Best Privacy-First Analytics Compared: Plausible vs Fathom vs Umami + 4 More
Harlan Wilton 8 min read"Privacy-first" is a marketing label. The code tells a different story.
We decompiled every privacy-first analytics script in the Nuxt Scripts registry and ran AST analysis to catalogue exactly which browser APIs each one touches at runtime. No marketing claims, no privacy policy excerpts - what the script does.
The finding: even among the best privacy-first analytics tools, the API surface ranges from 2 to 7 browser APIs. That gap determines what data leaves your users' browsers.
How We Compared These 7 Privacy-First Analytics Tools
Browser APIs Used
AST-Verified| Provider | Cookies | Local Storage | Session Storage | User Agent | Screen | Languages | Beacon | Fetch | XHR | Perf Observer | Mutation Obs | Intersect Obs | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Vercel Analytics | — | — | — | — | — | — | — | — | — | — | 2 | ||
Plausible Analytics | — | — | — | — | — | — | — | — | — | — | 2 | ||
Fathom Analytics | — | — | — | — | — | — | — | — | — | — | 2 | ||
Umami Analytics | — | — | — | — | — | — | — | — | 4 | ||||
Cloudflare Web Analytics | — | — | — | — | — | — | — | — | 4 | ||||
Rybbit Analytics | — | — | — | — | — | 7 | |||||||
Databuddy Analytics | — | — | — | — | — | 7 |
All seven providers share one critical property: zero cookies. That's the baseline for any privacy-first Google Analytics alternative. But the similarity ends there.
The tools fall into three groups based on how many browser APIs they access:
- Minimal (2 APIs): Plausible Analytics, Fathom Analytics, Vercel Analytics
- Medium (3–4 APIs): Umami Analytics, Cloudflare Web Analytics
- Broader (6–8 APIs): Rybbit Analytics, Databuddy Analytics
None of these providers use fingerprinting APIs (canvas, WebGL, audioContext) or set cookies. The differences are in how much device and session context they collect alongside pageview data. Rybbit and Databuddy also use localStorage for persistent identifiers - still cookie-free, but with cross-session tracking capability.
cookies, mutationObserver, and intersectionObserver. The best privacy-first analytics tools use 2–8x fewer APIs than traditional analytics. See the full performance comparison for size and execution benchmarks.Plausible Analytics Review
Plausible Analytics is the most popular privacy-first Google Analytics alternative. It touches 2 browser APIs: localStorage (for session deduplication) and fetch.
- Privacy
- Generates a daily hash from the visitor's IP, user agent, and a rotating salt. Plausible purges the salt every 24 hours, making it impossible to reconstruct cross-day visitor chains - satisfying GDPR's anonymization threshold.
- Hosting
- Available. The most minimal footprint of any self-hostable privacy analytics option.
- Best for
- Teams that want the smallest privacy surface with the best standalone dashboard.
Fathom Analytics Review
Fathom Analytics matches Plausible's minimal API surface with 2 APIs: localStorage and sendBeacon.
- Privacy
- EU Isolation routes all EU visitor data through EU-based infrastructure, adding a layer of DPA compliance beyond the cookie-free baseline.
- Hosting
- No (SaaS only).
- Best for
- High-traffic sites that want flat pricing and strong EU data residency guarantees.
Umami Analytics Review
Umami Analytics is an open-source, self-hostable privacy analytics tool. It uses 3 APIs: localStorage, fetch, and screen (for viewport dimensions).
- Privacy
- Cookie-free, no persistent identifiers. Collects screen dimensions on top of the minimal baseline.
- Hosting
- MIT licensed, supports PostgreSQL or MySQL. Lowest operational overhead of any self-hosted option.
- Best for
- Developers who want full data ownership with minimal operational cost.
Cloudflare Web Analytics Review
Cloudflare Web Analytics uses 4 APIs: userAgent, sendBeacon, xhr, and performanceObserver - the extra APIs power built-in Core Web Vitals collection.
- Privacy
- Cookie-free. Cloudflare processes data on their infrastructure but does not sell or share it.
- Hosting
- No (tied to Cloudflare).
- Best for
- Sites already on Cloudflare that want free analytics with built-in CWV monitoring.
Rybbit Analytics Review
Rybbit Analytics is an open-source privacy analytics tool that touches 6 APIs including localStorage, performanceObserver, screen, and languages.
- Privacy
- Cookie-free. Uses
localStoragefor user IDs, which persists across sessions until manually cleared. Includes CWV collection. - Hosting
- Open-source and self-hostable.
