— Privacy

Privacy promise

Most analytics tools have a privacy page that’s mostly a list of what they collect, alongside a promise to be careful with it. Ours is different, because there isn’t much of a list.

What Crumbless does not collect

• No cookies. We don’t set them. We don’t read them. We don’t use localStorage, sessionStorage, IndexedDB, or any browser storage mechanism.
• No IP addresses are ever stored. We touch the IP for one calculation at the moment of a request, and discard it before the response goes out. The disk never sees it.
• No personal information. No email addresses. No names. No device identifiers. No advertising IDs. Nothing that could ever be tied back to a specific human.
• No fingerprinting. We don’t probe canvas, fonts, WebGL, audio context, hardware concurrency, or any of the other surfaces a tracking script can poke at. The tracker is roughly 1 KB and doesn’t have room to be sneaky.
• No cross-day tracking. The way we identify “is this the same visitor I saw 10 minutes ago” is destroyed at midnight UTC every night. Tomorrow’s Crumbless cannot link to today’s.
• No third-party SaaS. Your visitor data sits in a SQLite file on your hosting. It doesn’t leave. There is no server in California, Frankfurt, or anywhere else with a copy of your audience.

How we identify visitors without cookies

A “visitor” in Crumbless is a 16-character hash. The recipe is public:

visitor_id = sha256(IP + User-Agent + your_domain + daily_salt) → first 16 characters

The daily salt is a random 256-bit value generated at midnight UTC. The previous day’s salt is overwritten the moment the new one is created and is never written to disk again.

What this means in practice:

• The same person reading two pages in a row produces the same hash. We count them as one visitor.
• The same person coming back tomorrow produces a different hash. We have no way to know it’s the same person.
• The hash itself contains nothing recoverable. The original IP can’t be extracted from it. Even if your entire database were stolen, no individual visitor could be identified from it.

This is the same approach used by other privacy-respecting analytics tools. It has been examined and endorsed by:

• France’s CNIL as exempt from consent requirements under specific conditions
• Spain’s AEPD in similar guidance
• Germany’s DSK as compliant with TTDSG when implemented correctly

We’ve implemented it correctly. The result is analytics you can deploy on a public website without a consent banner.

Why this matters

A cookie banner is a daily admission that something on a website is doing something the visitor wouldn’t agree to if asked clearly. Most people just dismiss it. The banner is designed to be dismissable.

We think the better answer is to stop doing the thing — to build analytics that are useful for the site owner without being a problem for the visitor. To make consent unnecessary by design, not just fast to dismiss.

If you’ve ever felt slightly uncomfortable adding the Google Analytics tag to a project, that feeling was right. There’s a better way, and it’s been in front of us the whole time.

Verifying it for yourself

Crumbless is open source. The tracker is one short JavaScript file. The visitor-ID logic is one PHP function. You can read the code. You don’t have to take our word for it.

• Tracker source: github.com/crumbless/crumbless/blob/main/public/c.js
• Visitor-ID implementation: github.com/crumbless/crumbless/blob/main/src/Visitor.php
• Salt rotation: github.com/crumbless/crumbless/blob/main/src/Salt.php

If we ever change any of this, it’ll show up in the changelog before it ships.

What about the dashboard?

The Crumbless admin dashboard — where you log in to look at your analytics — does use a session cookie. That’s an HttpOnly, Secure, SameSite=Lax cookie set when you sign in, used so you don’t have to retype your password on every page. It’s deleted when you log out.

This cookie is not a visitor-tracking cookie. It’s used by you, the site owner, to access your own admin panel. It’s the same kind of cookie WordPress uses to keep you logged in to wp-admin. Your visitors never encounter it.

What about Crumbless’s own website (crumbless.eu)?

Same answer. We use Crumbless on this website. We don’t run any third-party analytics, advertising pixels, or fingerprinting scripts. The only cookies on crumbless.eu are the ones we set when you sign in to your account dashboard, and they exist only on account.crumbless.eu.

The marketing site you’re reading right now? Zero cookies. You can check.

Questions

If anything on this page is unclear, or if you have a specific privacy or compliance question we haven’t answered, write to us at privacy@crumbless.eu. We answer every email.