# HitKeep > HitKeep is a privacy-first web analytics platform built on the principle that your data belongs to you. You can self-host it as a single Go binary with zero external service dependencies, or run it in HitKeep Cloud in EU or US regions. Data lives in DuckDB and can be exported at any time in open formats (JSON, CSV, Parquet). Current Linux release binaries target a modern glibc baseline (`glibc 2.34+`). HitKeep is designed for DevOps engineers, developers, and privacy-conscious site owners who want full ownership of their analytics data without managing complex infrastructure. The tracking snippet (hk.js) is under 2 KB, cookie-less by default, and respects Do Not Track headers. Core values: sovereignty, ownership, and freedom to export. Current version: v2.2.0 ## Key Documentation - [Introduction](/guides/introduction/): Architecture overview, single-binary philosophy, and feature summary - [Installation — Binary](/guides/installation/binary/): Download and run on bare metal or a VPS with systemd - [Installation — Docker Compose](/guides/installation/docker-compose/): Docker Compose setup with Caddy and Traefik examples - [Installation — Kubernetes](/guides/installation/kubernetes/): StatefulSet deployment with persistent volumes - [Trusted Proxies](/guides/installation/trusted-proxies/): Configure real client IP resolution behind reverse proxies - [Goals](/guides/analytics/goals/): Path-based and event-based conversion tracking - [Funnels](/guides/analytics/funnels/): Multi-step conversion funnel analytics - [Ecommerce Analytics](/guides/analytics/ecommerce/): GA4-inspired revenue, product, and source reporting - [AI Visibility Analytics](/guides/analytics/ai-visibility/): Track AI crawler fetches and correlate them with later AI-referred visits - [AI Chatbot Analytics](/guides/analytics/ai-chatbot-analytics/): Measure on-site assistant conversations, citations, handoffs, and assisted conversions - [Event Analytics](/guides/analytics/events/): Event timeseries, property breakdowns, and audience segmentation - [Period Comparison](/guides/analytics/comparison/): Period-over-period overlay with delta badges on all KPIs - [Custom Events](/guides/tracking/custom-events/): Browser and server-side custom event tracking - [UTM Parameters](/guides/tracking/utm-parameters/): Automatic UTM campaign attribution - [IP Exclusions](/guides/tracking/ip-exclusions/): Filter own traffic and known bots - [Bot and Spam Filtering](/guides/tracking/spam-filtering/): Block Matomo-listed referrer spam and Spamhaus-listed abuse networks - [Shareable Dashboards](/guides/sharing/dashboard-links/): Read-only share links for stakeholders - [Two-Factor Authentication](/guides/security/two-factor-authentication/): TOTP and WebAuthn/Passkeys setup - [Account Recovery](/guides/security/recovery/): Recovery codes, owner-only MFA reset, and CLI break-glass recovery - [API Clients](/guides/security/api-clients/): Personal and team-owned bearer tokens for programmatic access - [Verify Artifacts](/guides/security/verify-artifacts/): Cryptographic verification of binaries and Docker images - [Email Reports](/guides/notifications/email-reports/): Scheduled digest and per-site email reports - [Permissions & Roles](/guides/admin/permissions/): RBAC — instance and site-level roles - [Teams & Data Isolation](/guides/admin/teams/): Multi-tenant data isolation with per-team DuckDB databases - [Data Retention](/guides/data/retention/): Configurable per-site retention policies and Parquet archiving - [Data Takeout](/guides/data/takeout/): Open-format export in JSON, CSV, or Parquet (GDPR Article 20) - [Backups & Restore](/guides/data/backups-and-restore/): Single-tenant and multiteam backup strategies - [Disaster Recovery](/guides/data/disaster-recovery/): Recovery planning for production deployments - [S3 Backups](/guides/data/s3-backups/): AWS S3, MinIO, Cloudflare R2, and Backblaze B2 backup configuration - [Compliance Overview](/compliance/overview/): Product capabilities and deployment caveats for privacy compliance - [GDPR](/compliance/gdpr/): GDPR-oriented guidance for deploying HitKeep - [PECR and ePrivacy](/compliance/pecr-eprivacy/): PECR and ePrivacy-focused guidance for tracking and consent - [CCPA and CPRA](/compliance/ccpa-cpra/): California privacy-law guidance for HitKeep deployments - [Digital Sovereignty](/compliance/sovereignty/): Data