Privacy-First Analytics Compared: Plausible vs Umami vs Fathom vs Cloudflare vs Rybbit vs Databuddy vs Vercel
"Privacy-first" is a marketing label. The code tells a different story.
We decompiled every privacy-first analytics script in the Nuxt Scripts registry and ran AST analysis to catalogue exactly which browser APIs each one touches at runtime. No marketing claims, no privacy policy excerpts - what the script does.
The finding: even among cookie-free analytics, the API surface ranges from 2 to 7 browser APIs. That gap determines what data leaves your users' browsers.
Browser APIs: What Each Script Touches
Browser APIs Used (AST-Verified)
APIs checked per provider: Cookies, Local Storage, Session Storage, User Agent, Screen, Languages, Beacon, Fetch, XHR, Perf Observer, Mutation Obs, Intersect Obs.
| Provider | Total APIs |
|---|---|
| Vercel Analytics | 2 |
| Plausible Analytics | 2 |
| Fathom Analytics | 2 |
| Umami Analytics | 3 |
| Cloudflare Web Analytics | 4 |
| Rybbit Analytics | 6 |
| Databuddy Analytics | 7 |
All seven providers share one critical property: zero cookies. That's the baseline for "privacy-first." But the similarity ends there.
Minimal surface (2 APIs): Vercel Analytics and Plausible touch only two browser APIs each. Vercel reads userAgent for device classification and uses fetch to send data. Plausible uses localStorage (for session deduplication) and fetch. Fathom is similarly minimal - localStorage and sendBeacon.
Medium surface (3-4 APIs): Umami adds screen dimensions on top of localStorage and fetch. Cloudflare Web Analytics reads userAgent, uses sendBeacon, xhr, and performanceObserver - the extra APIs power its built-in Core Web Vitals collection.
Broader surface (6-7 APIs): Rybbit and Databuddy touch the most APIs. Both use sessionStorage (cross-page state within a session), performanceObserver (CWV collection), and device signals like screen or languages. Databuddy adds userAgent and sendBeacon on top.
None of these providers use fingerprinting APIs (canvas, WebGL, audioContext) or set cookies. The differences are in how much device and session context they collect alongside pageview data.
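To re-check a provider's API surface yourself whenever its script is updated, the following added example (not the tooling used for this comparison) scans script source for the twelve browser APIs catalogued here and reports anything outside an expected set. It is a regex approximation rather than AST analysis; the patterns, function names and sample script are assumptions of this example.

```javascript
// Textual approximation of an API-surface audit; it does not parse the script.
// Matches both obj.prop and obj["prop"] so simple bracket access is not missed.
const member = (obj, prop) =>
  new RegExp(`\\b${obj}\\s*(?:\\.\\s*${prop}\\b|\\[\\s*["']${prop}["']\\s*\\])`);

// Keys follow the API names this page uses; the patterns are this example's assumptions.
const API_PATTERNS = {
  cookies: member('document', 'cookie'),
  localStorage: /\blocalStorage\b/,
  sessionStorage: /\bsessionStorage\b/,
  userAgent: member('navigator', 'userAgent'),
  screen: /\bscreen\s*\.\s*(?:width|height|availWidth|availHeight|colorDepth)\b/,
  languages: member('navigator', 'languages?'),
  sendBeacon: member('navigator', 'sendBeacon'),
  fetch: /(?:^|[^.\w$]|\b(?:window|self|globalThis)\s*\.\s*)fetch\s*\(/,
  xhr: /\bXMLHttpRequest\b/,
  performanceObserver: /\bPerformanceObserver\b/,
  mutationObserver: /\bMutationObserver\b/,
  intersectionObserver: /\bIntersectionObserver\b/,
};

function scanApiSurface(source) {
  return Object.keys(API_PATTERNS).filter((name) => API_PATTERNS[name].test(source));
}

// Returns APIs found in the script that are not in the expected surface,
// e.g. to fail a CI check when a vendor update widens what the tracker reads.
function unexpectedApis(source, allowed) {
  return scanApiSurface(source).filter((name) => !allowed.includes(name));
}

// Constructed sample, not any provider's real script.
const SAMPLE_TRACKER = `
(function(){var k="seen",s=window.localStorage;
if(!s.getItem(k)){s.setItem(k,"1")}
var d={u:location.href,w:screen.width,l:navigator["language"]};
window.fetch("/api/event",{method:"POST",body:JSON.stringify(d),keepalive:true});
cache.prefetch("/next");})();`;

console.log(scanApiSurface(SAMPLE_TRACKER));
console.log(unexpectedApis(SAMPLE_TRACKER, ['localStorage', 'fetch']));
```

Because matching is textual, API names inside strings or comments count as hits and computed property access is missed, so treat a clean result as a prompt for review rather than proof.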
cookies, mutationObserver, and intersectionObserver. Matomo uses 8 as well. The privacy-first providers use 2-7x fewer APIs than traditional analytics. See the full performance comparison for size and execution benchmarks.
Performance: The Privacy Dividend
Fewer APIs and smaller scripts translate directly to less main-thread work:
| Provider | Transfer | Decoded | Script | Task | Heap | CWV |
|---|---|---|---|---|---|---|
| Vercel | 1.6 KB | 2.4 KB | 0ms | 5ms | +667 KB | - |
| Plausible | 1.9 KB | 2.9 KB | 1ms | 6ms | +698 KB | - |
| Umami | 2.4 KB | 2.6 KB | 0ms | 5ms | +677 KB | - |
| Fathom | 3.0 KB | 6.7 KB | 1ms | 10ms | +721 KB | - |
| Rybbit | 9.0 KB | 25.3 KB | 1ms | 7ms | +706 KB | Yes |
| Databuddy | 10.6 KB | 29.2 KB | 1ms | 7ms | +754 KB | Yes |
| Cloudflare | 10.8 KB | 30.4 KB | 1ms | 6ms | +736 KB | Yes |
Every privacy-first provider stays under 2ms of script execution and 10ms of task duration. For context, GA4 burns 17ms of script time, 28ms of task time, and allocates +2.5 MB of heap.
The three providers that collect Core Web Vitals (Cloudflare, Rybbit, Databuddy) carry larger decoded sizes (25-30 KB) because the performanceObserver integration adds measurement code. That's a reasonable tradeoff if you want CWV data without a separate tool.
GDPR Compliance in 2026
The Cookie-Free Advantage
All seven providers avoid cookies entirely. Under GDPR and the ePrivacy Directive, cookie-free analytics that don't build persistent user profiles generally don't require a consent banner. This sidesteps the structural data gap that plagues cookie-based analytics.
EU cookie acceptance rates dropped to 40-58% across member states in 2026 (CNIL guidance, February 2026). Cookie-based analytics (GA4, Matomo with default settings) lose 40-60% of their traffic data to "Reject All" clicks. Cookie-free providers capture close to 100%.
Plausible's 24-Hour Hash Model
Plausible generates a daily hash from the visitor's IP address, user agent, and a rotating daily salt. The salt is deleted every 24 hours, making it impossible to reconstruct cross-day visitor chains even from the raw server logs. This satisfies GDPR's anonymization threshold.
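The rotating-salt scheme described above, sketched as an added example that is not Plausible's code: the same visitor maps to one ID within a day and to an unrelated ID once the salt is replaced. `DailySaltStore`, `visitorId`, the HMAC-SHA-256 construction and the sample visitor are assumptions of this example.

```javascript
const { createHmac, randomBytes } = require('node:crypto');

// Holds only the current day's salt. Rotating overwrites the previous salt, so
// earlier days' IDs can no longer be recomputed from stored IPs and user agents.
class DailySaltStore {
  constructor() {
    this.day = null;
    this.salt = null;
  }
  saltFor(day) {
    if (day !== this.day) {
      this.salt = randomBytes(16);
      this.day = day;
    }
    return this.salt;
  }
}

// `now` must come from the server clock, never from a client-supplied timestamp.
// HMAC-SHA-256 keyed with the salt is this example's choice of hash construction.
function visitorId(store, now, ip, userAgent) {
  const day = now.toISOString().slice(0, 10); // UTC date, e.g. 2026-03-01
  const mac = createHmac('sha256', store.saltFor(day));
  // Length-prefix each field so different (ip, userAgent) splits cannot collide.
  for (const field of [ip, userAgent]) {
    const bytes = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    mac.update(len).update(bytes);
  }
  return mac.digest('hex').slice(0, 16);
}

// Constructed visitor (documentation IP range) seen twice on one day, once the next.
function demo() {
  const store = new DailySaltStore();
  const seen = (iso) => visitorId(store, new Date(iso), '203.0.113.7', 'ExampleBrowser/1.0');
  const morning = seen('2026-03-01T09:00:00Z');
  const evening = seen('2026-03-01T23:59:59Z');
  const nextDay = seen('2026-03-02T00:00:01Z');
  return { sameDayMatch: morning === evening, crossDayMatch: morning === nextDay };
}

console.log(demo());
```

The unlinkability depends on the old salt actually being gone: if it survives in a backup or log, the previous day's IDs can be recomputed from any retained IP and user-agent pairs.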
Matomo's CNIL Exemption
Matomo is the only analytics platform with a formal consent exemption from the CNIL (France's data protection authority). The exemption applies when Matomo is used for audience measurement only, with IP masking, 13-month cookie caps, and no third-party data sharing. However, Matomo's default configuration uses cookies - you must explicitly configure it for cookie-free mode to get this benefit.
Fathom's EU Isolation
Fathom's EU Isolation routes all EU visitor data through EU-based infrastructure, adding another layer of DPA compliance beyond the cookie-free baseline.
First-Party Mode: Recovering Blocked Data
25-45% of users block trackers (Blockthrough Ad-Block Report 2026). Even privacy-first scripts hosted on known domains (plausible.io, cloud.umami.is) get blocked at the DNS level.
Nuxt Scripts' first-party mode proxies analytics traffic through your own domain:
```ts
// nuxt.config.ts
export default defineNuxtConfig({
  scripts: {
    registry: {
      plausibleAnalytics: {
        domain: 'yourdomain.com'
      }
    }
  }
})
```
Requests go to yourdomain.com/_scripts/plausible instead of plausible.io/js/script.js. Indistinguishable from a first-party request to most blockers. Data accuracy returns to near 100%.
Self-Hosting: Full Data Ownership
Three privacy-first providers support self-hosting:
Umami: MIT licensed, Node.js, 2.4 KB transfer. Supports PostgreSQL or MySQL. Minimal feature set (pageviews, events, referrers) but the lowest operational overhead.
Rybbit: Open-source, 9 KB transfer. Includes CWV collection. More APIs than Umami but still cookie-free.
Plausible: Self-hosted option available. 1.9 KB transfer, 2 APIs. The most minimal footprint of any self-hostable option.
For teams that need full data ownership without the operational weight of Matomo or PostHog, these three cover the spectrum from minimal (Plausible/Umami) to feature-rich (Rybbit).
Choosing Between Them
The seven providers cluster into three tiers based on what they collect:
Tier 1 - Minimal (2 APIs, sub-3 KB): Vercel, Plausible, Fathom. If you want the absolute smallest privacy surface and don't need CWV collection, these are the right default. Plausible has the best standalone dashboard. Vercel is zero-config if you're already on Vercel. Fathom offers flat pricing for high-traffic sites.
Tier 2 - With CWV (4-7 APIs, 9-11 KB): Cloudflare, Rybbit, Databuddy. If you want Core Web Vitals data alongside analytics without adding a separate monitoring tool, these bundle it in. Cloudflare is free. Rybbit and Databuddy are open-source and self-hostable.
Tier 3 - Traditional: GA4 and Matomo use 8 APIs each including cookies, mutationObserver, and more. They offer deeper features (audiences, heatmaps, A/B tests) but at a measurably higher privacy and performance cost.
For most Nuxt apps: start with a Tier 1 provider. Add a Tier 2 if you need CWV. Only reach for Tier 3 if you need specific features that privacy-first tools don't offer.
Last reviewed: March 2026