's a crowded market. Still cool though that people are launching these projects.
Check out our demo at https://demo.rybbit.io/1. We have a lot more features than Plausible, but they're still presented in a way that is intuitive to use. You shouldn't need to read pages and pages of documentation to be able to set up funnels on rybbit, for example.
Plausible, Fathom, Umami and the others all do cookie-less tracking too. Why don't you add an option to track through cookies? Most serious businesses have the consent for putting analytics cookies there, especially if it's a first-party cookie. This will differentiate you and instantly make this a more serious option for self-hosters who want simple but reliable tracking. Especially if you can set this as a serverside first-party HTTPS cookie.
Alternatively, add an identify() call and let others roll their own solution for this.
Then I would actually trust your retention numbers.
Because I like minimalist tools, onedollarstats.com looks interesting to me. I can’t find much info about their privacy posture (which prevents me from using Google Analytics). I use my own counter, but it’s got very limited features.
Is there any server side only analytics software that is open source and decent? I really don’t want to add any more JavaScript to my pages that I don’t need.
I'm going to develop server-side SDKs in the future. But many existing platforms like posthog already support this, though I don't know if they support processing raw request logs literally.
Can the creator /user/bill_yang explain this contradiction in the readme? It claims to support tracking unique users, but then immediately afterwards claims not to track users. Do you mean that you don't do any user tracking by default?
> Key Features
> - All key web analytics metrics including sessions, unique users, pageviews, bounce rate, session duration
> - No cookies or user tracking - GDPR & CCPA compliant
the industry has decided that unique users can be done without being tracking. you can decide differently. Often times how they do it is some combination of
- Hashing IPs with other data to form a non-reversible UUID
- Not tracking across multiple host domains
- Not setting cookies or storing any information in the browser
so many takes here tbh, i always end up just picking the simplest tool and hoping for the best - you think real privacy or just ease of use is what ends up mattering more long-term?
Thank you. I am using https://globe.gl/ which wraps three.js. The page realtime page is still pretty slow to load so though.
I'm using Next.js but I'm using all client-side components. The tooling around SPA client side state is just really good so I don't see a huge reason to go full SSR, especially when SEO doesn't matter for the actual app.
I'm hosting my blog on cloudflare pages, it's analytics show 80 or so uniques every day consistently even though I barely write there. Installed Umami - 0 visitors. None. Internet is just LLM crawlers hungry for content now?
We passed the tipping point where bot traffic outnumbered human traffic fifteen years ago. LLMs are an order of magnitude worse by most first-hand accounts, but it's just a continuation of a very long trend.
A couple of days ago I was researching website analytics and GDPR/cookie law, and it seems clear that you need user consent even if IP addresses are only processed or temporarily stored before being discarded.
Arguing otherwise is like claiming it’s legal to steal from a store as long as you return the goods the next day - it’s legal fantasy.
I don’t think the EU is eager to go after these “ethical” analytics companies or their users, since they have bigger fish to fry. But if you think you’re legally in the clear using these solutions without user consent, you’re fooling yourself.
I see, I was confused because you mentioned GDPR but it has everything to do with ePD and I wasn't aware of this issue, thanks for sharing!
> Arguing otherwise is like claiming it’s legal to steal from a store as long as you return the goods the next day - it’s legal fantasy.
That said, this strongly implies that these privacy-focused analytics platforms are unquestionably breaking the GDPR and behaving in an unethical way, but that seems like a huge overstatement.
I've read the linked blog post and it seems like the analysis hinges on the precise wording of the ePD rather than GDPR. By their own admission, these analytics solutions seem to be in line with both the letter and the spirit of GDPR. The author even agrees that the wording of the ePD should be addressed and notes:
> Unfortunately I came to the rather demotivating conclusion that there simply isn’t any way to implement web analytics without running afoul of the ePrivacy Directive.
> This was a surprising conclusion at the time. Morally we can go very far: we can put a lot of smart stuff together and create a system that can’t be used to track individual users. But legally, that doesn’t particularly matter. The ePrivacy Directive is written as it is.
> Even the EU Data Protection Working Party decries this. In their 2012 opinion they write:
> the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. […] In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes.
So it's not that these companies are doing anything inherently immoral or unethical as far as their handling of personal data goes, but they might be behaving unethically by making claims that run afoul of other legislation (ePD) that clashes with the GDPR.
The market for Google Analytics alternatives is crowded. There's Plausible, Ahrefs web analytics, onedollarstats.com, PostHog, Matomo, Unami, Grafana, Microsoft Clarity (free at any scale), and so many others. Despite minor differences these products all compete for the same users (e.g. if someone is a PostHog customer they probably won't be using Ahref web analytics) yet most of these companies offer generous free tiers while rybbit only a free trial.