residency, EU-first design, and jurisdictional control - [Configuration Reference](/reference/configuration/): All flags and environment variables - [Architecture](/reference/architecture/): DuckDB, NSQ, clustering, and frontend stack - [Security Overview](/reference/security/): Zero third-party requests, favicon proxy, zero telemetry, JWT, WebAuthn, rate limiting - [Tech Stack & Who It's For](/reference/tech-stack/): Full dependency list and target audiences ## Comparison Pages - [HitKeep vs Google Analytics (GA4)](/vs/google-analytics/) - [HitKeep vs Plausible Analytics](/vs/plausible/) - [HitKeep vs Umami](/vs/umami/) - [HitKeep vs Matomo](/vs/matomo/) - [HitKeep vs Fathom Analytics](/vs/fathom/) - [HitKeep vs Simple Analytics](/vs/simple-analytics/) - [HitKeep vs Cloudflare Web Analytics](/vs/cloudflare-web-analytics/) - [HitKeep vs PostHog](/vs/posthog/) - [HitKeep vs GoatCounter](/vs/goatcounter/) - [HitKeep vs Pirsch Analytics](/vs/pirsch/) - [HitKeep vs Piwik PRO](/vs/piwik-pro/) - [HitKeep vs Adobe Analytics](/vs/adobe-analytics/) - [HitKeep vs Rybbit](/vs/rybbit/) ## REST API - [API Reference](/api/): Full REST API documentation ## Release Tracking - [Changelog](/changelog/): Release history and shipped changes - [Public Roadmap](/support/roadmap/): What shipped in 2.2.0 and what is planned next ## Blog - [Blog](/blog/): Technical tutorials, deployment guides, and product updates - [How I Replaced Google Analytics](/blog/replace-google-analytics-single-binary/): Migration guide from GA4 to HitKeep - [Set Up Self-Hosted Analytics in 2 Minutes](/blog/setup-self-hosted-analytics-2-minutes/): Quickstart on a $4 VPS - [GA4-Inspired Ecommerce in a Single Binary](/blog/ga4-inspired-ecommerce-single-binary/): Ecommerce event model design - [Cookie-Less Analytics Explained](/blog/cookieless-analytics-gdpr-explained/): What cookie-free actually means for GDPR ## Cloud - [HitKeep Cloud](/cloud/): Managed hosting overview and region selection - [Start in EU Cloud](https://cloud.hitkeep.eu/signup): Create a hosted workspace in the EU region (Frankfurt) - [Start in US Cloud](https://cloud.hitkeep.com/signup): Create a hosted workspace in the US region (Virginia) ## Security Properties - Zero third-party frontend requests — all assets served from the user's own instance - No telemetry, no phone-home, no external license validation - Favicon images are proxied server-side via DuckDuckGo (no browser-to-third-party requests) - Air-gap compatible — fully operational with no outbound internet access - JWT in HTTP-only cookies (not accessible to JavaScript) - WebAuthn / FIDO2 Passkeys support (hardware security keys, platform authenticators) - TOTP 2FA (RFC 6238, compatible with all standard authenticator apps) - Recovery codes for MFA fallback - Sec-Fetch header validation on state-changing requests (CSRF protection) - Per-IP token bucket rate limiting on all public and login endpoints - LRU caching for auth and rate limiters - Cookie-free public tracking by default, but the tracker currently uses sessionStorage so PECR / ePrivacy analysis still depends on deployment and jurisdiction - Full source code audit: MIT license, GitHub public repository ## Technical Details - Language: Go 1.26+ - Database: Embedded DuckDB v2.5 (columnar OLAP, single file per tenant) - Queue: Embedded NSQ v1.3 (in-process, loopback only) - Ingest: Batch DuckDB appender for high-throughput writes - Clustering: HashiCorp Memberlist (gossip protocol, Leader/Follower) - Frontend: Angular v21 + PrimeNG + Tailwind CSS v4 - Tracking snippet: Rolldown-compiled hk.js (~2 KB, served from user's instance) - IP geolocation: phuslu/iploc (offline, embedded — no external geolocation API) - Localization: 5 languages (English, German, Spanish, French, Italian) - License: MIT - Source: https://github.com/pascalebeier/hitkeep ## Who It's For - DevOps engineers and platform teams who want one binary and one file to back up - Go developers who want an auditable, idiomatic Go analytics backend - Privacy-first organizations requiring cookie-less, DNT-respecting, no-fingerprint tracking - Enterprise and government bodies requiring data residency, air-gap support, and source audit - Homelabbers and indie hackers running on resource-constrained servers (Raspberry Pi, $6/month VPS) ## Contact - Maintainer: Pascale Beier - Email: mail@pascalebeier.de - Website: https://pascalebeier.de