How our privacy works

Most analytics tools make you choose between privacy and useful data. We don't. Here's exactly how INSG gives you full analytics — visitors, journeys, funnels, revenue attribution — without storing a single piece of personal data.

What we never store

  • IP addresses — your IP is processed transiently in memory to help count visitors, but it is never written to disk, never logged, and never stored in any database.
  • User agent strings — we extract the browser name and OS for dashboards; the raw string is used only in transient processing and then discarded.
  • Recoverable hashes of personal data — other tools hash IP + User-Agent and store that hash for 24 hours. Those hashes can be brute-forced or rainbow-tabled. We go further: personal data is hashed, then immediately destroyed by feeding it into a mathematical structure that makes reconstruction impossible (see below).
  • Cookies — none set, none read. No consent banner required.
  • Browser fingerprints — we don't canvas fingerprint, enumerate fonts, or probe APIs to identify browsers.

What we do store

  • Page URL and referrer — which pages were visited and where traffic came from.
  • Country — derived from the edge location, not from the IP address.
  • Browser family and OS — "Chrome" and "macOS", not the full user agent string.
  • Device type and screen size — desktop, mobile, or tablet.
  • UTM campaign parameters — source, medium, campaign, term, content.
  • Engagement events — scroll depth, time on page, outbound clicks, custom events you define.
  • Behavioral signals as aggregate rollups — rage clicks, dead clicks, scroll hesitations, and reading speed are stored as hourly aggregate counts, not as individual reconstructible events. You see "42 rage clicks on /pricing this hour," not a timeline of one visitor's frustration.

None of this data can identify, single out, or track a specific person. It's aggregate behavioral data about your site, not about your visitors.

How we count unique visitors

Other tools hash your IP address and store that hash to count unique visitors. That hash is derived from personal data, which makes it pseudonymous — still personal data under GDPR, still something that could be reversed with a rainbow table or brute force.

We use a fundamentally different approach. Here's what actually happens when a visitor loads a page:

1. Transient IP processing

Your IP address arrives at the edge and is held only in memory. It is never written to disk, never logged, never stored in any database.

2. Mixed with environmental signals

The IP is combined with environmental variables — browser type, language preference, screen width — and a daily rotating salt (today's date). This means even the intermediate hash changes completely every day. You cannot be correlated across days.

3. Cryptographically hashed

The combined data is run through a one-way cryptographic hash (SHA-256). This produces a fixed-length fingerprint. The IP address and all personal data are discarded at this point — they exist nowhere in the system.

4. Fed into a probabilistic counting structure

The hash is checked against a server-side dedup cache (24-hour TTL matching the daily salt rotation) to determine new vs. returning visitors. It is then fed into a compact mathematical structure that can only answer one question: "approximately how many distinct values have I seen?" This structure stores only statistical register values — not the hashes themselves. Multiple different visitors collapse into the same register slots. Behavioral signals (rage clicks, dead clicks, scroll depth, reading speed) are aggregated into hourly rollup counters — never stored as individual events. It is mathematically impossible to recover any individual hash, IP address, or identity from these structures.

5. What remains

A ~16 KB statistical summary per site per hour. It knows "about 847 unique visitors this hour." It does not know who they were, where they came from, or anything else about them. This is all we store for visitor counting.

The accuracy is within 1% of exact counts — for most sites, you won't notice the difference. What you will notice: there's nothing in our database that could ever identify your visitors, even if our servers were compromised.
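Steps 2 to 4 above, as an added example that is not INSG's own code. The page does not name the counting structure, so a HyperLogLog with 2^14 one-byte registers is assumed because it matches the stated ~16 KB size; the field order, separator, date format and all function names are also assumptions.

```python
import hashlib
import math

# Assumed parameters: 2**14 one-byte registers = 16 KiB per sketch.
P = 14
M = 1 << P

def visitor_hash(ip, browser, lang, width, day):
    """Steps 2-3: mix the IP with environment signals and the date salt, then SHA-256."""
    material = "|".join([ip, browser, lang, str(width), day]).encode()
    return hashlib.sha256(material).digest()

class VisitorSketch:
    """Step 4: keeps only per-register maxima, never the hashes fed in."""
    def __init__(self):
        self.registers = bytearray(M)

    def add(self, digest):
        x = int.from_bytes(digest[:8], "big")
        idx = x >> (64 - P)                      # top P bits pick a register
        rest = x & ((1 << (64 - P)) - 1)         # remaining 50 bits
        rank = (64 - P) - rest.bit_length() + 1  # position of the first 1-bit
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def estimate(self):
        alpha = 0.7213 / (1 + 1.079 / M)
        raw = alpha * M * M / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * M and zeros:             # small-range (linear counting) correction
            return M * math.log(M / zeros)
        return raw

def count_hour(visits):
    """visits: iterable of (ip, browser, lang, width, day) tuples."""
    sketch = VisitorSketch()
    for v in visits:
        sketch.add(visitor_hash(*v))
    return sketch

# Constructed sample traffic: 5000 distinct visitors, each seen twice.
SAMPLE = [(f"198.51.100.{i % 256}", "Chrome", "en", 1000 + i, "2024-01-01")
          for i in range(5000)] * 2

if __name__ == "__main__":
    print(round(count_hour(SAMPLE).estimate()))
```

At this register count the standard error of HyperLogLog is 1.04/√16384 ≈ 0.8%, which is consistent with the "within 1%" figure above.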

Why this is irreversible — not just "hard to reverse"

A stored hash (like the ones Plausible or Fathom use) is pseudonymous — there are only ~4 billion IPv4 addresses, so a hash of an IP can be brute-forced in seconds. Our approach is fundamentally different:

  • Information is destroyed, not hidden. The counting structure records only the statistical pattern of the data, not the data itself. Multiple visitors map to the same register slot — the structure literally cannot distinguish them.
  • It's like a turnstile counter. You can read "847 people entered today" but you cannot reconstruct who they were. That information was never recorded — it was counted and thrown away.
  • Daily salt prevents cross-day correlation. Even the intermediate hash changes completely every midnight. The same visitor produces a totally different hash tomorrow.

The key difference

  • Other tools: Hash your IP → Store the hash for 24h. Pseudonymous. Still personal data. Brute-forceable.
  • INSG: Hash your IP → Destroy the hash into a counting structure. Irreversibly anonymous. Not personal data. Mathematically unrecoverable.

How session journeys work

INSG tracks page flows within a single visit — /blog → /pricing → /checkout — so you can see funnels, detect bounces, and measure engagement. Most tools use fingerprinting or persistent identifiers to do this. We don't.

Session IDs are computed entirely server-side, derived from the same daily-rotating anonymous visitor hash described above. When a pageview arrives, the server deterministically generates a session identifier from the visitor hash — no client-side UUID, no sessionStorage, no browser-side state. The tracker writes nothing to cookies, localStorage, or sessionStorage. The only client-side storage access is a localStorage read to check for the opt-out flag (insg_ignore).

Why this isn't personal data

  • Derived from an anonymous hash — the session ID is computed from the same irreversible visitor hash, not from any personal information.
  • Server-side only — no tokens are stored in the browser. Zero client-side storage writes.
  • Daily rotation — the underlying visitor hash changes every day, so sessions cannot be correlated across days.
  • Not linkable — you can't connect two sessions from the same person across visits or devices.

Under GDPR, data that cannot identify or single out a natural person is not personal data. A server-computed session ID derived from an irreversible anonymous hash, with no client-side persistence, meets this bar.

How revenue attribution works

When a visitor lands on your site from a UTM-tagged link or referrer, INSG captures that attribution data in the browser. When the visitor converts and your checkout code runs, it can call insg.getAttribution() to get the original traffic source. You pass this to Stripe (or any payment provider) as metadata.

When the payment completes, INSG matches the revenue to the traffic source. Your dashboard shows: Twitter Ads → 12 conversions → $96 MRR. You see exactly which channels make you money.

All of this happens without storing personal data. The attribution data (UTM parameters, referrer URL, landing page) describes the traffic source, not the person. It's marketing campaign metadata, not user identity.

Event data sanitization

All event data undergoes automatic server-side sanitization before storage, preventing accidental collection of personal information even if it appears in URLs, form data, or page content:

  • Email pattern stripping — any string matching an email pattern is automatically removed from event data before storage.
  • URL query string removal — form action URLs, outbound links, and file download URLs are stripped to hostname and path only. Query strings (which often contain personal data like email, tokens, or IDs) are never stored.
  • DOM snapshot text redaction — when DOM snapshots are captured for heatmaps, all visible text is replaced with block characters. Snapshots are further limited to elements explicitly opted in via data-hm-paths attributes.
  • Copy-text truncation — text copied by visitors is limited to 20 characters with email pattern redaction applied, preventing accidental capture of personal data from clipboard events.
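
The sanitization rules listed above, as an added example that is not INSG's own code. The email pattern, the event schema and every function name are assumptions; only the 20-character limit and the hostname-and-path rule come from the page.

```python
import re
from urllib.parse import urlsplit

# Assumed pattern and names; the page does not publish INSG's actual rules.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
COPY_LIMIT = 20  # character limit stated on the page

def strip_emails(text):
    return EMAIL_RE.sub("", text)

def strip_url(url):
    """Reduce a URL to hostname + path; query, fragment, port and userinfo go."""
    parts = urlsplit(url)
    return strip_emails((parts.hostname or "") + parts.path)

def sanitize_copy_text(text):
    # Redact before truncating: cutting first can leave a fragment such as
    # "alice@exampl" that no longer matches the pattern but still leaks.
    return strip_emails(text)[:COPY_LIMIT]

def redact_dom_text(text):
    # Whitespace is kept so layout survives (an assumption of this example).
    return "".join(c if c.isspace() else "\u2588" for c in text)

def sanitize_event(event):
    """event: dict with optional 'url', 'copied', 'dom_text' keys (hypothetical schema)."""
    clean = dict(event)
    if "url" in clean:
        clean["url"] = strip_url(clean["url"])
    if "copied" in clean:
        clean["copied"] = sanitize_copy_text(clean["copied"])
    if "dom_text" in clean:
        clean["dom_text"] = redact_dom_text(clean["dom_text"])
    return clean

# Constructed sample event.
SAMPLE_EVENT = {
    "type": "outbound_click",
    "url": "https://shop.example/checkout/done?email=alice%40example.com&token=abc#top",
    "copied": "Contact alice@example.com for a refund please",
    "dom_text": "Hi Bob",
}
```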

AI traffic detection

INSG automatically detects and labels traffic from AI assistants and AI-powered search engines — including ChatGPT, Perplexity, Claude, and others. This lets you see how much of your traffic comes from AI-driven sources and how those visitors behave differently. This detection is based on user-agent string analysis (the same data we already extract browser names from) and does not involve any additional data collection.

GDPR, ePrivacy, and EU compliance

Because INSG stores no personal data, GDPR does not apply to the analytics data itself. Recital 26 of the GDPR explicitly excludes anonymous data from the regulation's scope.

  • No consent banner needed — no cookies or personal data processing to consent to.
  • No DPA required — no personal data is shared with or processed by INSG.
  • No privacy policy mention needed — though you're welcome to mention you use INSG for analytics.
  • Edge processing — all data is processed on our global edge network, close to where your visitors are.

This isn't a loophole or a creative legal interpretation. When there's no personal data, GDPR simply doesn't apply to that data. That's how the regulation was designed.

Global compliance

Every major privacy law in the world shares the same principle: they regulate personal data. When no personal data is collected, stored, or shared, these laws simply don't apply to the analytics data. INSG was designed from the ground up to stay outside that scope entirely.

  • GDPR (EU / EEA): Anonymous data excluded under Recital 26. No consent, DPA, or privacy policy mention required.
  • ePrivacy Directive (EU / EEA): No cookies set or read. No persistent storage accessed. No consent banner required.
  • UK GDPR & PECR (UK): Same anonymous data exclusion as EU GDPR. No cookies means PECR doesn't apply.
  • CCPA / CPRA (US, California): No personal information collected. Nothing to sell or share. No "Do Not Sell" link needed.
  • PIPEDA (Canada): No personal information collected. Consent obligations do not apply.
  • LGPD (Brazil): Anonymous data excluded, same framework as GDPR. No legal basis or consent required.
  • Privacy Act 1988 (Australia): No personal information collected. Australian Privacy Principles do not apply.
  • POPIA (South Africa): Anonymous data excluded from scope. No registration or consent required.
  • PDPA (Singapore): No personal data collected or processed. Consent and notification obligations do not apply.
  • APPI (Japan): No personal information handled. Obligations under the Act do not apply to anonymous data.

Why this works everywhere

Privacy laws differ in scope, enforcement, and terminology — but they all regulate the same thing: personal data. When analytics data is irreversibly anonymous and contains nothing that could identify, single out, or track a specific person, it falls outside the scope of these regulations entirely. INSG doesn't rely on exemptions, consent frameworks, or legal workarounds. We simply don't collect the data these laws were written to protect.

What you still get

Privacy doesn't mean giving up data. Here's everything INSG provides without storing a single piece of personal information:

Traffic

  • Unique visitors (high accuracy)
  • Pageviews and bounce rate
  • Real-time visitor count
  • Time on page and attention time

Sources

  • Referrer tracking
  • UTM campaign attribution
  • Revenue per traffic source
  • Conversion rates by channel

Behavior

  • Session journeys and page flows
  • Funnel conversion tracking
  • Scroll depth and reading speed
  • Rage clicks and dead clicks

Technical

  • Web Vitals (LCP, CLS, INP)
  • Browser, OS, device breakdown
  • Country-level geography
  • Custom events and goals

Full analytics. Zero personal data. No compromise.