How do products like rybbit.io stay competitive without a similar free tier or major differentiation? Is rybbit generating revenue for its hosted plan?
As a founder in this space, it not as bad as you think. There are niches in this crowded yet broad space.
Plausible - good for self-hosting, but their SaaS is very expensive and FOSS vs SaaS offering differ.
Ahrefs - they will use your traffic to improve your competitor research, you really should use them cautiously.
Matomo - feature rich but can be overwhelming.
Posthog - its SaaS is US based so dismissed early by EU customers.
Clarity, like GA has serious privacy issues.
Our product, Wide Angle Analytics, has its own gotchas compared to competitors - its opinionated and there are folks who do not agree with our opinions, but the landscape of websites is so vast that you find your client nevertheless.
That said, we are still in business after 4 years, and we saw few competitors disappear or get acquired and extinguished.
So, all the best to the OP. Hope you find your niche :)
Just for the record, I use PostHog in my Europe-based startup. They have a EU region so it’s not a problem for us.
There are some indications that this may soon no longer be sufficient.
It is US company. Does not matter where server resides. If server is in EU but under US jurisdiction (US company) that can be (needs checking) treated as International Data Transfer.
There's a bunch more listed here as well https://github.com/oxnr/awesome-analytics
What's your sales strategy? Is cold calling companies with google analytics installed on their websites more effective than the blog? Have you been able to retain Next.js users after Vercel released Web Analytics?
Surprised no ones talked about Fathom Analytics. My alternative of choice.
Why do you prefer Fathom?
I'm using Clarity and was under the impression it was better than GA
What are the privacy issues with GA and Clarity?
What about Amplitude?
This is pretty spot on. There's a couple of dimensions the major players sit on, and there's enough combinations that there's plenty of space for smaller players to survive in.
I'm not super familiar with all of these products, so some of these ratings will be based on vibes
1-----------------10
OSS <-> Proprietary
Small business <-> Enterprise
Simplicity <-> Complexity
Web analytics <-> Product analytics
Privacy <-> No privacy
# Rybbit (me) - just launched $0
OSS/Proprietary - 2
I use AGPL 3.0 which isn't as permissive as MIT
Small business/Enterprise - 5
I definitely want enterprises to use Rybbit, but it's hard to target them at this stage
Simplicity/Complexity - 6.5
I think Rybbit is going to end up as one of the more feature-rich OS analytics tools, but I hope it stays easy to use (famous last words)
Web analytics/Product analytics - 4
Want to target both eventually, but my product analytics is weaker relatively
Privacy/No privacy - 3
Can be as GDPR compliant as others, but can also be configured to be a bit more invasive
# Posthog - ~15M ARR
OSS/Proprietary - 4
Have a bunch of enterprise licensed parts of their repo and they tell people in their docs to not self-host it because it's too difficult.
Small business/Enterprise - 8
Seems like they hook startups in with generous free tiers and then milk the unicorns that come out
Simplicity/Complexity - 10
The scope of Posthog is awe inspiring. They are literally 10 startups in 1
Web analytics/Product analytics - 8
I believe product analytics was their first feature
Privacy/No privacy - 7
I think they use cookies?
# Google Analytics
OSS/Proprietary - 10
Small business/Enterprise - 9
Free for everyone but it's clear they don't care about regular users that want to track their small site
Simplicity/Complexity - 8
If there was a dimension for usability it would be 11/10 totally unusable
Web analytics/Product analytics - 6
Not too sure about this one
Privacy/No privacy - 9
i mean it's google
# Mixpanel - $200m ARR
I'm the least familiar with this one
OSS/Proprietary - 9
Small business/Enterprise - 8
Simplicity/Complexity - 8
Web analytics/Product analytics - 9
Privacy/No privacy - 7
# Umami - unknown ARR (maybe 500K?)
OSS/Proprietary - 1
MIT license, no enterprise only features from what I see
Small business/Enterprise - 5
Seem to have some big names on their site
Simplicity/Complexity - 4
Web analytics/Product analytics - 5
Privacy/No privacy - 5 They claim GDPR compliance but I've self hosted it and they clearly fingerprint users without any obvious opt out.
