Understanding Roles: You vs. Us
Infinity Metrics is self-hosted analytics software. This means
you (our customer) install and run the software on your own servers.
Consequently:
- You are the Data Controller for the website visitor
data collected through your installation of Infinity Metrics.
- We (Infinity Metrics, the company) are the Data Processor
only for the limited personal data we collect directly from you (our
customer) via our website (getinfinitymetrics.com) for account management
and payment processing (see our Privacy Policy).
- We do not process, store, or have access to the website
visitor data collected by your self-hosted instance of Infinity Metrics.
This page explains how the design of the Infinity Metrics software helps
you meet your GDPR obligations as a Data Controller for the analytics
data you collect.
How the Software Design Aids Compliance
Infinity Metrics is designed with privacy at its core, making GDPR
compliance simpler for website owners using our self-hosted software.
No Cookies, No Consent Banners Needed (for Analytics)
Traditional analytics tools often use persistent cookies, requiring consent banners under GDPR. The Infinity Metrics software avoids this:
- Zero cookies used by the software - The tracking script does not set cookies on your visitors' browsers for analytics purposes.
- Consent banners often not required for analytics - Since the software doesn't use cookies or collect personal data (when configured correctly), you likely don't need specific cookie consent banners *for the analytics function*. You may still need banners for other cookies or tracking used on your site.
- Focus on User Experience - Helps you avoid intrusive consent popups related to analytics tracking.
Note: While the software avoids cookies, you, as the Data Controller, must still ensure your overall data collection practices comply with GDPR, including providing transparency in your site's privacy policy.
How the Software Protects Visitor Personal Data
The Infinity Metrics software is designed to minimize the collection of personal data as defined by GDPR:
- Designed for minimal data collection - The software aims to collect only aggregated, anonymized metrics necessary for understanding website trends.
- IP address anonymization - IP addresses are used briefly for country-level geolocation, then immediately hashed (using a salt unique to your installation) and discarded. The original IP is never stored permanently by the software. This hashing process is one-way and designed to prevent re-identification.
- No cross-site tracking - The software operates only on the site where you install it. It does not track users across different websites.
- No persistent user identifiers - The software generates user signatures based on IP address (anonymized) and User-Agent, salted uniquely per day per site. This prevents long-term tracking of individuals across days.
- Focus on aggregated metrics - The primary output is anonymized, aggregated data (e.g., page views, visitor counts, session duration) that cannot reasonably be used to identify individuals.
Software's Technical Approach to Privacy
How Infinity Metrics Works Without Cookies
Instead of cookies, the software uses a privacy-preserving
method to distinguish visits within a limited timeframe:
- Daily Anonymous Signatures - For each visitor on a given day, a unique signature is generated using their anonymized IP address, User-Agent string, and a site-specific, daily-rotating salt. This allows distinguishing unique visits within a day without long-term tracking.
- One-way hashing - This signature is created using a secure, one-way hash function. It's mathematically infeasible to reverse the hash to get the original IP or User-Agent data.
- Not stored on device - No identifiers are stored on the user's device by the analytics script.
- Session Calculation - Sessions are calculated based on the time between events from the same daily anonymous signature, typically resetting after 30 minutes of inactivity.
How the Software Handles IP Addresses
IP addresses must be handled carefully under GDPR. Here's the software's
process:
- IP address is briefly held in memory for country lookup (if enabled).
- IP is immediately hashed using a secure one-way algorithm combined with a unique, daily-rotating salt specific to your website installation.
- Original IP address is permanently discarded and never stored on disk.
- The hash cannot be reversed to reveal the original IP address.
- The use of a unique, daily-rotating salt for each installation makes pre-computed attack methods like rainbow tables infeasible. Recovering the original IP from the hash is computationally impractical with current technology, estimated to take decades or longer.
- Neither you nor we can access the original visitor IP addresses from the stored data.
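The daily signature, IP hashing and 30-minute session steps described above, as an added Python example (not Infinity Metrics' own code). It assumes HMAC-SHA256 as the one-way function and a random per-site salt that is overwritten at day rollover; `DailySalts`, `signature`, `count_sessions` and the sample IP and User-Agent are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta

SESSION_GAP = timedelta(minutes=30)  # inactivity window stated on the page


class DailySalts:
    """One random salt per site, kept for the current day only (assumed scheme)."""

    def __init__(self):
        self._held = {}  # site_id -> (day, salt)

    def get(self, site_id: str, day: date) -> bytes:
        held = self._held.get(site_id)
        if held is None or held[0] != day:
            # Rotation overwrites the old salt, so earlier signatures can no
            # longer be recomputed or linked to the new day's.
            held = self._held[site_id] = (day, secrets.token_bytes(32))
        return held[1]


def signature(salts, site_id, ip, user_agent, when: datetime) -> str:
    """Daily anonymous signature; only the keyed hash of the IP is used."""
    salt = salts.get(site_id, when.date())
    # HMAC-SHA256 is this example's choice of one-way function.
    ip_hash = hmac.new(salt, ip.encode(), hashlib.sha256).digest()
    msg = ip_hash + b"\x00" + user_agent.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def count_sessions(events):
    """events: (signature, datetime) pairs -> {signature: session count}."""
    last_seen, sessions = {}, {}
    for sig, ts in sorted(events, key=lambda e: e[1]):
        if sig not in last_seen or ts - last_seen[sig] > SESSION_GAP:
            sessions[sig] = sessions.get(sig, 0) + 1
        last_seen[sig] = ts
    return sessions


def demo():
    """Constructed input: one visitor, three hits, then a hit the next day."""
    salts, ip, ua = DailySalts(), "203.0.113.7", "ExampleBrowser/1.0"
    t0 = datetime(2024, 5, 1, 9, 0)
    hits = [t0, t0 + timedelta(minutes=10), t0 + timedelta(minutes=50)]
    sigs = [signature(salts, "site-a", ip, ua, t) for t in hits]
    next_day = signature(salts, "site-a", ip, ua, t0 + timedelta(days=1))
    return sigs, next_day, count_sessions(zip(sigs, hits))
```

The IPv4 address space is small, so the unlinkability shown here rests on the salt staying secret while in use and being destroyed at rotation rather than archived or derived from a long-lived key.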
Data Processed by Your Infinity Metrics Installation
| Data Type | How It's Processed | GDPR Consideration (for Customer) |
| --- | --- | --- |
| Country | Derived from IP during processing, then IP is discarded | Generally not personal data when aggregated |
| Browser & OS | Extracted from User-Agent string (e.g., "Chrome", "Windows") | Generally not personal data when aggregated |
| Page Views | Counted anonymously by URL path | Not personal data |
| Referrer Source | Recorded as domain name (e.g., "google.com") | Generally not personal data |
| Device Type | Categorized as mobile, tablet, or desktop | Not personal data |
| Session Duration | Calculated based on time between events linked by daily anonymous signature | Not personal data when aggregated |
| UTM Parameters | Extracted from URL query strings (e.g., utm_source) | Potentially personal data if misused; customer responsibility |
| Custom Events | Data defined and sent by the customer via the SDK | Potentially personal data depending on what is sent; customer responsibility |
Important: You, the customer, are responsible for ensuring that you do not configure custom events or use UTM parameters in a way that sends personal data to your Infinity Metrics instance unless you have a valid legal basis and meet necessary GDPR requirements (like consent, if applicable).
GDPR Rights and Your Visitors (Data You Collect)
GDPR grants individuals rights regarding their personal data. Because the Infinity Metrics software is designed *not* to collect personal data that identifies individuals:
- Right to access / rectification / erasure ('to be forgotten') - Since no identifiable personal data is stored by the software's default configuration, there is typically no personal data for visitors to access, correct, or delete from the analytics system.
- Right to data portability - Aggregated, anonymous data is not subject to portability requirements.
- Right to object to processing - Visitors can typically object by using browser privacy settings (like Do Not Track, which Infinity Metrics can be configured to respect) or browser extensions that block tracking scripts.
You must inform visitors about the analytics data you collect (even if anonymous) in your website's privacy policy and explain how they can exercise their rights, potentially including how to opt-out of tracking if you offer such a mechanism.
Your Responsibilities as a Data Controller
While the Infinity Metrics software aids compliance, as the Data Controller for your visitor data, you must:
- Maintain a clear Privacy Policy: Inform your visitors that you use analytics, what data is collected (even if anonymous), why, and that it's hosted on your servers. Explain the privacy measures taken (like IP anonymization).
- Ensure Lawful Basis: Determine your legal basis for processing analytics data (likely Legitimate Interest for anonymous, aggregated data, but potentially Consent if you collect identifiable data via custom events/UTMs).
- Configure Responsibly: Ensure you do not configure custom events or use UTM parameters to collect personal data without a proper legal basis and disclosures.
- Secure Your Server: Protect the server hosting your Infinity Metrics installation and the collected data according to security best practices.
- Data Processing Agreement (DPA): Since we (Infinity Metrics, the company) do not process your visitors' data, a DPA between you and us is generally not required *for that data*. You may need DPAs with your hosting provider or other processors.
Data Processing by Us (Infinity Metrics, the Company)
Separately from the data you collect with your self-hosted instance, we, Infinity Metrics (the company), act as a Data Controller for the personal data we collect directly from our customers (you) and visitors to our website (`getinfinitymetrics.com`). This includes:
- Account Information: Name, email address, company details provided during sign-up or purchase. Legal basis: Performance of Contract.
- Payment Information: Processed via Stripe (our payment processor). We do not store full credit card details. Legal basis: Performance of Contract.
- Website Analytics (`getinfinitymetrics.com`): We use our own Infinity Metrics software to collect anonymous, aggregated statistics about visitors to our website. This includes page views, referrers, device types, country, etc., using the same privacy-preserving techniques described above (no cookies, IP anonymization). Legal basis: Legitimate Interest.
- Communication Data: Information you provide when contacting us for support or inquiries. Legal basis: Legitimate Interest, Performance of Contract.
We process this data in accordance with our Privacy Policy. We implement appropriate technical and organizational measures to protect this data.
Sample Privacy Policy Statement (For Your Website)
You can adapt the following text for your website's privacy policy:
"We use Infinity Metrics, a self-hosted web analytics software, to collect anonymous statistics about how visitors use our website. We host this software on our own servers, meaning no third-party company (including the makers of Infinity Metrics) has access to this data.
This analytics service does not use cookies. It collects anonymized information such as page views, approximate session duration, referral sources (the website you came from), general browser and device type (e.g., Chrome on Desktop), and country-level location derived from your IP address. Your IP address is anonymized immediately upon processing and the original IP is never stored.
We use this aggregated data solely to understand website traffic patterns and improve our website's performance and content. We cannot identify you or track your specific browsing habits across different websites using this data. The legal basis for this processing is our legitimate interest in understanding and improving our website."
Legal Basis for Your Analytics Processing
As the Data Controller for the analytics data you collect using your self-hosted Infinity Metrics instance, you need a legal basis under GDPR.
- Legitimate Interest: For collecting anonymous, aggregated website statistics (like page views, browser types, country), Legitimate Interest is often the appropriate legal basis. You must balance this interest against the rights and freedoms of your visitors (which are minimal when data is truly anonymous). You should document this assessment (LIA).
- Consent: If you configure Infinity Metrics (e.g., via custom events or UTM parameters) to collect data that could be considered personal data, or if required by specific local laws (like ePrivacy Directive nuances), you may need to obtain explicit consent *before* collecting that data.
Consult with legal counsel to determine the appropriate legal basis for your specific implementation and data collection practices.
Conclusion
The Infinity Metrics software is engineered to facilitate GDPR compliance for website analytics by minimizing data collection, avoiding cookies, and anonymizing potential identifiers like IP addresses. However, as a self-hosted solution, ultimate responsibility for GDPR compliance rests with you, the customer, as the Data Controller for the data you collect on your servers. Ensure you understand your obligations, maintain a transparent privacy policy, and configure the software responsibly.