Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Hubalz is an EU based, privacy first web analytics platform aimed at SaaS founders, agencies and small to mid sized publishers who want a simple alternative to Google Analytics. The product runs cookieless by default, derives a daily session identifier from a salted hash of IP plus user agent, and stores aggregated data only. Hubalz hosts everything on EU infrastructure and does not integrate with advertising networks, which makes it one of the most compliance friendly analytics tools for European websites.
Hubalz is an EU based privacy first analytics platform built for SaaS founders, agencies and small to mid sized publishers. It ships as a lightweight JavaScript snippet, a managed back end and a clean dashboard. The product is positioned against Google Analytics 4 with the explicit goal of being deployable without a cookie banner across the EU.
Hubalz collects page views, referrer, country derived from the IP, device class, browser, screen breakpoint, time on page and custom events declared by the site owner. The session identifier is derived server side from a salted hash of IP and user agent and the salt rotates every 24 hours, so the value cannot be linked across days. The full IP address is not stored.
Because Hubalz does not write to or read from the device, Article 5(3) of the ePrivacy Directive does not apply to the analytics path. The cookieless session ID, the IP anonymisation and the absence of third party sharing make the default deployment compatible with the CNIL exemption for audience measurement. Custom events that capture personal data still fall under the GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In the default configuration, Hubalz can be deployed without a cookie banner across the EU, including in France under the CNIL exemption and in Germany under the TTDSG essential cookie test. Site owners must still provide a transparent privacy notice that explains what is measured and how to object. Activating the optional first party cookie or capturing identifying custom events can move the deployment back into the consent regime.
Hubalz is hosted on EU infrastructure (Hetzner Germany, OVHcloud France). No data leaves the European Union. There are no Google or Meta dependencies, no IAB TCF participation and no advertising profiling. Sub processors are limited to EU based hosting and notification providers.
Sign the Hubalz DPA, document the Legitimate Interest Assessment for cookieless audience measurement, mention Hubalz and the EU hosting in the privacy notice, avoid sending personal data through custom events without an opt in and re evaluate the configuration if you decide to enable the optional first party cookie or to bridge Hubalz data with a CRM.
Websites using Hubalz must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Hubalz in its default cookieless configuration. It may become relevant if the deployment is enriched with custom event tracking that captures personal data fields, behavioural scoring or integration with external CRM systems.
Sample consent text
This site uses Hubalz Analytics in cookieless mode to count visitors and understand which content works. No cookies are set, no personal data is shared with third parties, and analytics data is stored on EU servers. No consent is required for this configuration.
Third-party domains contacted
hubalz.comapp.hubalz.comcdn.hubalz.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| hubalz_id | persistent | 12 months | Optional first party identifier set only when the customer explicitly enables cookie based session tracking. Disabled by default. |
Hubalz collects user analytics data — you legally need a consent banner. Try FlowConsent free.
In its default configuration Hubalz sets no cookies at all. Sessions are derived server side from a daily rotating salted hash of IP and user agent. Customers can optionally enable a first party hubalz_id cookie for higher accuracy on returning visitors, in which case Article 5(3) ePrivacy applies and consent becomes required.
Not in the default cookieless configuration. Hubalz can be deployed without a cookie banner across the EU under the CNIL exemption for audience measurement and the TTDSG essential cookie test in Germany. A clear privacy notice is still required.
Legitimate interest (Art. 6(1)(f) GDPR) for the cookieless audience measurement, supported by a documented Legitimate Interest Assessment. Consent (Art. 6(1)(a) GDPR) becomes the legal basis if the optional first party cookie is enabled or if custom events capture personally identifying data.
No. Hubalz is hosted on EU infrastructure and data does not leave the EU. There are no Google or Meta dependencies and no IAB TCF participation.
Generally no. Cookieless analytics on EU servers, with no advertising integration and no third party sharing, do not meet the DPIA threshold. A DPIA may become relevant if you bridge Hubalz with a CRM, capture sensitive personal data through custom events or operate at very large scale.
Use the cookieless default, sign the Hubalz DPA, write a privacy notice that mentions Hubalz and the EU hosting, set a sensible data retention (12 months by default) and avoid sending personal data through custom events without an opt in.
Other privacy first analytics tools include Plausible (EU hosted, cookieless), Fathom (EU hosted), Umami (self hosted), Matomo (self hosted, cookieless mode), Pirsch (Germany), Simple Analytics (Netherlands), Rybbit and GoatCounter (open source). All can be deployed without a cookie banner under the CNIL exemption when configured correctly.
List Hubalz with the publisher, the purpose (audience measurement), the legal basis (legitimate interest in cookieless mode), the storage location (EU), the cookies (none by default, optional hubalz_id if enabled) and the retention period.