# Plausible - ~2m ARR
OSS/Proprietary - 4
AGPL v3 and some a some enterprise features the community version doesn't have. Also they use Elixir so i doubt anyone actually reads it/s
Small business/Enterprise - 6
Have to be selling to enterprises with that ARR
Simplicity/Complexity - 3
Tool is very simple at the surface, but there's a lot of config options under the hood
Web analytics/Product analytics - 3
Mostly just web analytics
Privacy/No privacy - 2
This is a big focus for them
# Simple Analytics ~500k ARR
OSS/Proprietary - 8
Closed source, but they are an open startup that shares their financials
Small business/Enterprise - 3
They show some big names, but the creator is an indie hacker
Simplicity/Complexity - 2
Self explanatory
Web analytics/Product analytics - 2
Privacy/No privacy - 2
Very GDPR compliance focused
If this was a multi-dimensional vector, I'm trying to fill the space between something like Posthog and Plausible, where we are as open source as either of them and fill the missing space between extreme simplicity and extreme complexity.
This really does look like a great project!
Is it possible to use it server-side only, with no JavaScript required? I currently use Umami like that - it has an API, so I can send it page view events and custom events from server-side code. That means analytics can't be disabled by uBlock or the like, or by disabling JavaScript.
I also have my own analytics service on serverside, and it is sooo vastly different from the client-side analytics. The client side only sees ~5-10% of what I see on the server side -- even after filtering out bots and the like.
I'm going to add an API soon!
> Posthog - its SaaS is US based so dismissed early by EU customers.
Posthog has had an EU server for years. I'm not sure what you mean by this.
An EU server isn't enough. Those EU servers should be operated and maintained by an EU subsidy that licenses the tech from the US company. In other words, even if the US company wanted the data served by the EU company, they couldn't get to it.
It is US company. It does not matter where the servers are physically located.
It would be quite funny to reply to an NSA request by saying "Oh yeah, I have that data and can access it but its on a server in the EU. I can get it, but I won't."
I genuinely don't know how they would proceed, but it'd be interesting to watch.
Probably randomly find 3kg of cocaine on your person.
Some not-so-friendly men in suits will show up at your house. Afterwards you will most certainly comply.
I mean if you can even refuse that, this is national agency we talking about
They can physically tap global internet cable just because they can
ok if that possible, what makes EU agency not doing the same to EU base company then???
EU doesn’t have that kind of agency.
Member states have spy agencies, but they also signed treaties to join the EU. Having your spy agency violate international treaties isn’t something most governments allow.
If the company or individual is in a country, expect they can be compelled to hand over everything in their possession by a court order (or it can be siezed).
If the information is stored in a country, expect that the owner of the information can be compelled to hand it over by a court order (or it can be seized).
The EU doesn't have something like the CLOUD Act, so they wouldn't be able to do that.
Well the EU absolutely could do the same thing. If an EU-based company had servers in the US, I would expect the EU could compel them to hand over data despite where the data is stored.
The EU doesn’t do law enforcement. That is a national concern. But a legal request from one country to another may well happen.
I misspoke there, I was meaning Europe and shouldn't have put EU.
Agreed, the union doesn't have any enforcement mechanism I'm aware of that would fit, but any country in Europe could do a similar thing to companies based in their borders.
Niche markets always allow good products to survive.
Builder of rybbit here - I will probably add a free tier in the following weeks. I didn't was because I was scared of being overloaded by an influx of free users, but that doesn't scare me anymore.
I started working on this 4 months ago and only publicly launched a few days ago.
As for monetization, I have no idea yet. I'm happy to collect stars for the time being. What do you think I should do?
Not sure, but I'm definitely interested in following your business and seeing what your strategy will become because I was building something similar but when larger teams starting releasing free solutions I couldn't think of a way to compete. Best of luck.
> if someone is a PostHog customer they probably won't be using Ahref web analytics
It's (un)surprisingly common to end up with multiple website analytics products on the same site; marketing wants these two, another department wants another. When I had ghostery show the list of things it was blocking I often saw multiple, overlapping-feature-set analytics integrations being blocked on the same site.
Yes, I have seen organizations with websites that had 15+ trackers because every person in the company had their favourite tool.
I've seen companies from the inside where those 15+ trackers were all added by one person in the span of a week.
I've also seen those trackers be added by someone who exits the organization a month later there by blessing the trackers with a protection spell making their removal unlikely for fear of breaking some metric pipeline somewhere.
You would be surprised how many companies do in fact use multiple analytics services.
Only one tool will be a 'source of truth' but a company using a combination of something like GA4 (Business source of truth), Mixpanel (product insights), and Clarity (Landing page analysis) is not unheard of.
The types of companies that use multiple services are also the types of companies that are likely spending $1,000s per month as well, so overall quite a profitable industry for many companies to operate in.
That’s a fair point — the analytics space is definitely saturated, especially on the privacy-first, open-source end. Without a standout feature or a compelling free tier, it's tough to draw developers away from proven tools like Plausible or PostHog.
