GDPR · 16 tools

GDPR-compliant analytics tools — verified, not just claimed

A short list of analytics tools that actually meet GDPR requirements after a Schrems II audit. We checked sub-processors, hosting jurisdiction, and DPA availability for each.

Independently researched by Mark Sutton · No affiliate links · How we test

Who this list is for

👤 EU compliance officer / DPO

Your legal team flagged GA4 in 2023 and you've been running on borrowed time. Every vendor claims 'GDPR compliant', but most fail when you read their sub-processor list. You need tools that survive a Schrems II review.

Why "GDPR-compliant" is a meaningless badge

Every analytics vendor in 2026 has the words "GDPR-compliant" on their landing page. That includes a few tools whose own sub-processor lists violate Schrems II. The problem isn't that vendors lie — it's that "GDPR-compliant" has no testable definition. The DPO at your company will verify it the hard way: by reading the DPA, the sub-processor list, and the actual data flow.

This list cuts that work. Every tool below was checked against the four facts that matter to a Schrems II-aware compliance officer: (1) EU-only data residency with no transfers to US sub-processors without active SCCs; (2) downloadable, readable DPA before signing; (3) documented sub-processor list with countries and roles; (4) a real EU legal entity on the contract — not just a Delaware LLC with an EU office.

Schrems II compliance: the four facts that matter

Of the 21 web-analytics tools we list, only the subset below has all four. The other tools are perfectly fine analytics products — many are cookieless and privacy-friendly — but they fail at least one of the four facts above. A common failure mode: a US-incorporated SaaS that hosts data in EU regions but routes through Cloudflare US edge nodes and uses a US-based payment processor as a sub-processor. That works for most use cases, but not for a regulated buyer with a strict Schrems II posture.

The hierarchy of GDPR rigor

Within this short list, there are still levels:

  1. Self-host any open-source option (Matomo on-prem, Umami self-host, Plausible CE). You're the data controller AND processor; sub-processors are whatever you choose. The hardest tier to fault legally — also the most ops work.
  2. EU-only managed SaaS with audited frameworks (Piwik PRO, Wide Angle). Real EU GmbH on the DPA, ISO 27001 + SOC 2 Type II, named EU-only sub-processors.
  3. Cookieless EU-hosted SaaS with strong DPA (Plausible, Fathom, Pirsch). Vendor-managed, but the privacy posture is well-documented and survives a German DPA review.

The two questions your legal team will ask

Before you pitch a tool to procurement, get the answer to these:

  • "Where does the data physically reside, including backups?" The right answer names the cloud region (e.g., "Hetzner DE Falkenstein, with backups in Hetzner DE Helsinki"). The wrong answer is "EU-region" without specificity, or "we use AWS" without a region commitment.
  • "Show me the active SCC for any non-EU sub-processor." Even if the primary is EU-only, payment, support, and email may route through US providers. The right answer is "we have SCCs with [X], here's a redacted copy." The wrong answer is silence or "our DPA covers it."

What to do next

If you need an enterprise-grade audit trail with HIPAA + ISO 27001 + SOC 2 Type II: Piwik PRO. If you need a cookieless tracker with a clean Schrems II posture and a $10/mo entry: Plausible. If your legal team rejected GA4 specifically because of US data flow: self-host one of the open-source options. Read each tool's review for the DPA clauses that matter to your contract.

The 16 tools that qualify

Independently audited for GDPR compliance — not just self-attested. Each tool below has documented EU-only data residency, no transfers to US sub-processors without SCCs, and a downloadable DPA you can read before signing.

Plausible

🇪🇪 Estonia

Privacy-first GA alternative, EU-hosted, simple dashboard

  • Price: $9/mo
  • License: AGPL-3.0
  • Founded: 2018
Read full review →

Matomo

🇳🇿 New Zealand

Open-source self-hosted analytics, formerly Piwik

  • Price: $29/mo
  • License: GPL-3.0-or-later
  • Founded: 2007
Read full review →

Fathom Analytics

🇨🇦 Canada

Cookieless privacy analytics with EU Isolation by default, founder-led since 2018

  • Price: $15/mo
  • License: Proprietary (closed-source SaaS)
  • Founded: 2018
Read full review →

Cabin

🇬🇧 United Kingdom

Privacy-first carbon-aware analytics — built-in CO2 reporting per pageview, only directory tool with sustainability dashboard. UK solo-maintained Nic Mulvaney LTD

  • Price: Free
  • License: Closed-source SaaS
  • Founded: 2022
Read full review →

Databuddy

🇺🇸 United States

AI-native observability suite — analytics + Web Vitals + errors + feature flags + uptime + short links + Databunny AI chat in one AGPL tracker, EU-hosted Hetzner DE

  • Price: Free
  • License: AGPL-3.0
  • Founded: 2025
Read full review →

GoatCounter

🇮🇪 Ireland

Solo-developer cookieless analytics — single binary on SQLite, EUPL-1.2 license

  • Price: Free
  • License: EUPL-1.2 (server) · ISC (count.js)
  • Founded: 2019
Read full review →

Litlyx

🇮🇹 Italy

Italian Apache-2.0 cookieless web + product + UTM marketing analytics with AI chat — Hetzner Germany, €8.99 entry, 48h breach notification

