Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Ackee is a privacy first open source web analytics platform developed by German indie developer Tobias Reich. It is designed for self hosting, ships under the MIT license and explicitly avoids cookies, persistent identifiers and fingerprinting. Visitor counts are derived from a daily one way hash that resets every 24 hours, making it one of the simplest GDPR friendly alternatives to Google Analytics for small and medium websites.
Ackee is a self hosted, open source web analytics platform created by Tobias Reich (Berlin, Germany). It is distributed under the MIT license and aimed at developers, designers and small site owners who want a simple Google Analytics replacement without the privacy baggage. Ackee runs as a Node.js application backed by MongoDB and is typically deployed with Docker on a small VPS in the EU. It has no central SaaS: every Ackee instance is operated by the customer. The dashboard exposes views, durations, top pages, events, referrers, devices, browsers, languages, screen sizes and OS, all aggregated daily.
Each page view sends an event to the Ackee GraphQL API containing the URL, referrer, language, device, OS and screen size. Ackee does not store the raw IP address: it derives a daily one way hash from IP + User Agent + a server side salt that rotates daily, which makes it impossible to follow a visitor across days or to reverse the hash. No cookies and no localStorage are used. Optional events (button clicks, form submissions) can be tracked but always with the same anonymous identifier.
Because Ackee writes nothing on the visitor''s device, Article 5(3) of the ePrivacy Directive does not apply. Because the daily salt makes the hash non reversible, the data is effectively anonymous from a single day perspective. The CNIL French audience measurement exemption, the BfDI guidance on Reichweitenmessung and the Norwegian datatilsynet position on cookieless analytics all align: tools like Ackee can be used without consent under legitimate interest. The customer fully controls retention and deletion.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In its default configuration, no. Ackee can run without a consent banner and without an entry in the cookie policy because it sets no cookies and uses no localStorage. If the administrator switches to the detailed visitor mode that keeps the IP hash for 24 hours, a privacy notice should be displayed but consent is still not generally required. The Tracker.with() options allow disabling specific data points (referrer, language, screen) to further minimise the dataset.
None outside the customer''s own infrastructure. Ackee is self hosted: there is no project run SaaS. EU customers typically deploy on Hetzner, Scaleway, OVHcloud or any EU friendly Kubernetes platform. The privacy notice does not need to mention any third country recipient. Sub processors of the chosen hosting provider remain part of the picture and should be referenced separately.
Self host Ackee on an EU server, configure a strong daily salt, keep the data retention to the minimum that matches your reporting needs (default is unlimited but you can purge older records), document Ackee in your privacy policy with the legal basis (legitimate interest) and the data minimisation features, and verify with browser dev tools that no Ackee cookies are set. Consider Plausible, Fathom EU or Matomo with cookie free configuration as well known alternatives in the same family.
Websites using Ackee must obtain user consent under GDPR regulations.
DPIA considerations
Ackee is almost never a DPIA trigger: no third party transfer, no persistent identifiers and no special category data. Document it briefly in the Article 30 register as a first party server side analytics tool. A wider DPIA may include Ackee only as one of several measurement tools.
Sample consent text
We use Ackee, a self hosted privacy first analytics tool, to count page views. No cookies are set and no personal data leaves our servers.
Third-party domains contacted
<your-ackee-server>github.com/electerious/Ackeehub.docker.com (only for image pull, not at runtime)Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies set | none | N/A | Ackee is designed without cookies. It does not write anything on the visitor's browser; the daily anonymous ID lives only on the Ackee server and is derived from a salted hash that rotates every 24 hours. |
Ackee collects user analytics data — you legally need a consent banner. Try FlowConsent free.
No. Ackee does not set cookies and does not use localStorage. It only sends a single event per page view to the self hosted Ackee server, which is computed without any persistent client side identifier.
No. Article 5(3) of the ePrivacy Directive only triggers when information is stored or read on the user device. Ackee writes nothing on the device. The French CNIL audience measurement exemption and similar guidance in Germany, Norway and Spain align with this analysis.
Legitimate interest under Article 6(1)(f) GDPR. The processing is strictly aggregated, first party, non shared and on the customer's own infrastructure, which fits within the conditions set by EU DPAs for audience measurement exemptions.
Not by Ackee itself. Ackee is self hosted: no SaaS is operated by the project. As long as you deploy on EU infrastructure, no cross border transfer takes place. Only your hosting provider remains in the picture as a sub processor.
Almost never. The risk to data subjects is minimal because the processing is aggregated, cookieless and first party. Document Ackee briefly in your Article 30 register and move on.
Deploy Ackee in an EU region (Docker on Hetzner, Scaleway, OVHcloud), set a strong unpredictable daily salt, expose the dashboard only to authenticated administrators, retain raw events for the shortest period needed, and add a short paragraph in your privacy policy explaining the legitimate interest basis.
Plausible Analytics (EU SaaS or self hosted), Fathom Analytics with EU isolation, Matomo Analytics in cookie free mode, Umami (self hosted), Pirsch (EU SaaS, Germany), GoatCounter (open source). All can be configured for cookieless audience measurement.
Strictly speaking no, because no cookies are set. You can still add a short mention in the privacy policy explaining that Ackee is the audience measurement tool, that it is self hosted in the EU and that no cookies or persistent identifiers are used. This transparency is appreciated by privacy regulators.