Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Rybbit is an open source, privacy first web analytics platform positioned as a lightweight, cookieless alternative to Google Analytics, Plausible and Fathom. The default configuration runs without cookies, derives a daily rotating session ID from a salted hash of IP plus user agent and stores aggregated data only. Rybbit Cloud is hosted in Germany (Hetzner) and the server stack is fully open source for self hosting, which makes Rybbit one of the most compliance friendly analytics tools for European websites.
Rybbit is an open source, privacy first analytics platform aimed at indie hackers, SaaS teams and EU based publishers who want to drop Google Analytics. It ships as a lightweight JavaScript snippet, a small server stack written in Go and a modern dashboard. Rybbit Cloud runs from Hetzner Falkenstein in Germany; the same stack can be self hosted on any Linux server.
Rybbit collects page views, referrers, country derived from IP, device class, browser, screen breakpoint, time on page and custom events declared by the site owner. The session identifier is derived server side from a salted hash of IP plus user agent and the salt rotates every 24 hours, so the value cannot be linked across days. The full IP address is not stored.
Because Rybbit does not write to or read from the device, Article 5(3) of the ePrivacy Directive does not apply to the analytics path. The cookieless session ID, the IP anonymisation and the absence of third party sharing make the default deployment compatible with the CNIL exemption for audience measurement. Custom events that capture personal data still fall under the GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In the default configuration, Rybbit can be deployed without a cookie banner across the EU, including in France under the CNIL exemption and in Germany under the TTDSG essential cookie test. Site owners must still provide a transparent privacy notice that explains what is measured and how to object. Activating the optional first party cookie or capturing identifying custom events can move the deployment back into the consent regime.
Rybbit Cloud is hosted in Germany. No data leaves the European Union. Self hosters control the geography entirely. There are no Google or Meta dependencies, no IAB TCF participation and no advertising profiling.
Sign the Rybbit DPA when using Rybbit Cloud, document the Legitimate Interest Assessment for cookieless audience measurement, mention Rybbit and the EU hosting in the privacy notice, avoid sending personal data through custom events without an opt in, and re evaluate if you decide to enable the optional first party cookie or to bridge Rybbit data with a CRM.
Websites using Rybbit must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Rybbit in its default cookieless configuration. It may become relevant if the deployment is enriched with custom event tracking that captures personal data fields, behavioural scoring or integration with external CRM systems.
Sample consent text
This site uses Rybbit Analytics in cookieless mode to count visitors and understand which content works. No cookies are set, no personal data is shared with third parties, and analytics data is stored on EU servers. No consent is required for this configuration.
Third-party domains contacted
rybbit.ioapp.rybbit.iocdn.rybbit.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rybbit_id | persistent | 12 months | Optional first party identifier set only when self hosters explicitly enable cookie based session tracking. Disabled by default. |
Rybbit collects user analytics data — you legally need a consent banner. Try FlowConsent free.
In its default configuration Rybbit sets no cookies at all. Sessions are derived server side from a daily rotating salted hash of IP and user agent. Self hosters can optionally enable a first party rybbit_id cookie for higher accuracy on returning visitors, in which case Article 5(3) ePrivacy applies and consent becomes required.
Not in the default cookieless configuration. Rybbit can be deployed without a cookie banner across the EU under the CNIL exemption for audience measurement and the TTDSG essential cookie test in Germany. A clear privacy notice is still required.
Legitimate interest (Art. 6(1)(f) GDPR) for the cookieless audience measurement, supported by a documented Legitimate Interest Assessment. Consent (Art. 6(1)(a) GDPR) becomes the legal basis if the optional first party cookie is enabled or if custom events capture personally identifying data.
No. Rybbit Cloud is hosted in Germany and data does not leave the EU. Self hosters can choose any region. There are no Google or Meta dependencies and no IAB TCF participation.
Generally no. Cookieless analytics on EU servers, with no advertising integration and no third party sharing, do not meet the DPIA threshold. A DPIA may become relevant if you bridge Rybbit with a CRM, capture sensitive personal data through custom events or operate at very large scale.
Use the cookieless default, sign the Rybbit Cloud DPA or document the self hosted environment, write a privacy notice that mentions Rybbit and the EU hosting, set a sensible data retention (12 months by default), and avoid sending personal data through custom events without an opt in.
Other privacy first analytics tools include Plausible (EU hosted, cookieless), Fathom (EU hosted), Umami (self hosted), Matomo (self hosted, cookieless mode), Pirsch (Germany), Simple Analytics (Netherlands) and GoatCounter (open source). All can be deployed without a cookie banner under the CNIL exemption when configured correctly.
List Rybbit (publisher: Rybbit Analytics) with the purpose (audience measurement), the legal basis (legitimate interest in cookieless mode), the storage location (Germany for Rybbit Cloud, your own server otherwise), the cookies (none by default, optional rybbit_id if enabled) and the retention period.