I wonder if Rybbit is betting more on UX simplicity or niche use cases (e.g. very lightweight deployments, self-hosting ease, etc.). Has anyone here actually tried it? Curious how it stacks up in terms of setup time, dashboard clarity, and tracking depth.
Are these open source and locally hosted? Or you must share your data with a big corporation to use them?
PostHog and Plausible are both open source and not backed by big corporations but if sharing data to third parties and being open source is a concern (which seems to be the selling point rybbit.io is targeting) I would expect users to self host instead of paying for a hosted plan anyways?
Is sharing your data with a startup or small company any better than sharing it with a big corporation?
Potentially yes, but depends very much on the privacy policy and data handling promises being made.
I think the instinct to distrust big companies is at least partly because many of them have already proven not to be good stewards of data which when combined with their scale has more worrisome implications.
With a smaller/newer player, at least there’s some hope that they’re not capable of the same harms at a smaller scale, and in some cases may market themselves specifically as a more private alternative.
Whether or not this turns out to be true in practice and over the long run is another thing.
Hope ain't the same thing as trust, though. A small player would need to make a pretty significant effort to suggest they wouldn't abuse your usage-patterns.
Startup have high chance being acquired. The new owner will get all your data, no matter you trust them or not.
Yeah, that’s the big issue and what I was alluding to in the last paragraph.
It’d be nice to have products that aren’t created with the aim of being acquired, and/or companies that remain committed to their original mission.
It's open source and locally hosted, you don't have to share your data with anyone.
> Or you must share your data with a big corporation to use them?
I'm choking on the irony
Posthog is pretty good but very pushy towards using their SaaS (understandably). Self hosting is not really advertised on their main site however is buried in their gh repo as a footnote [1] with indications of vague issues past 100K events/month. Haven’t delved into how to scale it past that though and they do provide some docs that I have yet to review.
Also the primary repo is not FOSS, and that "100% FOSS" repo is buried in yet another footnote [2].
Plausible follows in PH footsteps but is not fully faithful to open source. If you want to self host, you won’t have same set of features as their SaaS and need to rely on long term releases for their "community edition" [3]
On "Ahrefs", is there even an open source version of their product? I couldn’t easily find it (on mobile). [4]
Maybe I’ll take a look at others you mentioned later but if rybbit can remain faithful to their FOSS roots then I think there’s a real chance of it becoming huge.
For thosw that don’t want to self host (mostly corporate shitholes), rybbit can milk them with their managed SaaS product.
[1] https://github.com/PostHog/posthog?tab=readme-ov-file#self-h...
[2] https://github.com/PostHog/posthog?tab=readme-ov-file#open-s...
[3] https://github.com/plausible/analytics?tab=readme-ov-file#ca...
[4] https://ahrefs.com/
I think Posthog is incredible, and there's no way I (it's just been me building rybbit for the past few months) will be able to compete with them on their full scope of features for the foreseeable future.
I tried to self host Posthog for my other project as it far exceeded even the generous free tier. I have a Hetzner bare metal server with 64gb of ram https://www.hetzner.com/dedicated-rootserver/ax42/ and it was running all 16 cores at 100% and didn't end up working. So I think Posthog's stack is just way too heavy to self host effectively, and it's just not in the same category as Plausible, Umami, or Rybbit.
I'm trying to build best OSS analytics out there - and even though it's super crowded, most non-trivial websites run one so there is space for everyone to survive in.
> "Self hosting is not really advertised on their main site"
How would rybbit.io make money if they are only better at self hosting? Wouldn't the users they are targeting only self host anyways?
> "On "Ahrefs", is there even an open source version of their product? I couldn’t easily find it (on mobile)."
Not all of these companies are open source but they are still competitors because they have generous free tiers so the cost of self hosting an alternative wouldn't be justified.
Which ones are embeddable? Often I need to embed some analytic charts for users in my app e.g. blog views and very few support easy embedding+authentication.
It's open source, why would you also need a free tier for hosting?
Self hosting would cost more money than free tier for most companies.
> more than 90% of companies use PostHog for free.
https://posthog.com/pricing
Grafana isn't a Google Analytics alternative. You can build a lot of what you need with it (I've done that), but you still need to manage the actual Analytics part separately, Grafana only gives you the visualization.
It's okay, but I probably wouldn't choose it again. The ease of setting up Dashboards and Panels is great at first, but you pay for it with a low ceiling of what you can do (without building around it) and a "we trust everyone" approach to security.
> actual Analytics
I've never used google analytics before. What's the marginal value over statsd?
