
Privacy & compliance

Publistic is designed from the ground up to respect reader privacy. No cookies, no personal data, no consent banners needed.

No cookies

Publistic does not set any cookies. Not first-party, not third-party. This means you don't need a cookie consent banner for Publistic, simplifying your compliance and improving your site's user experience.

Visitor identification

Instead of cookies, Publistic uses a privacy-friendly fingerprinting approach to count unique visitors. The fingerprint is generated by combining anonymized browser and device attributes into a one-way hash. The hash salt rotates monthly, which means:

  • Visitors cannot be tracked across months
  • The hash is not reversible — you cannot identify a person from it
  • No personal data is stored or transmitted
🔒
EU mode is available for publishers who want additional privacy guarantees. In EU mode, cookieless fingerprinting uses the same monthly salt rotation approach, ensuring full GDPR compliance without any consent mechanism.
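
The rotating-salt scheme described above, as an added sketch that is not Publistic's own code. HMAC-SHA256, the attribute set, the `site` field and the in-memory salt store are assumptions made for illustration, since the page does not specify them. It shows repeat visits within a month collapsing to one ID, and the same visitor receiving an unrelated ID after rotation.

```python
import hashlib
import hmac
import secrets
from datetime import date


class MonthlySaltStore:
    """Holds one random salt for the current calendar month only (assumed design)."""

    def __init__(self):
        self._month = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        month = (day.year, day.month)
        if month != self._month:
            # Rotation overwrites the old salt; once it is gone, last month's
            # IDs cannot be recomputed or linked to this month's.
            self._month, self._salt = month, secrets.token_bytes(32)
        return self._salt


def visitor_id(store, day, site, attrs):
    """Keyed one-way hash over coarse attributes (hypothetical field set)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    fields = [site, *attrs]
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(store.salt_for(day), msg, hashlib.sha256).hexdigest()[:32]


def unique_visitors(store, events):
    """Count distinct visitor IDs per (year, month); events must be date-ordered."""
    seen = {}
    for day, site, attrs in events:
        seen.setdefault((day.year, day.month), set()).add(visitor_id(store, day, site, attrs))
    return {month: len(ids) for month, ids in seen.items()}


# Constructed sample events: (date, site, (browser, device, region)).
EVENTS = [
    (date(2024, 5, 3), "example.org", ("Firefox", "desktop", "DE-BE")),
    (date(2024, 5, 9), "example.org", ("Firefox", "desktop", "DE-BE")),  # repeat visit
    (date(2024, 5, 9), "example.org", ("Safari", "mobile", "FR-IDF")),
    (date(2024, 6, 1), "example.org", ("Firefox", "desktop", "DE-BE")),  # new salt
]

if __name__ == "__main__":
    print(unique_visitors(MonthlySaltStore(), EVENTS))
```

The unlinkability across months in this sketch depends on the previous salt being destroyed at rotation; a retained salt would let old IDs be recomputed from the same attributes.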

What we collect

Publistic collects only the minimum data needed to produce useful analytics:

  • Page URL and referrer — to know which pages are visited and where traffic comes from
  • Browser and device type — parsed from the user agent string for device/browser statistics. The raw user agent string is not stored in analytics.
  • Country and region — derived from the visitor's IP address via GeoIP lookup. The IP address itself is discarded immediately after lookup and is never stored.
  • Engagement signals — scroll depth, engaged time, and click activity
  • Web Vitals — LCP, INP, CLS performance metrics

What we do NOT collect

  • No names, email addresses, or account information
  • No IP addresses (used for GeoIP lookup, then discarded)
  • No raw user agent strings in analytics storage
  • No cross-site tracking
  • No advertising identifiers
  • No fingerprints that persist beyond one month

GDPR compliance

Publistic is designed to be GDPR-compliant without requiring a consent banner. Since no personal data is stored and no cookies are used, there is no legal basis requirement for consent under GDPR's analytics exception.

For publishers who want to be extra cautious, EU mode provides additional safeguards with the same cookieless fingerprinting approach and monthly salt rotation.

Data storage

Analytics data is stored in one of two locations depending on your plan:

  • Self-hosted — data stays on your own server, under your full control. You decide the retention period and data handling policies.
  • Managed cloud — data is stored on Publistic's infrastructure on Vultr servers in the United States. Data is encrypted at rest and in transit.
📚
If your organization requires data residency in a specific region, self-hosting gives you full control over where your data lives. Deploy Publistic on any server, anywhere in the world.

Data export and deletion

You can export all your analytics data at any time via CSV export or the API. If you cancel your account, all data is permanently deleted within 30 days. Self-hosted users have direct database access and can manage data retention themselves.