How cookieless tracking works
Website tracking without cookies
You can run real web analytics — pageviews, sources, conversions, AI traffic — without setting a single cookie. Here's how, what you give up, and what you gain.
What "cookieless" actually means
A cookieless analytics tool doesn't set cookies (`document.cookie`), doesn't use `localStorage` or `sessionStorage`, and doesn't fingerprint the browser. It doesn't store anything on the visitor's device. Instead, the tracker fires a single HTTP request per pageview to the analytics server. The server generates a visitor ID from a hash of the visitor's IP + User-Agent + a daily-rotating salt — the IP is never persisted in raw form, and the salt rotation means the hash can't be used to identify the same person across days.
The result: real analytics data, no device storage, no persistent identifier, no GDPR / ePrivacy consent obligation.
What you can measure
- Pageviews + unique visitors (within a day). Unique-per-day, not unique-per-month — but that's the trade for not setting cookies.
- Sources — direct, organic search by engine, social, referral, and AI assistants (ChatGPT, Claude, Perplexity).
- Top pages, entry pages, exit pages.
- Geography (country, region, city) via GeoIP — no IP stored.
- Browser, device, OS from User-Agent.
- Custom events + conversion funnels — fire `gizmo('event', 'signup')` from any button.
- UTM campaign attribution within a session.
- Real-time visitor count — who's on the site right now.
What you can't measure
Being honest about the trade-offs:
- Cross-day or cross-device user identity. Someone who visits Monday on their laptop and Tuesday on their phone is two visitors to us, one to GA4.
- Long-window attribution. Multi-touch attribution windows that span weeks/months require a persistent ID; cookieless can't do this.
- Remarketing audiences. Building lookalikes or retargeting in Google Ads needs cookies + cross-site identity.
- Logged-in user analytics. If you need to tie analytics events to specific authenticated users by ID, that's product analytics — use something like PostHog or Mixpanel alongside cookieless web analytics for traffic.
For operator-style sites — content, indie SaaS, agencies running fleets — these missing features rarely matter. For ad-revenue-heavy operations, they matter a lot, and a cookieless tool is a poor primary analytics choice.
How Gizmo's cookieless tracker works
One `<script>` tag in your `<head>`. ~1KB minified. Fires after `interactive` so it doesn't compete with your LCP. Sends a single fetch per pageview to `https://gizmoanalytics.io/api/collect`.
On the server: incoming IP gets concatenated with the User-Agent and a daily-rotating per-workspace salt, then SHA-256'd. The raw IP is never written to the database. The hash becomes the visitor ID for the rest of that day. At midnight UTC, the salt rotates and yesterday's visitor IDs become un-derivable. The IP is held in memory only long enough to compute the hash and derive geography (country + city); both are discarded after.
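The derivation described above, sketched as an added example (this is not Gizmo's code). The class and function names, the in-memory salt store, and the length-prefixing of each field are assumptions made for illustration; a deployment with several collector processes would need to share the day's salt between them.

```python
import hashlib
import secrets
from datetime import datetime, timezone


class DailySaltStore:
    """Hypothetical store: one random salt per workspace, current UTC day only."""

    def __init__(self):
        self._day = None   # UTC date the salts below belong to
        self._salts = {}   # workspace id -> 32 random bytes

    def salt_for(self, workspace, now):
        day = now.astimezone(timezone.utc).date()
        if day != self._day:
            # Midnight UTC has passed: destroy every old salt. Once the salt
            # is gone, yesterday's IDs cannot be recomputed from IP + UA.
            # Keeping it would let anyone enumerate the small IPv4 space.
            self._salts.clear()
            self._day = day
        if workspace not in self._salts:
            self._salts[workspace] = secrets.token_bytes(32)
        return self._salts[workspace]


def visitor_id(store, workspace, ip, user_agent, now):
    """SHA-256 over salt + IP + User-Agent; only the digest leaves this function."""
    h = hashlib.sha256(store.salt_for(workspace, now))
    # Length-prefix each field (an assumption, the page only says
    # "concatenated") so that field boundaries cannot be shifted.
    for field in (ip, user_agent):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()


def demo():
    """Constructed sample visitor: same IP and UA hashed at different times."""
    store = DailySaltStore()
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"
    day1_am = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    day1_pm = datetime(2024, 1, 1, 23, 59, tzinfo=timezone.utc)
    day2 = datetime(2024, 1, 2, 0, 1, tzinfo=timezone.utc)
    first = visitor_id(store, "ws-1", ip, ua, day1_am)
    return {
        "same_day": first == visitor_id(store, "ws-1", ip, ua, day1_pm),
        "other_workspace": first == visitor_id(store, "ws-2", ip, ua, day1_pm),
        "next_day": first == visitor_id(store, "ws-1", ip, ua, day2),
    }
```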
Bot filtering happens at this layer too — known bot User-Agents are dropped before storage so your traffic numbers reflect real humans.
Track your site without cookies
Drop the one-line script and you're live. No banner needed. No CMP integration. Free forever for 10k events / month, unlimited sites in one workspace. AI coding agents (Cursor, Claude, Codex) can install Gizmo on a new site in one prompt via our MCP server.
FAQ
- Is website tracking without cookies even possible?
- Yes, and it's been mainstream for years. Plausible, Fathom, Umami, and Gizmo are all cookieless. They generate visitor IDs server-side from a salted hash of IP + User-Agent that rotates daily, so the same person visiting twice in the same day is counted once but can't be tracked across days, devices, or sites. You lose Google's cross-device user-stitching; you keep pageviews, sources, top pages, countries, devices, browsers, and goal conversions.
- What can you measure without cookies?
- Almost everything operators actually look at: pageviews, unique visitors, sessions, bounce rate, time on page, top pages, referrer sources (including AI assistants like ChatGPT and Claude), countries, browsers, devices, custom events, conversion funnels, and UTM campaigns. What you can't do: track an individual user's behavior across multiple sessions (we don't know it's the same person tomorrow), build attribution models that span multiple touchpoints over weeks, or run remarketing campaigns. Those features require persistent cross-session identity — i.e., cookies.
- Doesn't IP-based tracking still count as PII under GDPR?
- IP addresses are personal data under GDPR. The trick is what you do with them. Cookieless analytics tools salt-hash the IP at ingestion and discard the original — the database never stores a raw IP. The salt rotates daily, so even the hash can't be used to identify someone across days. The CNIL (France) and EDPB (EU-wide) have both published guidance confirming this pattern is GDPR-compliant and consent-exempt because the data is anonymized at the point of collection.
- How is fingerprinting different from cookieless tracking?
- Fingerprinting builds a stable identifier from browser characteristics (canvas, fonts, screen size, plugins, timezone, etc.) — the goal is identifying a specific user across sessions even if they clear cookies. That's the opposite of cookieless analytics. We DON'T fingerprint. The daily-rotating hash is designed specifically to prevent cross-day identification. If a tool advertises 'cookieless tracking' but uses fingerprinting underneath, it still has GDPR + ePrivacy obligations — the directive covers any persistent device identifier, not just cookies. Read the privacy policy.
- How accurate is cookieless visitor counting?
- Within a single day: very accurate — IP+UA hash collisions are vanishingly rare for normal home/mobile traffic. Across days: you'll over-count returning visitors (someone visiting Monday and Tuesday is counted twice) but under-count nobody. Most operators find this trade fine: returning-visitor metrics are noisy anyway, and the gain of not needing a banner (and not losing 30–60% of EU traffic to consent declines) more than compensates.
- Will my marketing team be okay with cookieless analytics?
- Depends on what they do. If they run content + organic growth + product analytics, yes — the data they need (which posts converted, which channels drive signups, funnel drop-off) is all there. If they run heavy paid acquisition with multi-touch attribution windows of weeks-to-months, no — that workflow needs cross-session identity and they'll want to keep GA4 (or both, in parallel). Many teams run a cookieless tool as the no-banner site analytics and keep GA4 just for ad attribution.
- What does Gizmo Analytics do differently?
- Gizmo is cookieless web analytics built MCP-first. The cookieless tracker is the same shape Plausible/Fathom pioneered — one-line script, ~1KB, daily salted hash. The wedge is the MCP server: every dashboard operation is also an MCP tool, so Cursor, Claude Desktop, Codex, and other AI coding agents can install Gizmo on a new site in one prompt, query traffic, set up goals and funnels, and investigate anomalies — all without you writing API integration code. Free forever for 10k events / month, unlimited sites.