Primarily the ease of use. You add the JS to your site and don't worry about anything else, collection is very fast (delivering data is < 30ms) and has edge-servers around the globe.
its crowded but only for web, I still searching the one for desktop and mobile (posthog still the best imo)
Clarity is more of a Hotjar competitor, right?
Yes, it's very much like HotJar, focused on session capture & heatmap.
It also tracks page views, referrers, geographic location, and other analytics common to rybbit
Umami works for me. I just want that dopamine kick that someone clicked on my page so I dont feel lonely on the internet.
Would you be interested in a service that occasionally reads your page and sends you thoughtful comments?
It was only a bot, but if it makes you feel better... :)
My experience is that out of my other logs/metrics (cloudflare & server logs) Umami was the only one that didn't overinflate by counting bots and crawlers.
I know the true state of my site visitors: the vast majority of legit visitor traffic is from my own home IP, and my own mobile IP. Umami was the only one to show that.
For me, the best Google analytics replacement has been nothing. Just don’t do analytics at all. Your web site will still work without it. In fact, it will work better!
> Your web site will still work without it. In fact, it will work better!
It objectively won't.
Analytics tell you where your website isn't working, so you can fix it. Buttons you thought were obvious that users are blind to. Pages where nobody scrolls because they didn't realize there was more content. Figuring out where users get stuck because they don't understand the navigation you designed. Etc etc etc.
If you have a hobby website, then sure maybe analytics don't matter. But the idea that sites work better without analytics makes as much sense as saying you'll see better when you wear dark sunglasses.
Once upon a time we did analytics and error analysis by running shell scripts executing awk, sed and grep over a apache or nginx access log or error log.
What I am trying to say is that you can still do analytics, even pretty advanced stuff with some more elaborate scripting, if you want. The only thing you need is the access log.
Something which has been largely forgotten ever since tools like Urchin became a thing :)
Except if any of your pages are cached between eyeball and your server and so your server logs don't capture everything that is going on. You can get fancy with web server logs, but depending on what you're trying to understand it may not be the data you need.
<source: did fancy things with logs over the last 25 years, including running multiple tools on the same site in parallel to do comparisons (Analog, AWStats Urchin, GA, Omniture, homegrown, etc...)>
If you control the cache layer, log it there. If you don't control the cache layer, does a read from the end user cache really count as a separate visit anyway?
There are plenty of situations where someone visiting a page once and someone repeatedly looking at that page over a period of days (even if it is pulled from their browser cache) is an important difference. Obviously it depends on what you're using the data to try to understand.
This is how you end up with no-cache assets on pages so they can keep track of actual traffic.
One of the greatest jobs I ever had from a technical perspective had terabytes of structured access logs hosted on prem inside of a VPN, with a few small bespoke tools to search through them (and many more pages of commands for common tasks not yet implemented in a UI).
Not a single line of tracking or analytics on the front end, we just tracked everything we cared about at the server level.
And most likely a compliance and legal nightmare waiting to drop on a DPO one day.
That place didn't have any European operations so no GDPR concerns¹, but for what its worth it was completely.. pseudonymous I think is the term we want? You couldn't link a server entry to an actual user account by any means² but you could group distinct server calls together as coming from the same person. These weren't "server logs" in the same of IPs or user agents or that kind of thing. More like application logs w/ scrubbed/obfuscated user data just stored in gigantic text files.
¹ To those who would say it doesn't matter, I'd say that laws aren't laws if they can't be enforced and there's no enforcement mechanism for some EU bureaucrat to fine a company with no operations outside of the US.
² I'm sure the technical means existed to do it especially if you already had access to the logs but the point is we weren't explicitly storing any PII or data that was linked to a real account. Just actions throughout the apps.
However, if you do this, you will still need to comply with all relevant privacy laws.
For example, in the EU, you need user consent to use server logs that include IP addresses for analytics. You also need to provide post-consent opt-outs and privacy statements and audit logs and all off a sudden you're building another analytics tool.
How exactly does that work? You need consent for server logs? Am I able to run fail2ban without consent?
In the EU, IP addresses are personal data and you need a legal basis for each form of processing. You could make an argument that Fail2Ban falls under legitimate interest, but there is now precedent that analytics must have user consent and another legal basis will not be accepted.
No, logs don't require consent in that case, see recital 49.
> Urchin
Urchin was acquired by Google and was ultimately sunset in favor of Google Analytics. It supported local and hybrid analytics models, the later arguably evolved into Google Analytics.
Such a product will work fantastic until you get your first user.
That's just not realistic though. People with marketing departments need analytics. Otherwise, they atrophy and reveal to everyone they are not as necessary as led to believe. People without marketing departments probably never look at the logs like you.
