Why We Never Store Your IP Address (And What We Do Instead)
There’s a recurring debate on Reddit and Hacker News that goes something like this: someone recommends a “privacy-friendly” analytics tool. Someone else points out that the tool hashes IP addresses. A third person says hashing makes it anonymous. Then a privacy lawyer shows up and explains why they’re all wrong.
Let’s settle this once and for all.
IP addresses are personal data. Full stop.
Under GDPR, an IP address is personal data. Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person.” The Court of Justice of the European Union ruled in Breyer v. Germany (C-582/14) that even dynamic IP addresses qualify, because an ISP can link them back to a subscriber.
This isn’t ambiguous. If your analytics tool receives an IP address — even if it immediately hashes it and throws the original away — it has processed personal data. The GDPR applied the moment that IP hit your server.
Most of the popular “privacy-first” analytics tools work this way. They hash your IP address along with your User-Agent and a daily salt. Some use a rotating key instead. They all argue this is privacy-friendly because the raw IP isn’t stored. And compared to Google Analytics, they’re absolutely right — it’s a massive improvement.
But calling it anonymous? That’s where things get legally shaky.
Pseudonymous is not anonymous
GDPR Article 4(5) defines pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” A hash derived from an IP address fits this definition exactly. You’ve obscured the original data, but you derived the output from personal data. The result is pseudonymous.
The European Data Protection Board makes this explicit in their guidance on securing personal data: pseudonymised data is still personal data and is still subject to GDPR. Pseudonymisation is a security measure, not an exemption. It reduces risk, but it doesn’t eliminate your obligations.
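The hash-plus-daily-salt scheme described above, as an added example (not code from INSG or from any of the tools mentioned). It shows why the output is pseudonymous: the stored ID links a visitor's requests within the day, and whoever holds the salt can recompute the ID for a candidate IP and match it to the stored record. The hash construction, salts, documentation-range IPs, and function names are all constructed assumptions.

```python
import hashlib

# Constructed sample values (documentation-range IPs, made-up salts).
SALT_DAY1 = b"constructed-salt-2024-05-01"
SALT_DAY2 = b"constructed-salt-2024-05-02"
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"


def visitor_id(ip, user_agent, daily_salt):
    """Hypothetical 'privacy-friendly' ID: SHA-256 over salt, IP and User-Agent."""
    material = daily_salt + b"|" + ip.encode() + b"|" + user_agent.encode()
    return hashlib.sha256(material).hexdigest()


def attribute(stored_id, candidates, user_agent, daily_salt):
    """The 'additional information' of Article 4(5) in action: with the salt,
    recompute the ID for each candidate IP and return the one that matches."""
    for ip in candidates:
        if visitor_id(ip, user_agent, daily_salt) == stored_id:
            return ip
    return None


def demo():
    stored = visitor_id("203.0.113.7", UA, SALT_DAY1)    # what the tool keeps
    candidates = [f"203.0.113.{n}" for n in range(256)]  # one /24, constructed
    return {
        # Same inputs on the same day give the same ID: requests are linkable.
        "same_day_linkable": stored == visitor_id("203.0.113.7", UA, SALT_DAY1),
        # Rotating the salt breaks linkage across days, not within a day.
        "next_day_unlinkable": stored != visitor_id("203.0.113.7", UA, SALT_DAY2),
        # With the day's salt the record is attributable to an IP again.
        "with_salt": attribute(stored, candidates, UA, SALT_DAY1),
        # Without the right salt the same search finds nothing.
        "wrong_salt": attribute(stored, candidates, UA, SALT_DAY2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
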
Anonymous data, by contrast, is data that was never derived from personal data in the first place — or has been processed to the point where re-identification is impossible by any reasonable means. Recital 26 of the GDPR explicitly excludes anonymous data from the regulation’s scope. If your data is truly anonymous, GDPR doesn’t apply to it at all.
The distinction matters enormously in practice. Pseudonymous data means you still need a legal basis for processing (most tools rely on Article 6(1)(f), legitimate interest). You still need to mention it in your privacy policy. You may still need a Data Processing Agreement with your analytics provider. And depending on how strict your local DPA is, you might still need a consent banner.
Anonymous data means none of that applies. No legal basis needed. No privacy policy mention required for the analytics data. No DPA. No consent banner. It’s not that you found a loophole — it’s that the regulation was never designed to cover data that can’t identify anyone.
How INSG counts unique visitors
When we built INSG, we asked a simple question: what if we could count unique visitors accurately without storing any identifier at all — not an IP, not a hash, nothing?
Here’s what happens when someone visits a site running INSG:
The tracking script fires a single request to our edge server. We record the page URL, the referrer, the country (derived from the edge location, not the IP), the browser family, and the device type. The visitor’s data is processed transiently in server memory — the same way every web server processes every HTTP request — and fed into an irreversible anonymization pipeline that produces a compact statistical summary. That summary can answer one question: “approximately how many distinct visitors?” Individual visitor records don’t exist in the output. It is mathematically impossible to recover any individual’s data from what we store.
Everything identifiable is discarded immediately and permanently. Only the summary is stored. You can’t extract who visited, can’t reverse-engineer identities, can’t correlate entries across time periods. The accuracy is within a few percent of exact counts — for most sites, you’ll never notice the difference.
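The page does not name the structure behind its "compact statistical summary". As an added example (not INSG's code), here is HyperLogLog, one widely used sketch with the properties described: it stores a fixed array of small integers, answers "approximately how many distinct inputs?", and keeps no per-input record. The class name, register count, and input keys are assumptions.

```python
import hashlib
import math

P = 12          # assumption: 2**12 registers, about 1.6% standard error
M = 1 << P


class DistinctCounter:
    """Minimal HyperLogLog: keeps M small integers, never the inputs."""

    def __init__(self):
        self.registers = bytearray(M)

    def add(self, transient_key):
        # transient_key exists only for the duration of this call.
        digest = hashlib.sha256(transient_key.encode()).digest()
        h = int.from_bytes(digest[:8], "big")
        idx = h >> (64 - P)                       # first P bits pick a register
        rest = h & ((1 << (64 - P)) - 1)          # remaining 52 bits
        rank = (64 - P) - rest.bit_length() + 1   # position of the first 1-bit
        if rank > self.registers[idx]:
            self.registers[idx] = rank            # only the maximum survives

    def estimate(self):
        alpha = 0.7213 / (1 + 1.079 / M)
        raw = alpha * M * M / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * M and zeros:              # small-range correction
            return M * math.log(M / zeros)
        return raw


def count_visitors(keys):
    """Feed keys through the sketch; return (estimate, stored size in bytes)."""
    counter = DistinctCounter()
    for key in keys:
        counter.add(key)
    return counter.estimate(), len(counter.registers)


if __name__ == "__main__":
    keys = [f"visitor-{i}" for i in range(20000)]  # constructed inputs
    est, size = count_visitors(keys + keys)        # every visitor seen twice
    print(f"estimate={est:.0f} true=20000 stored_bytes={size}")
```

Repeat visits leave the registers unchanged, so the estimate counts distinct inputs rather than requests, and the stored state stays at 4096 bytes no matter how many visitors are added.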
We don’t set cookies. We don’t fingerprint the browser. No personal data is stored anywhere in the pipeline.
The result: the data INSG stores is genuinely anonymous. Not pseudonymous-but-we-call-it-anonymous. Actually anonymous. GDPR doesn’t apply to the analytics data because there’s nothing in it that could identify a person, directly or indirectly. No consent banner needed. No DPA needed.
How sessions work without fingerprinting
But wait — if you can’t identify visitors, how do you track page flows and funnels?
INSG uses random session tokens. When a visitor opens your site, the tracker generates a random token in the browser. This token links pageviews within one tab — /blog → /pricing → /checkout — enabling session flows, funnel tracking, bounce detection, and time on site.
The token is random (not derived from IP or any personal data), ephemeral (dies when the tab closes), not a cookie (different legal treatment under ePrivacy), and not linkable across sessions or devices. Under GDPR, data that cannot identify or single out a natural person is not personal data. A random token that expires on tab close meets this standard.
Revenue attribution without tracking people
INSG also captures UTM attribution data when visitors land from campaigns. When the visitor converts, your checkout code calls insg.getAttribution() and passes the result to Stripe as metadata. When the payment clears, INSG matches revenue to the original traffic source.
You see: Twitter Ads → 12 conversions → $96 MRR. Google Organic → 8 conversions → $64 MRR.
The attribution data describes the traffic source, not the person. It’s campaign metadata, not user identity. Other major privacy analytics tools can’t do this. We can, without storing a single piece of personal data.
The bottom line
The privacy analytics market has a credibility problem. Tools market themselves as “GDPR-compliant” and “anonymous” while hashing IP addresses by default — which, under the letter of the law, is processing personal data. They’re vastly better than Google Analytics, no question. But the marketing often overstates the legal reality.
INSG takes a different position. We never store IP addresses, hashes, or any personal identifier. Unique visitors are counted with an irreversible anonymization pipeline — it is mathematically impossible to extract individual visitor data from what we store. Sessions are tracked with random tokens that die on tab close. Revenue is attributed through campaign metadata, not user tracking.
The data we store is irreversibly anonymous — not pseudonymous, not “we delete it after 24 hours,” anonymous. GDPR doesn’t apply because there’s nothing that could identify anyone.
Other tools make IP hashing the default and tell you not to worry about it. We made a system where there’s genuinely nothing to worry about. That’s what “privacy-first” should actually mean.
INSG is free to start, with all tracker modules included on every plan.