Full Data Ownership
Your analytics live in hitkeep.db — one file on your server. Export everything in JSON, CSV, or Parquet. No retention limits. No vendor lock-in. Your data is always portable.
HitKeep
Open Source · MIT Licensed · Self-Hosted
Sovereign Web Analytics.
Deploy on your servers, in your jurisdiction, under your security policy. HitKeep is a single auditable binary — no PostgreSQL, no Redis, no ClickHouse, no external service calls. Your traffic data never leaves your network.
Full analytics dashboard. Your data, your server, your rules.
For Organizations That Own Their Data
Not a SaaS. Not a Vendor.
Yours.
Most analytics tools are built around the assumption that sending your visitors’ data to a third-party cloud is acceptable. For government agencies, healthcare organizations, financial services firms, and security-conscious teams, it is not. HitKeep is built on the opposite assumption.
Government Agencies
Deploy on classified or air-gapped networks. No outbound connections required. Full source code available under MIT license for security review and procurement processes.
Healthcare Organizations
Cookie-free tracking processes no personal identifiers. Data never leaves your HIPAA-compliant infrastructure. No third-party data processors to disclose.
Financial Services
Full data sovereignty. Export your complete analytics history in open formats (Parquet, JSON, CSV) at any time. No vendor lock-in. Audit your data pipeline end to end.
Enterprise IT & Security Teams
Single binary with minimal attack surface. RBAC across all sites. WebAuthn hardware key authentication. Kubernetes StatefulSet with PVC. Health and readiness probes.
Features
Everything Needed.
Nothing Extra.
Conversion tracking, multi-step funnels, hardware-key authentication, and automated reports — all built in, all running on your server.
Goals & Conversion Tracking
Multi-Step Funnels
TOTP & Passkeys (WebAuthn)
Scheduled Email ReportsCompliance
Compliant by Design,
Not by Configuration
GDPR — Article 5
Cookie-free by default. No personal identifiers stored. No consent banner required under the ePrivacy Directive. Data minimization built in.
Zero Telemetry
HitKeep makes no outbound network calls from the server process. Your traffic data, your user list, your analytics — none of it leaves your network unless you export it.
Data Sovereignty
Choose your jurisdiction: on-premise on your own hardware, EU region (Frankfurt, strict GDPR), or US region. You decide where the data physically resides.
Air-Gap Deployable
A single binary with zero runtime dependencies. No package manager, no container registry pull, no external service calls. Runs in fully disconnected network environments.
WebAuthn / Passkeys
Hardware security key authentication (YubiKey, FIDO2) and platform authenticators (Face ID, Windows Hello). TOTP included as a second option. Not a paid add-on.
Open Source Audit
Full source code under MIT license on GitHub. Audit the entire codebase. No proprietary binaries, no obfuscated code, no telemetry hidden in dependencies.
Architecture
One Binary.
Everything Included.
01
Download
One binary (~80 MB). Runs on Linux, macOS, Windows, and ARM. No runtime, no package manager, no container required.
curl -L …/hitkeep-linux-amd64 -o hitkeep && chmod +x hitkeep02
Configure
Set your domain and a JWT secret. No database provisioning. DuckDB and NSQ are embedded and start automatically.
./hitkeep -public-url=“https://analytics.example.com” -jwt-secret=”…“03
Track & Own
Add a 2 KB cookie-free snippet to your site. Analytics flows into your embedded DuckDB database. Export any time, forever.
<script async src=“https://analytics.example.com/hk.js”></script>Why HitKeep?
Section titled “Why HitKeep?”Zero External Dependencies
DuckDB and NSQ are embedded directly into the binary. No containers to orchestrate. No databases to provision. One process, one file to back up.
Goals, Funnels & UTM
Conversion goals (path or event-based), multi-step funnels, and UTM campaign attribution — all with fast timeseries rollups over DuckDB’s columnar storage.
Shareable Dashboards
Generate read-only share links for stakeholders, clients, or public dashboards. No account required to view. Revoke any time.
Email Reports
Scheduled digest emails and per-site reports. The built-in Report Worker dispatches over your SMTP server — no external cron jobs or queue services.
Cluster Ready
Start on a single $4 VPS. Scale to a Leader/Follower cluster with HashiCorp Memberlist gossip protocol. Health and readiness probes for Kubernetes.