True, but for personal/hobby sites you probably are just better off just not knowing. Nothing good comes of tying your self-worth to how much attention you think you're getting.
There is nothing to suggest that people who want to measure (and perhaps increase) their publishing reach are “tying [their] self-worth to how much attention [they] think [they’re] getting”.
This is sort of like assuming everyone who is taking photos at a tourist attraction is doing so to show off their holiday for social status.
If your site or content is truly valuable, it is a public good to monitor, analyze, and improve upon its reach and usability.
I think most people are talking about for business websites
Why would you jump to the conclusion that any of it is about "self-worth"?
Maybe you're writing for an audience and you want to see what resonates most with them.
Sometimes popularity is a good thing to measure, not for your ego, but by how much you are helping others.
It is sad when people assume metrics are about vanity, rather than about how much we're helping others.
> Otherwise, they atrophy and reveal to everyone they are not as necessary as led to believe.
In my experience, when analytics and the related ads tracking tools break, Marketing departments are revealed to be much more important than generally believed in the business.
Product people need analytics too. You need to know how many people use each feature to make informed decisions on what needs to be invested in, what should be cut, etc.
I can't imagine someone trying to run a web business with no analytics.
this is some kinda joke right? analytics are necessary for 10000 reasons
.. may we see them?
There were a gajillion of these things before Google Analytics. Probably the best options were those that relied on log analysis rather than having a JavaScript bug on every page.
The documentation states that rybbit does not use cookies and is compliant with the GDPR. The first part is true but, looking at the code (very nice to have it available), the tracking is done by IP address, trading one piece of tracking data for another.
I realize that this is probably the only way it could work but it is not clear to me that tracking by IP address (even over a single session and shredding the data once a day) is any better from a GDPR standpoint.
It doesn't have that much in the way of fancy UI, but I found that Matomo allows you to both choose whether to use cookies / IP or maybe to cut off parts of the IP as well: https://matomo.org/faq/general/configure-privacy-settings-in...
People seem to occasionally post cool new solutions, though it doesn't seem like Matomo has gotten that much attention, despite being a pretty strong alternative to Google Analytics (I haven't had that many issues while self-hosting it either).
I have been using Matomo along side GA4 for a month now. The amount of useful data coming from Matomo, even anonymized, is more expansive and easier to access than GA4. Plus self-hosting was pretty easy and it keeps the data on our servers, which just feels right.
I deal with GDPR daily and the truth is that GDPR enforcement doesn't understand what is acceptable from a GDPR standpoint and that is likely why they are in the process of revamping it. You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.
> You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.
That's not completely true. Recital 26 of GDPR stipulates that
> “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”
Hashing does not meet this threshold. If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched. Hashing is therefore considered pseudonimization and under GDPR, pseudonymized data is still considered personal data.
Moreover, the act of anonymization itself is a form of processing and therefore falls under the scope of GDPR. So even attempting to anonymize personal data doesn't remove GDPR obligations for the anonimyzation itself.
Disclaimer: IANAL
> If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched.
The way people get around this is by using an ephemeral salt, that is deleted e.g. daily. After enough time has passed, it'd be impossible to reverse the hash as the salt would be lost.
Plausible uses the same algorithm and they have a page written by a lawyer claiming this is GDPR compliant: https://plausible.io/blog/legal-assessment-gdpr-eprivacy
Edit: Found more discussion here: https://github.com/plausible/analytics/discussions/1963#disc...
> To summarize, I believe the EDPB has made their position very clear on this in their 2023 guidelines: Plausible's fingerprinting is subject to Article 5(3) of the ePD. Plausible has made their position very clear in their blog post, leaning in the other direction. Until this is tried out in court, I don't believe that there will be any definitive answer.
Unlike Plausible and Fathom, it looks like Rybbit is NOT salting by default ( (but that it's an option to enable per site: https://www.rybbit.io/docs/enhanced-privacy). Which is why they can offer retention reporting.
This seems incompatible with ePD.
So IP is considered personal information?
Yes, that is what case C-582/14 concluded.
If the IP address is hashed somehow it would no longer be personally identifying while still being unique enough for analytics purposes, correct?
Does geographic grouping data depend on the IP address? If so I suppose it would need to be extracted first before hashing the IP, and I wonder how much that weakens the anonymization.
You can hash every IPV4 for a rainbow table. Needs some salt.
According to the author, Rybbit hashes IPs with a daily rotating salt.
https://www.reddit.com/r/selfhosted/comments/1kgytl4/i_built...
Okay, but that doesn't mean the concept is bad.
Yes it does.
