Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Countly is a product analytics platform available in two flavours: an open source self hosted Community Edition and an Enterprise Edition that can be self hosted or used as a managed SaaS. It tracks sessions, views, events, crashes and user properties for web and mobile apps, with strong support for privacy controls (no cookie mode, IP anonymisation, consent gating, automatic data deletion). For EU sites it can be deployed as a fully self hosted, GDPR friendly alternative to Google Analytics.
Countly is an open source product analytics platform developed by Count Ly Ltd (UK) and Count Ly Inc. (USA). It collects sessions, views, custom events, crashes, performance metrics and user properties for web and mobile applications. Countly is available as an open source Community Edition (self hosted under AGPL) and as a paid Enterprise Edition (self hosted or managed SaaS). Compared to Google Analytics, Countly was designed with privacy controls in mind: consent gating, no cookie mode, automatic IP anonymisation, configurable retention and per user data deletion are all built in.
By default the web SDK collects session start and end, page views, screen size, locale, referrer, custom events and crashes. It generates a device identifier stored in localStorage (cly_id) or in a first party cookie if the developer enables it. Without explicit configuration Countly does not set third party cookies; localStorage values can be cleared by the visitor. Countly''s no cookie mode disables persistent identifiers and uses a session only random ID. IP addresses can be truncated or removed on ingestion at the server level.
In default mode, Countly stores data on the visitor''s device (localStorage), which triggers Article 5(3) of the ePrivacy Directive: consent is required because the identifier is not strictly necessary for the requested service. In no cookie mode with anonymised IPs and short retention, several EU DPAs (CNIL French audience measurement exemption, BfDI guidance, Norwegian and Danish DPAs) recognise the lawful basis as legitimate interest under Article 6(1)(f) GDPR. Countly''s Consent API can gate the entire SDK behind a consent decision and even remove specific feature streams (events, crashes, user properties).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In default mode with persistent identifiers, yes. In hardened mode (no cookie, no localStorage, IP anonymisation, no shared data with third parties, short retention, self hosted in the EU), Countly can be used without consent under the audience measurement exemption that several EU DPAs publish. The Countly documentation explicitly supports both flows and exposes a Consent API to switch between them.
In self hosted Community or Enterprise mode, no data leaves the customer''s chosen infrastructure. With Countly SaaS, Count Ly Inc. (USA) and Count Ly Ltd (UK) act as processors. EU customers can ask for the EU region. Count Ly Inc. relies on the EU US Data Privacy Framework for transfers to certified entities and SCCs for any remaining flows. The DPA is publicly available.
For maximum compliance, self host Countly Community in an EU region, enable no cookie mode and IP anonymisation, configure retention to a few weeks, and either rely on legitimate interest with a clear notice or wire Countly behind a consent banner using the Consent API. Update the privacy policy with the Countly deployment details and reference the AGPL license for transparency. Document the integration in the Article 30 record.
Websites using Countly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is rarely triggered by Countly itself, especially in self hosted mode where the controller fully owns the stack. For Countly SaaS with US region or for enterprise deployments combining Countly with extensive user profiling, document the integration in a DPIA covering the lawful basis, the recipients and the retention.
Sample consent text
We use Countly for product analytics. By default, no Countly cookies are set and your IP address is anonymised. You can change your preferences at any time.
Third-party domains contacted
count.lytry.count.lyapi.count.ly<your-countly-server>cdn.jsdelivr.net (when loading the SDK from a CDN)Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cly_id (localStorage) | first party (localStorage) | Until cleared | Device identifier stored in localStorage by the Countly Web SDK to recognise the same browser across sessions. Not technically a cookie but qualifies as storage on the device under Article 5(3) ePrivacy. |
| cly_session (localStorage) | first party (localStorage) | Session | Marks an active Countly session in the browser; cleared when the session ends. |
| cly_event (localStorage) | first party (localStorage) | Until cleared | Holds queued events that have not yet been sent to the Countly server (used for batched delivery and offline reliability). |
| cly_token (optional first party cookie) | first party | 1 year | Optional first party cookie set when the developer enables cookie based identification instead of localStorage. |
Countly collects user analytics data — you legally need a consent banner. Try FlowConsent free.
By default Countly stores a device identifier in localStorage (cly_id) and a few preference keys (cly_session, cly_event). It does not set third party cookies. In no cookie mode none of this is stored; only a session ID lives in memory for the page lifetime.
In default mode yes, because localStorage values qualify as storing information on the device under Article 5(3) of the ePrivacy Directive. In hardened mode (no cookie, IP anonymisation, short retention, self hosted EU) Countly can fit the audience measurement exemption in France, Germany, Norway and other EU jurisdictions.
Consent under Article 6(1)(a) GDPR for default mode. Legitimate interest under Article 6(1)(f) for hardened mode when the supervisory authority recognises the audience measurement exemption.
Not in self hosted mode if the server is in the EU. In Countly SaaS, Count Ly Inc. (USA) and Count Ly Ltd (UK) are processors; transfers rely on the EU US Data Privacy Framework and SCCs in the Countly DPA.
Rarely. Self hosted hardened mode is low risk and well documented. Document the integration in the Article 30 record. Include Countly in a wider DPIA when combined with extensive A/B testing, behavioural segmentation or large scale user profiling.
Self host the Community Edition in an EU region, enable no cookie mode (Countly.add_consent only the categories you need), anonymise IP at ingest, configure retention to the minimum, and document the deployment in your privacy policy with a reference to the AGPL license.
Matomo (self hosted), Plausible (self hosted or EU SaaS), Fathom Analytics (EU mode), Umami (self hosted), PostHog (self hosted), Piwik PRO (EU SaaS), and the EU based Pirsch Analytics. All can be configured for GDPR friendly audience measurement.
For default mode, list cly_id and any first party cookies under Analytics with provider, purpose, retention and the legal basis (consent). For no cookie mode, mention Countly in the privacy policy under analytics with no cookie storage and rely on legitimate interest with the exemption.