- Best for
- Teams that want self-hosted analytics with Core Web Vitals built in.
Databuddy Analytics Review
Databuddy Analytics touches the most APIs at 8: localStorage, sessionStorage, performanceObserver, screen, languages, userAgent, sendBeacon, and fetch.
- Privacy
- Cookie-free. Uses both
localStorageandsessionStoragefor state. Broader device signal collection than other privacy-first tools, but no fingerprinting APIs. - Hosting
- Open-source and self-hostable.
- Best for
- Teams that want the most device context possible while staying cookie-free.
Vercel Analytics Review
Vercel Analytics is the most minimal option, touching 2 APIs: userAgent (device classification) and fetch.
- Privacy
- Cookie-free by default. Minimal data collection - no
localStorage, no session state. An opt-inenableCookieflag exists but defaults to off. - Hosting
- No (tied to Vercel platform).
- Best for
- Vercel-hosted apps that want zero-config analytics with the absolute smallest footprint.
Performance Comparison: All 7 Privacy-First Analytics Tools
Fewer APIs and smaller scripts translate directly to less main-thread work:
Privacy-First Performance
| Provider | Transfer | Decoded | Script | Task | Heap | CWV |
|---|---|---|---|---|---|---|
Vercel Analytics | 1.6 KB | 2.4 KB | 0ms | 6ms | +716KB | — |
Plausible Analytics | 1.9 KB | 2.9 KB | 1ms | 7ms | +759KB | — |
Fathom Analytics | 3.0 KB | 6.7 KB | 1ms | 8ms | +760KB | — |
Umami Analytics | 3.2 KB | 4.5 KB | 0ms | 6ms | +727KB | |
Rybbit Analytics | 9.3 KB | 26.0 KB | 2ms | 8ms | +755KB | |
Databuddy Analytics | 10.6 KB | 28.8 KB | 1ms | 8ms | +804KB | |
Cloudflare Web Analytics | 10.7 KB | 30.4 KB | 1ms | 7ms | +784KB |
Every privacy-first analytics provider stays under 2ms of script execution and 10ms of task duration.
The three providers that collect Core Web Vitals (Cloudflare, Rybbit, Databuddy) carry larger decoded sizes (25–30 KB) because the performanceObserver integration adds measurement code. That's a reasonable tradeoff if you want CWV data without a separate monitoring tool.
GDPR Compliance: Why Cookie-Free Analytics Win in 2026
The Consent Banner Problem
EU cookie acceptance rates dropped to 40–58% across member states in 2026 (CNIL guidance, February 2026). Cookie-based analytics like GA4 and default Matomo lose 40–60% of their traffic data to "Reject All" clicks. All seven privacy-first analytics tools in this comparison capture close to 100%.
Matomo's CNIL Exemption
Matomo is the only analytics platform with a formal consent exemption from France's data protection authority. The exemption requires IP masking, 13-month cookie caps, and no third-party data sharing. However, Matomo's default configuration uses cookies - you must explicitly configure cookie-free mode to qualify.
First-Party Mode: Recovering Ad-Blocked Data
25–45% of users block trackers (Blockthrough Ad-Block Report 2026). Even privacy-first scripts hosted on known domains (plausible.io, cloud.umami.is) get blocked at the DNS level.
Nuxt Scripts' first-party mode proxies analytics traffic through your own domain:
// nuxt.config.ts
export default defineNuxtConfig({
scripts: {
registry: {
plausibleAnalytics: {
domain: 'yourdomain.com'
}
}
}
})
Requests go to yourdomain.com/_scripts/plausible instead of plausible.io/js/script.js. Indistinguishable from a first-party request to most blockers. Data accuracy returns to near 100%.
Which Privacy-First Analytics Tool Should You Choose?
Quick Pick Guide
| Need | Best Pick | Note |
|---|---|---|
| Smallest privacy surface | Plausible or Vercel Analytics | 2 APIs |
| Best standalone dashboard | Plausible | — |
| Self-hosted, minimal | Umami | MIT, 3.2 KB |
| Self-hosted with CWV | Rybbit | — |
| Free, no setup | Cloudflare Web Analytics | — |
| Flat pricing, high traffic | Fathom | — |
| Zero-config on Vercel | Vercel Analytics | — |
| Most device context | Databuddy | cookie-free |
For most apps: start with Plausible Analytics, Fathom Analytics, or Vercel Analytics. Add Cloudflare Web Analytics or Rybbit Analytics if you need Core Web Vitals. Only reach for GA4 or Matomo if you need specific features that privacy-first analytics tools don't offer.
Last reviewed: March 2026