Why sub.analytics doesn’t use cookies — and why that matters for you

If you’ve ever added Google Analytics to a website, you’ve seen the cascade that follows: cookie consent banner, privacy policy update, legal review, 40% of users clicking “reject all” and vanishing from your data. It’s a mess — and it’s entirely caused by how traditional analytics works.

How traditional analytics tracks users

Google Analytics sets a cookie with a unique visitor ID (like _ga=GA1.1.123456789.1234567890) in the user’s browser. That ID persists for up to two years. It lets Analytics link every page that person visits — across your site, across sessions, across days — into a unified journey.

That’s powerful. It’s also, under GDPR, the definition of processing personal data without a legal basis unless you get explicit consent first. Hence: the banner. And since the banner interrupts the experience, a huge fraction of users refuse it, breaking your analytics in the process.

How we track without cookies

When a pageview hits our server, we receive the visitor’s IP address and user agent. Instead of storing either, we immediately hash the combination together with a secret salt:

session_hash = SHA-256(ip + user_agent + daily_salt)

The hash is what gets stored — never the raw IP. And critically, the salt rotates every day. That means a hash from Tuesday is completely different from a hash from Wednesday, even for the same visitor. There is no way to link the two records after the fact. The visitor cannot be identified or tracked across days.

What you gain

No persistent identifier means no cookie. No cookie means no consent banner required. You’re GDPR-compliant by design, not by checkbox. Your visitors load the page, they don’t see a banner, and their pageview is counted. That’s it.

There’s a secondary benefit: our tracking script works even when cookies are blocked by the browser or a content blocker, because we don’t rely on them. You get better data coverage, not worse.

The honest tradeoff

Daily salt rotation means “unique visitors” is a daily concept, not a weekly or monthly one. The same person visiting Monday and Friday looks like two unique visitors when you look at a weekly view. We aggregate at the day level and sum up — which slightly overcounts unique visitors over longer periods.

For most use cases — understanding if traffic is growing, which pages resonate, where visitors come from — this is completely fine. You’re looking at trends, not audit trails. If you need exact individual user journeys, you need a cookie-based tool and a consent banner. That’s a deliberate product decision, not a technical limitation.

Why we built this

We wanted analytics we could install on any project in two minutes without a legal review. The established privacy-first tools — Plausible, Fathom, Simple Analytics — are excellent, but $9–19/mo is a real number when you’re running three side projects and a client site. We built sub.analytics to fill that gap: honest, cookie-free, and affordable enough to use everywhere.

If that sounds useful, the 30-day free trial requires no credit card.