Counter.dev
AGPL-3.0 ↻ 2026-04-29 Self-host ✓ Free

Counter.dev Review (2026)

Minimalist OSS hit-counter — solo-dev project, 1.1KB tracker, Pay-What-You-Want free model, no IP processed at backend

Since 2020 AGPL-3.0

Counter.dev is the privacy-first idea taken to its philosophical extreme. Read the source code: `backend/endpoints/track.go` never reads `r.RemoteAddr`. The backend literally does not see visitor IPs: Cloudflare extracts the country at the edge via the CF-IPCountry header and the backend works from that. There is no salt to rotate because there is no identifier to hash.

— Mark Sutton, editor
Editor score 3.5/5
From Free Cloud + self-host
GitHub ★ 1,004 48 forks · last commit 2026-04-29
Hosting Self-host ✓ EU hosted
Privacy passport

Counter.dev compliance at a glance

GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.

  • GDPR Compliant (EU General Data Protection Regulation): EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. Counter.dev's posture: Unclear.
  • CCPA (California Consumer Privacy Act): Not held. Rights for California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records.
  • UK PECR (UK Privacy and Electronic Communications Regulations): Not held. Sits on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent.
  • SOC 2 · II (SOC 2 Type II): Not held. Independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement.
  • ISO 27001 (ISO/IEC 27001 information-security): Not held. International information-security management standard, certified by accredited bodies on a 3-year renewal cycle.
  • HIPAA (US HIPAA, with BAA): Not held. US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.

Per-jurisdiction posture

  • 🇫🇷 France (CNIL): Unclear. Vendor explicitly says 'I don't know'; no legal posture published.
  • 🇬🇧 United Kingdom (UK ICO / PECR): Unclear. Vendor flags ePrivacy uncertainty.
  • 🇩🇪 Germany (TTDSG): Unclear. No published assessment.
  • 🇮🇹 Italy (Garante): Banner recommended. Italian Garante is strictest; no Garante-specific stance from vendor.

Sub-processors (3)

GDPR Art. 28 disclosure — third parties under DPA that may receive data.

  • Cloudflare: CDN front + edge IP→country lookup (United States)
  • GitHub Pages: Tracker script delivery (cdn.counter.dev/script.js) (United States)
  • PayPal: Payment processing (PWYW subscriptions) (United States)

Collected

  • Country code (via Cloudflare CF-IPCountry header)
  • Browser, OS, device type, screen size, language
  • Referrer hostname
  • Hour-of-day timestamp
  • Per-site rolling 30-line visit log

Explicitly NOT collected

  • IP address (NEVER read by backend code — verified in source)
  • Cookies on visitor devices (sessionStorage only, in-tab session-scope)
  • Cross-site identifiers
  • User fingerprints

Data retention

Hot tier (Redis): Today/Yesterday/ThisMonth/ThisYear with rolling expiry. Cold tier (SQLite archive): WEBSTATS_ARCHIVE_MAX_AGE env var configurable, but specific retention period NOT publicly disclosed by vendor.

Encryption

  • In transit: HTTPS (Cloudflare-managed)
  • At rest: Not disclosed

DPA: Not available

AI & Modern Capabilities

How Counter.dev works with AI agents

Tier 3 — no AI yet — vendor focuses on classic privacy-first analytics; no AI/MCP features advertised.

AI Chat Not yet

Conversational natural-language interface

Not advertised by vendor

MCP Server Not yet

Model Context Protocol — Claude / Cursor / Codex

Not advertised by vendor

Agent API Not yet

Programmatic AI-agent endpoints

Not advertised by vendor

AI Insights Not yet

Anomaly detection / hypothesis / summaries

Not advertised by vendor

Export for AI Not yet

Structured export formatted for LLM ingestion

Not advertised by vendor

Strengths & weaknesses

What makes Counter.dev worth a look — and where it falls short.

Strengths 6

  • Most extreme privacy mechanism — backend never reads visitor IPs
  • 1.1 KB tracker — among smallest in directory
  • Permanent free tier with no quotas, no feature gates
  • AGPL-3.0 self-host with full Cloud feature parity
  • Pay-What-You-Want — only directory tool with this model
  • Source-code transparency — every line auditable

Weaknesses 7

  • NO legal entity disclosed — solo dev
  • NO privacy policy / terms / DPA (/privacy returns 404)
  • Hosting region NOT disclosed
  • NO funnels, NO custom events, NO goals — pure hit counter
  • Domain expired once before (2025, issue #124)
  • Recent commits mostly copy edits since mid-2025
  • No DNT honoring, vendor itself flags ePrivacy ambiguity

Feature matrix

All 38 verified checks across 4 categories.

Tracking & Reporting 15

  • Pageviews & visitors Yes
  • Live visitor count ~Partial
  • Top pages report ~Partial
  • Top referrers Yes
  • UTM campaign tracking No
  • Country & city breakdown ~Partial
  • Device, browser, OS Yes
  • Bounce / engagement No
  • Time on site No
  • Custom events No
  • Goals / conversions No
  • Funnels No
  • Outbound link tracking No
  • File download tracking No
  • 404 / error tracking No

Privacy & Compliance 9

  • Cookieless by default Yes
  • No personal data collected Yes
  • GDPR-compliant out of the box ~Partial
  • Data hosted in EU ~Partial
  • Data hosted in US No
  • Self-hostable Yes
  • Open source Yes
  • Data retention period ·
  • Bot & spam filtering ~Partial

Setup & Integrations 10

  • Script weight (KB) 1
  • Single-snippet install Yes
  • WordPress plugin No
  • Proxy / first-party domain No
  • Public API ~Partial
  • Data export (CSV/JSON) Yes
  • Google Search Console connector No
  • Email digests No
  • Slack / webhook alerts No
  • Public shareable dashboard No

Pricing & Plans 4

  • Free tier exists Yes
  • Entry price ($/mo) Free
  • Price at 100k pageviews Free
  • Unlimited sites on entry plan Yes

Counter.dev vs alternatives

How it compares to the closest 3 rivals on key buyer-decision fields.

GoatCounter

Solo-developer cookieless analytics — single binary on SQLite, EUPL-1.2 license

  • From: Free
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless: Yes

Plausible

Privacy-first GA alternative, EU-hosted, simple dashboard

  • From: $9/mo
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless: Yes

Umami

Open-source self-hosted privacy analytics

  • From: Free
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless: Yes

Pricing tiers

Real plans, real numbers — pulled from counter.dev (verified May 2026).

Free (PWYW)

Free/forever

Unlimited

  • ✓ No quotas
  • ✓ No feature gates
  • ✓ All features
  • ✓ Optional donations

Donate €3/€5/€7

$3/mo

Unlimited

  • ✓ Pay-What-You-Want via PayPal subscription

Donate €20/€25/€30

$20/mo

Unlimited

  • ✓ Higher PWYW tier

Donate €70/€90/€120

$70/mo

Unlimited

  • ✓ Top PWYW tier

Self-host

Free/free

Unlimited

  • ✓ AGPL-3.0
  • ✓ Docker (counter.dev-selfhost, 26 stars)
  • ✓ Go + Redis + SQLite

Tech specs

Stack, repo health, deployment options — for engineers evaluating self-host.

Stack

  • Written in: Go
  • Hot tier: Redis (Today/Yesterday/Month/Year buckets with rolling expiry)
  • Cold tier: SQLite (configurable WEBSTATS_ARCHIVE_MAX_AGE)
  • Front: Cloudflare
  • Tracker delivery: GitHub Pages + Cloudflare
  • License: AGPL-3.0
  • Min specs: ~$5/mo VPS handles millions of pv/mo at 25% CPU

GitHub github.com/ihucos/counter.dev

  • Stars: ★ 1,004
  • Forks: 48
  • Open issues: 41
  • Last commit: 2026-04-29

Deploy

  • Cloud SaaS at counter.dev
  • Self-host via Docker (counter.dev-selfhost repo, 26 stars)

Editor review

Independently reviewed by Mark Sutton, cross-checked against vendor documentation.

What it does well

Counter.dev is the privacy-first idea taken to its philosophical extreme. Read the source code: backend/endpoints/track.go never reads r.RemoteAddr. The backend literally does not see visitor IPs: Cloudflare extracts the country at the edge via the CF-IPCountry header and the backend works from that. There is no salt to rotate because there is no identifier to hash.
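
To repeat this source check on a checkout of the backend or a self-host fork, a small static audit can flag both `.RemoteAddr` reads and string literals naming the headers a CDN uses to forward the client address, which behind Cloudflare matter as much as `RemoteAddr` itself. This is an added example, not code from Counter.dev or from this review; `AuditIPReads`, the header list and the sample handler are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Client-address headers (assumed list for this example, not from Counter.dev).
var ipHeaders = []string{"CF-Connecting-IP", "X-Forwarded-For", "X-Real-IP", "True-Client-IP", "Forwarded"}

// AuditIPReads parses Go source and reports each place that could read a
// visitor address: a .RemoteAddr selector or an IP-bearing header literal.
func AuditIPReads(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		switch v := n.(type) {
		case *ast.SelectorExpr:
			if v.Sel.Name == "RemoteAddr" {
				findings = append(findings, fmt.Sprintf("%s: reads .RemoteAddr", fset.Position(v.Pos())))
			}
		case *ast.BasicLit:
			s, err := strconv.Unquote(v.Value)
			for _, h := range ipHeaders {
				if err == nil && v.Kind == token.STRING && strings.EqualFold(s, h) {
					findings = append(findings, fmt.Sprintf("%s: names header %q", fset.Position(v.Pos()), s))
				}
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	// Constructed sample handler, not Counter.dev's code.
	sample := "package x\nimport \"net/http\"\nfunc h(r *http.Request) string {\n" +
		"\t_ = r.Header.Get(\"CF-IPCountry\")\n\treturn r.Header.Get(\"cf-connecting-ip\")\n}\n"
	findings, err := AuditIPReads("sample.go", sample)
	fmt.Println(findings, err)
}
```

An empty result for every file under the backend directory supports the "no IP processed" claim for that revision; any finding is a line to read by hand, since a literal can appear without being used to fetch a header.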

The tracker is 1.1 KB. The whole stack is a Go server + Redis (hot tier) + SQLite (cold archive) running on a single ~$5/mo VPS that the developer (ihucos) says serves "millions of unique visits per month at 25% CPU." The frontend is a small set of Web Components, the dashboard polls and shows hourly/daily numbers near-realtime.

Pricing is Pay-What-You-Want — permanent free tier with no quotas, no feature gates, optional donation tiers from €3/mo via PayPal. Self-host is AGPL-3.0 with a Docker recipe at github.com/ihucos/counter.dev-selfhost. License-wise it sits in the same camp as Plausible (AGPL-3.0) but with the indie-craft sensibility of GoatCounter.

Weaknesses & gotchas

Counter.dev is a solo-dev project with no legal entity, no privacy policy, and no published hosting region. /privacy returns 404. /terms returns 404. /about returns 404. There is no DPA. The domain has expired in the past (issue #124, 2025). There are no third-party security certifications.

For procurement, this is disqualifying — there is no vendor to point a security questionnaire at. For accountable analytics, GoatCounter (Martin Tournoij sole-trader, IE, full privacy policy, Hetzner FI+DE) is the same idea done professionally.

Feature breadth is minimal by design. No funnels, no custom events, no goals, no A/B testing, no error tracking, no heatmaps, no email reports. The /track endpoint accepts pageviews and that's it; there is literally no events endpoint in the backend code. If you need product analytics, look at OpenPanel ($2.50 entry, AGPL self-host) or Umami ($0/$20, MIT).

Recent commit cadence (2025-2026) is mostly copy edits and blog posts, not feature work. Bus factor is one. DNT honoring is a site-level localStorage flag only; it does NOT respect the browser-level navigator.doNotTrack signal (which only Fathom does in this directory).

Best for

Best for: indie developers, hobbyists, side projects, personal blogs, GitHub-Pages-deployed sites — anyone whose analytics need is "I want a number that says how many people visited yesterday and where they came from" with the strongest possible privacy posture.

Real value at $0: Counter.dev's permanent free tier covers virtually any small-site need. The optional €3+/mo PWYW model is genuinely optional — there are no quotas, no feature gates.

Not for: Anyone running marketing campaigns that need conversion attribution; anyone in a regulated industry (no DPA, no certifications); anyone whose security review requires a published privacy policy from the analytics vendor; anyone whose embedding site is itself subject to enterprise procurement; anyone who needs funnels, goals, or events. For all of those use cases, look at Plausible ($9 entry, full vendor accountability) or Umami ($0/$20, named legal entity).

Setup walkthrough

Single snippet drop-in. Sign up at counter.dev (no credit card), get a data-id token, paste:

`html

`

That's it. Tracker is 1.1 KB, fires once per tab via sessionStorage flag, sends a single fetch POST to t.counter.dev/track with country (via Cloudflare), referrer, screen size, language. No multi-page tracking by default — the optional external tracker (cdn.counter.dev/script.js) handles pageview tracking on subsequent pages.

Self-host: clone github.com/ihucos/counter.dev-selfhost, set Redis + Mailgun-or-SMTP + cookie/password salt env vars, docker-compose up. Same code as Cloud. Stack is Go + Redis + SQLite. AGPL-3.0 means SaaS forks must publish source.

Custom events / funnels / goals: None of these exist. If you need them, Counter.dev is not the right tool.

Migrating from GA4

Migration from GA4 doesn't really apply — Counter.dev tracks pageviews, country, referrers, and basic device breakdowns. There is no event taxonomy to port, no funnels to recreate, no goals to redefine. Just paste the script and you're done.

Banner removal: The vendor itself flags ePrivacy ambiguity ("I don't know" — verbatim from FAQ). Counter.dev does NOT formally self-certify consent-free deployment. If banner removal is a hard requirement, Plausible, GoatCounter, or Wide Angle have clearer legal posture.

From GoatCounter: the pure web-counter migration is trivial — replace the snippet, the rendered metrics are similar (pageviews, top pages, country, referrers). You'll lose GoatCounter's UTM auto-capture, public dashboards, and team accounts. Most operators stay with GoatCounter once they're on it because the published privacy policy and legal entity are worth the $0 price differential.

Help & FAQ

Where to get help with Counter.dev and the questions buyers email us about.

Support

  • Hours: Async (solo developer) · Not disclosed
  • Channels: GitHub issues
  • Languages: English

FAQ (7)

Is Counter.dev really free?

Yes, permanently. The Pay-What-You-Want model means everything is free with optional donations starting at €3/mo via PayPal subscription. No quotas, no feature gates. Vendor states ~$5/mo VPS cost covers hundreds of active users via donations.

Where is my data stored?

Not disclosed by vendor. The site is Cloudflare-fronted and ihucos states it runs on a single ~$5/mo VPS (issue #114), but the hosting provider, region, and country are not published. The backend does NOT read visitor IP addresses — confirmed by source-code inspection (backend/endpoints/track.go).

Does Counter.dev set cookies?

No browser cookies on visitor devices. Uniqueness is enforced via sessionStorage._swa flag (in-tab session-scope) plus referrer inspection. No salt-rotation, no IP hashing — the most minimal mechanism in this directory.

Can I avoid the cookie banner with Counter.dev?

Vendor itself says 'I don't know' — explicitly flags ePrivacy Directive ambiguity. Counter.dev does not formally self-certify consent-free deployment. Buyers wanting clear banner-free posture should look at Plausible, Pirsch, GoatCounter, or Wide Angle.

Is there a privacy policy or DPA?

No. /privacy, /terms, /about all return 404. There is no published privacy policy, terms of service, DPA, or imprint. No legal entity is disclosed. Counter.dev is a solo-developer project, not a vendor with contractual compliance posture.

Does Counter.dev have funnels or events?

No. There is no events endpoint in the backend code — only /track and /trackpage. No funnels, no goals, no custom events, no A/B testing, no error tracking. Counter.dev is intentionally a minimal hit counter.

Is Counter.dev a sustainable choice for production?

It depends on your risk tolerance. The domain has expired once before (2025, issue #124). Recent commits (2025-2026) are mostly copy edits, not features. Solo developer (Irae Hueck Costa / ihucos), no SLA, no formal support. For a personal site or hobby project, fine; for a business that needs accountable analytics, look elsewhere.