Umami is an open source, privacy-focused web analytics platform released under the MIT license. It writes no cookies, stores no personal data on disk, and identifies visitors only through a daily, rotating salted hash so re-identification across days is impossible. Available as a self-hosted Docker stack or as Umami Cloud with optional EU data residency, it is one of the easiest analytics tools to deploy without a consent banner in the EU.
Umami is an open source web analytics tool first released in 2020 and distributed under the MIT license. It is built around a single design principle: collect website traffic statistics without identifying any individual visitor. Umami runs as a Node.js application backed by Postgres or MySQL and ships as Docker images that can be deployed to a small VPS, to Kubernetes, or to a managed PaaS. Umami Software Inc., a US company, also operates Umami Cloud, a hosted version of the same code with optional EU data residency on paid plans. The product reports the standard set of analytics dimensions (pageviews, sessions, devices, browsers, countries, referrers, custom events) without ever writing a cookie or storing a raw IP.
Umami does not write any cookie or localStorage entry. Visitor sessions are computed server-side from a SHA hash of (daily rotating salt + visitor IP + user agent + hostname). The salt is regenerated every 24 hours, so the same visitor on two different days appears as two unrelated sessions and there is no way to track a person across days. The raw IP is never stored on disk; only the hashed identifier and aggregated metadata (country derived from IP geolocation, browser, OS, device type, screen size, language) are persisted. Custom events can carry numeric counters or short string payloads if the operator adds them; those stay under the operator's control.
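The session derivation described above, as an added sketch (not Umami's source code). It assumes SHA-256 for the "SHA hash", a random salt held only in memory for each UTC day, and length-prefixed fields; `DailySalt`, `sessionId` and `demo` are hypothetical names and the sample hits are constructed.

```javascript
// Added illustration, not Umami's source. Assumptions: SHA-256 as the "SHA hash",
// a random per-day salt kept only in memory, and the field order used below.
const crypto = require('node:crypto');

class DailySalt {
  constructor() { this.day = null; this.salt = null; }
  // Return the salt for the UTC day containing `now`; a new day discards the old salt.
  current(now) {
    const day = now.toISOString().slice(0, 10);
    if (day !== this.day) {
      this.day = day;
      this.salt = crypto.randomBytes(32);
    }
    return this.salt;
  }
}

// Derive the session identifier. The raw IP is hashed here and never returned or stored.
function sessionId(salts, now, { ip, userAgent, hostname }) {
  const h = crypto.createHash('sha256');
  h.update(salts.current(now));
  // Length-prefix each field so ("ab","c") and ("a","bc") hash differently.
  for (const field of [ip, userAgent, hostname]) {
    const buf = Buffer.from(String(field), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    h.update(len);
    h.update(buf);
  }
  return h.digest('hex');
}

// Constructed sample hits (documentation IP range, made-up user agent and hostname).
function demo() {
  const salts = new DailySalt();
  const visitor = { ip: '203.0.113.7', userAgent: 'ExampleBrowser/1.0', hostname: 'example.org' };
  const morning = sessionId(salts, new Date('2024-05-01T08:00:00Z'), visitor);
  const evening = sessionId(salts, new Date('2024-05-01T21:30:00Z'), visitor);
  const nextDay = sessionId(salts, new Date('2024-05-02T08:00:00Z'), visitor);
  const otherIp = sessionId(salts, new Date('2024-05-02T08:05:00Z'), { ...visitor, ip: '203.0.113.8' });
  return { sameDay: morning === evening, acrossDays: morning === nextDay, otherVisitor: nextDay === otherIp };
}
```

In this sketch the cross-day unlinkability holds only because the previous day's salt no longer exists; a salt derived from a stored secret plus the date could be recomputed by anyone holding that secret, which is worth checking when documenting the safeguard.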
Because Umami writes no cookie and stores no personal data in identifiable form, it does not trigger Article 5(3) of the ePrivacy Directive (the rule that requires consent for storage of or access to information on the terminal). The CNIL exemption criteria for analytics tools (no advertising purpose, no cross-site tracking, no enrichment with other data, anonymisation) are met by default. Under the GDPR, the residual risk is very low: aggregated metrics that cannot be tied back to an individual fall outside the scope of personal data after the daily salt rotation. The operator remains controller for the configuration choices (retention period, custom events).
Umami can be loaded without a CMP consent gate when used in its default cookieless configuration. The CNIL, the AEPD, and the BfDI all accept analytics solutions of this kind under the consent exemption, provided the data is not enriched with profiling sources and the purpose is limited to audience measurement. If the operator adds custom events that capture personal data (email captured on a form, free-text fields), those specific events should be gated by consent or relocated to a separate processing path, but the basic Umami tracker continues to run without consent.
Self-hosted Umami transfers no data outside the operator's chosen region. On Umami Cloud, the operator picks between EU (Frankfurt) and US regions: choose EU for European audiences and the data path stays inside the EEA. Umami Software Inc. is a US company, so the contractual relationship still involves a small amount of metadata flowing to the US (billing, support tickets), covered by Standard Contractual Clauses with EU customers. For most European websites, self-hosting on a small EU VPS or Umami Cloud EU is the recommended path.
Add Umami to your record of processing activities under Audience measurement with legitimate interest as the legal basis. If you use Umami Cloud, sign the DPA published by Umami Software Inc. and select the EU region. Set a reasonable retention period for events (12 to 25 months is enough for year-on-year comparisons). Avoid sending personal data through custom event properties. List Umami in the privacy policy with a short note explaining that no cookies are used and that the visitor cannot be re-identified across days. The site can usually be served without a consent banner.
Websites using Umami must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a default Umami deployment because no cookies are written, the daily salt rotation prevents cross-day re-identification, and no cross-site tracking is performed. A DPIA becomes relevant only if the operator extends Umami with custom event payloads that include personal data (email, user ID, free-text fields), or if Umami is combined with other tools to build full visitor profiles. Document the salt rotation, the retention period, the hosting location (self-hosted vs Umami Cloud EU/US), and the role of Umami Software Inc. as processor on Cloud plans.
Sample consent text
We use Umami Analytics to understand how our website is used. Umami does not write cookies, does not store IP addresses, and cannot re-identify you across days. Aggregate usage statistics are stored on our own servers [or in Umami Cloud EU]. Because Umami collects no personal data by default, no consent banner is required, but you can object at any time.
Third-party domains contacted
umami.is
cloud.umami.is
analytics.umami.is
api.umami.is
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies | none | n/a | Umami is a privacy focused analytics platform that does not use cookies or any client side persistent identifier. Sessions are derived server side from a hashed combination of IP address, user agent and a daily rotating salt. |
None. Umami is fully cookieless. It does not write any cookie or localStorage entry on the visitor's browser. Visitor sessions are computed server-side from a SHA hash of (daily salt + IP + user agent + hostname), and the salt rotates every 24 hours, which makes cross-day re-identification impossible.
No, in default configuration. Because Umami writes no cookie or local storage and does not store identifiable personal data, it does not trigger Article 5(3) of the ePrivacy Directive. The CNIL, the AEPD, and the BfDI accept this kind of cookieless analytics under the consent exemption when there is no advertising purpose, no cross-site tracking and no enrichment with other data.
Legitimate Interest (GDPR Article 6(1)(f)) is the standard legal basis, with a documented Legitimate Interest Assessment that highlights the minimal data collected, the daily salt rotation, and the absence of cross-site tracking. For some implementations, the data is so aggregated that it falls outside the personal data scope altogether after the salt rotates.
Not when Umami is self-hosted in the EU, and not when Umami Cloud is configured with the EU region. Umami Software Inc. is incorporated in the US, so a small amount of metadata (billing, support) flows to the US under SCCs, but the analytics data itself stays in the chosen region.
Generally not. The combination of cookieless tracking, daily salt rotation, no cross-site tracking, and limited dimensions keeps the residual risk very low. A DPIA is only recommended if you extend Umami with custom event properties that contain personal data or if you combine it with other tools to build profiles.
Self-host on an EU server or pick the EU region on Umami Cloud. Keep the default cookieless configuration, set a sensible retention period (12 to 25 months), avoid sending personal data through custom events, list Umami in the privacy policy with the note that no cookies are written, and add it to your record of processing activities under audience measurement with legitimate interest.
Yes. Plausible Analytics (cookieless, EU cloud), Fathom Analytics (cookieless, EU cloud), Pirsch (cookieless, Germany), Simple Analytics (cookieless, Netherlands), Matomo with cookieless mode (CNIL exemption), and Counter (open source, self-hosted) all share a similar privacy posture.
State explicitly that Umami is cookieless, that no personal data is stored on disk, and that the visitor cannot be re-identified across days. List the daily salt rotation as the technical safeguard. If you use Umami Cloud, mention Umami Software Inc. as processor and the EU region. No third-party cookies need to be disclosed because none are set.