If a user can say "here's my IP address, what data do you have on me?" and you can answer that question, then that's personal data under GDPR. It's pseudynomized, but not anonymized, and pseudynomous data is personal data.
Even if you can't answer that question, if it can be answered, that's still personal data.
What's the minimum size of an operation before the GDPR kicks in? In other words, are all sites governed by GDPR, or are some companies considered too small to be under the GDPR regulations? I know that there are some regulations that get a pass for smaller outfits. I know nothing about GDPR as a European audience is not my target and not kowtowing for them.
GDPR does not currently have explicit business size thresholds. Its provisions are all framed as personal rights of the data subject, so its provisions are always in effect. By contrast, CCPA in California is framed as a consumer protection law so it only applies to companies of a certain size.
In practice, small fries are not an enforcement priority. Regulators in most countries are not well-funded so they have to be frugal with their enforcement actions.
The EU is currently reviewing an option to relax GDPR requirements for smaller businesses. Not remove GDPR requirements, just streamline some of the process overhead.
The jury is out on ip address vs GDPR. Hashed IP address is not anonymous, nor is last digit anonymization anonymous.
So, let's not bother with it. I can say all IP address are located in earth and someone would be offended because now we are invading their privacy by knowing which planet they are from. GDPR is not clear on IP address or IP address derived metadata. There is no case law for it, nor acceptable methodology and everyone is speculating about what are the consequences of and it is mostly just opinions from IANALs. GDPR is astrology for non-enterprise companies.
> GDPR is not clear on IP address or IP address derived metadata. There is no case law for it,
There is, see C-582/14 which concludes that IP address, even dynamic, are personal data.
If people insist on tracking users with analytics, the least folks can do is use something other than google to do it.
If you don't want to roll your own and don't care if its open source, I've used clicky.com for years. Simple, and shows everything I need. As others have said, it's a crowded market. Still cool though that people are launching these projects.
+1. And it's dirty cheap. I pay about $200/m for 800k daily events.
Well, obvious question: How does it compare to Plausible and all the other open source analytics.
Plausible is too needlessly expensive as one grows and it essentially punishes you for growing.
And some features aren't available 1:1 with the CE version of Plausible either.
Yea, funnels are not open source for Plausible
Check out our demo at https://demo.rybbit.io/1. We have a lot more features than Plausible, but they're still presented in a way that is intuitive to use. You shouldn't need to read pages and pages of documentation to be able to set up funnels on rybbit, for example.
I keep recommending it, but you can check out https://european-alternatives.eu/category/web-analytics-serv... for a more complete list of EU based web analytic services.
I'm one of the co-founders of Pirsch, and a bit worried because the space is getting really crowded :D
I love it, too bad the author of that project seems to have become overwhelmed with the requests for updates/additions.
Why not Matomo?
Upvote for matomo!
This project here looks interesting, but is quite new. Lets see how it evolves in the future.
Matomo is an evolution of Piwik which was first released in 2007. So not 'quite new'.
Im talking about the project OP posted, not matomo.
There are at least 60 alternatives : https://umami.is/blog/a-mega-list-of-google-analytics-altern...
Hey I built this! I was meaning to launch Rybbit on show HN tomorrow morning but I guess you beat me to it haha.
Plausible, Fathom, Umami and the others all do cookie-less tracking too. Why don't you add an option to track through cookies? Most serious businesses have the consent for putting analytics cookies there, especially if it's a first-party cookie. This will differentiate you and instantly make this a more serious option for self-hosters who want simple but reliable tracking. Especially if you can set this as a serverside first-party HTTPS cookie.
Alternatively, add an identify() call and let others roll their own solution for this.
Then I would actually trust your retention numbers.
Great stuff though! Impressive launch.
Is GeoLite2 reliable?
https://github.com/rybbit-io/rybbit/blob/master/server/GeoLi...
Because I like minimalist tools, onedollarstats.com looks interesting to me. I can’t find much info about their privacy posture (which prevents me from using Google Analytics). I use my own counter, but it’s got very limited features.
Is there any server side only analytics software that is open source and decent? I really don’t want to add any more JavaScript to my pages that I don’t need.
I have some static websites on S3 and CloudFront. I use https://goaccess.io/ to parse the logs and generate a html report.
As mentioned elsewhere in the thread, there is a lot of bot activity there, that using JS might cleanup a bit.
If you are interested, I have a write up of my setup here, with the report generation down at the bottom: https://gamestrut.com/Blog/2022-06-08-static-site-hosting-on...
Umami has an API, so it can be used server-side, without any JavaScript (I use it like that).
GoAccess?
Is there anything that can work with the request logs instead of the usual transparent pixels and/or script inclusions?