  • Price: $8/mo
  • License: Apache 2.0
  • Founded: 2024
Read full review →

OpenPanel

🇸🇪 Sweden

Open-source bridge web→product analytics — Mixpanel power, Plausible simplicity, $2.50 entry, EU-hosted Sweden

  • Price: $2/mo
  • License: AGPL-3.0
  • Founded: 2023
Read full review →

Pirsch

🇩🇪 Germany

Cookieless EU-hosted analytics built in Germany, with open-source AGPLv3 core

  • Price: $6/mo
  • License: Closed-source SaaS · open-source AGPLv3 Go core
  • Founded: 2021
Read full review →

Piwik PRO

🇵🇱 Poland

Enterprise GDPR-strict analytics suite — ISO 27001 + SOC 2 Type II + HIPAA BAA, multi-region SaaS, Polish closed-source (forked from Matomo 2016)

  • Price: $38/mo
  • License: Commercial (closed-source SaaS / on-premises)
  • Founded: 2013
Read full review →

Rybbit

🇺🇸 United States

Modern open-source GA replacement with cookieless tracking, session replay, and Web Vitals — AGPL, EU-hosted, lightweight

  • Price: $13/mo
  • License: AGPL-3.0
  • Founded: 2025
Read full review →

Seline

🇵🇱 Poland

SaaS-friendly cookieless analytics with funnels, user profiles, and AI chat — flat $14/mo, EU-hosted Germany

  • Price: Free
  • License: Closed-source SaaS (tracker MIT)
  • Founded: 2024
Read full review →

Swetrix

🇬🇧 United Kingdom

Open-source privacy-first analytics with errors, funnels, A/B, feature flags — AGPL-3.0, EU-hosted, 50 sites included

  • Price: $19/mo
  • License: AGPL-3.0
  • Founded: 2021
Read full review →

Visitors

🇺🇸 United States

Real-time globe + RUM Web Vitals + revenue attribution, GPC + DNT honored — only directory tool checking GPC. US Delaware LLC, EU-hosted Hetzner

  • Price: $9/mo
  • License: Closed-source SaaS
  • Founded: 2025
Read full review →

Wide Angle Analytics

🇩🇪 Germany

Strict EU-only privacy-first analytics on OVHcloud — German GmbH, external DPO, 50-100 sites per plan, $15 entry

  • Price: $15/mo
  • License: Closed-source SaaS
  • Founded: 2021
Read full review →

Side-by-side

Six facts that decide the call. Sortable.

Tool Entry price Self-host EU-only Cookieless Open source
Plausible $9/mo Yes Yes Yes Yes
Matomo $29/mo Yes Yes No Yes
Fathom Analytics $15/mo No No Yes No
Simple Analytics Free No Yes Yes No
Cabin Free No Yes Yes No
Databuddy Free Yes Yes Yes Yes
GoatCounter Free Yes Yes Yes Yes
Litlyx $8/mo Yes Yes Yes Yes
OpenPanel $2/mo Yes Yes Yes No
Pirsch $6/mo No Yes Yes No
Piwik PRO $38/mo No No Yes No
Rybbit $13/mo Yes Yes Yes Yes
Seline Free No Yes Yes No
Swetrix $19/mo Yes Yes Yes Yes
Visitors $9/mo No Yes Yes No
Wide Angle Analytics $15/mo No Yes Yes No

Head-to-head comparisons in this category

  • Fathom Analytics vs Matomo Fathom is closed-source SaaS, premium price, polished UI. Matomo is open-source, self-hostable for free, deeper feature set but heavier script and steeper…
  • Fathom Analytics vs Plausible Both are top-tier privacy-first GA alternatives. Plausible is cheaper, has funnels in Business+, and is open-source. Fathom is pricier but bundles uptime…
  • Fathom Analytics vs Simple Analytics Both are polished privacy-first SaaS at the premium end. Fathom is unlimited-sites at $15/mo Starter (with bounce, session length, real-time visitors, an…
  • GoatCounter vs Plausible GoatCounter is free for under 100k pageviews and minimalist by design — no funnels, no goals, no event tagging. Plausible adds the…
  • Matomo vs Piwik PRO Matomo (founded 2007, GPL-3.0, NZ-operated) and Piwik PRO (founded 2013, closed-source, Polish) share a lineage — Piwik PRO began as consulting around…
  • Matomo vs Plausible Matomo is the heavyweight: every feature, self-hostable for free, but a 25KB script and a complex UI. Plausible trades depth for a…
  • Matomo vs Simple Analytics Matomo replicates GA4's feature depth (funnels, heatmaps, ecommerce) at €29/mo Cloud or free self-host. Simple Analytics ships a deliberately small SaaS at…
  • Pirsch vs Plausible Pirsch is German-hosted with cheaper entry ($6/mo) and better event/funnel tracking out of the box. Plausible has a larger ecosystem, GSC integration,…

Browse another category

COOKIELESS Cookieless analytics tools that work without a cookie banner OPEN SOURCE Open-source analytics tools — auditable code, owned data SELF-HOSTED Self-hosted analytics — run it on your own server