I'm going to develop server-side SDKs in the future. But many existing platforms like posthog already support this, though I don't know if they support processing raw request logs literally.
It'd be great. Posthog is a bit too heavy for just that.
This seems, very similar to Umami. Is this a fork from them? TypeScript / Next.JS and similar design?
I wrote this fully written from scratch. Similar stack to Umami though.
Good luck. It is looking the best out of all the alternatives so far.
Probably one of the coolest logos I've seen so far. How did you come up with it?
Can the creator /user/bill_yang explain this contradiction in the readme? It claims to support tracking unique users, but then immediately afterwards claims not to track users. Do you mean that you don't do any user tracking by default?
> Key Features
> - All key web analytics metrics including sessions, unique users, pageviews, bounce rate, session duration
> - No cookies or user tracking - GDPR & CCPA compliant
the industry has decided that unique users can be done without being tracking. you can decide differently. Often times how they do it is some combination of
- Hashing IPs with other data to form a non-reversible UUID
- Not tracking across multiple host domains
- Not setting cookies or storing any information in the browser
so many takes here tbh, i always end up just picking the simplest tool and hoping for the best - you think real privacy or just ease of use is what ends up mattering more long-term?
very nice demo. I saw that you are using threejs but when i checked network logs its not downloading it which is great. Are you doing SSR?
Thank you. I am using https://globe.gl/ which wraps three.js. The page realtime page is still pretty slow to load so though.
I'm using Next.js but I'm using all client-side components. The tooling around SPA client side state is just really good so I don't see a huge reason to go full SSR, especially when SEO doesn't matter for the actual app.
I'm hosting my blog on cloudflare pages, it's analytics show 80 or so uniques every day consistently even though I barely write there. Installed Umami - 0 visitors. None. Internet is just LLM crawlers hungry for content now?
We passed the tipping point where bot traffic outnumbered human traffic fifteen years ago. LLMs are an order of magnitude worse by most first-hand accounts, but it's just a continuation of a very long trend.
"Internet is just LLM crawlers hungry for content now?"
its been that way for a few years, real users using mobile app and access social media now
the percentage internet user who "surfing" on the web is dwindling and more likely diminish in near future
I see this too on my CF Pages-hosted blog.
Analytics only work if the agent runs JS. CF on the other hand counts file fetches, which can't be circumvented.
There's always a baseline of bot traffic.
ah, that explains it, I think. I expected them to sessionize the file transfers under one unique somehow still, even without JS.
A couple of days ago I was researching website analytics and GDPR/cookie law, and it seems clear that you need user consent even if IP addresses are only processed or temporarily stored before being discarded.
Arguing otherwise is like claiming it’s legal to steal from a store as long as you return the goods the next day - it’s legal fantasy.
I don’t think the EU is eager to go after these “ethical” analytics companies or their users, since they have bigger fish to fry. But if you think you’re legally in the clear using these solutions without user consent, you’re fooling yourself.
> it seems clear that
Can you elaborate?
The logic is simple, as soon as you collected and/or processed IP addresses, you need user consent as it is personal data.
You don’t get to “undo” this requirement by discarding the IP address afterwards, the law doesn’t care.
Others have come to the same conclusion: https://github.com/plausible/analytics/discussions/1963
I see, I was confused because you mentioned GDPR but it has everything to do with ePD and I wasn't aware of this issue, thanks for sharing!
> Arguing otherwise is like claiming it’s legal to steal from a store as long as you return the goods the next day - it’s legal fantasy.
That said, this strongly implies that these privacy-focused analytics platforms are unquestionably breaking the GDPR and behaving in an unethical way, but that seems like a huge overstatement.
I've read the linked blog post and it seems like the analysis hinges on the precise wording of the ePD rather than GDPR. By their own admission, these analytics solutions seem to be in line with both the letter and the spirit of GDPR. The author even agrees that the wording of the ePD should be addressed and notes:
> Unfortunately I came to the rather demotivating conclusion that there simply isn’t any way to implement web analytics without running afoul of the ePrivacy Directive.
> This was a surprising conclusion at the time. Morally we can go very far: we can put a lot of smart stuff together and create a system that can’t be used to track individual users. But legally, that doesn’t particularly matter. The ePrivacy Directive is written as it is.
> Even the EU Data Protection Working Party decries this. In their 2012 opinion they write:
> the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. […] In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes.
So it's not that these companies are doing anything inherently immoral or unethical as far as their handling of personal data goes, but they might be behaving unethically by making claims that run afoul of other legislation (ePD) that clashes with the GDPR.
[dead]
[dead]
[dead]
[dead]
Interesting!