
Matomo Review (2026)

Open-source self-hosted analytics, formerly Piwik

🇳🇿 New Zealand · Since 2007 · GPL-3.0-or-later

Matomo Cloud holds ISO 27001:2022 certification — the only tool in this directory beyond Piwik PRO with formal third-party security attestation, and the only one of the three certified tools with a fully open-source GPL-3.0 codebase available for self-host.

— Mark Sutton, editor
Editor score: 4.3/5
Price: From $29/mo (Cloud + self-host)
GitHub: ★ 21,458 · 2,839 forks · last commit today
Hosting: Self-host ✓ · EU hosted · US hosted
Privacy passport

Matomo compliance at a glance

GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.

  • GDPR: Compliant. EU General Data Protection Regulation, the EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. Matomo's posture: Depends on config.
  • CCPA: Compliant. California Consumer Privacy Act, giving rights to California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records.
  • UK PECR: Compliant. The UK Privacy and Electronic Communications Regulations sit on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent.
  • SOC 2 Type II: Not held. Independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement.
  • ISO 27001: Compliant. ISO/IEC 27001 is the international information-security management standard, certified by accredited bodies on a 3-year renewal cycle.
  • HIPAA (with BAA): Not held. US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.

Per-jurisdiction posture

  • 🇫🇷 France · CNIL: No banner. CNIL has explicitly approved Matomo as a CNIL-exempted analytics tool when configured per their guidance (anonymized IP, opt-out only).
  • 🇬🇧 United Kingdom · UK ICO / PECR: Banner recommended. Cookie-based default trips PECR Reg 6. UK ICO guidance requires consent for non-strictly-necessary cookies.
  • 🇩🇪 Germany · TTDSG: Banner required. TTDSG §25 requires consent for cookies. Default Matomo install must show a banner in Germany.
  • 🇮🇹 Italy · Garante: Banner required. Italian Garante is the strictest in EU on analytics — banner required unless cookieless mode is explicitly enabled.

Sub-processors (5)

GDPR Art. 28 disclosure — third parties under DPA that may receive data.

  • InnoCraft Ltd · Legal entity (data processor for Cloud customers) · New Zealand
  • AC3 Cloud Services · AWS reseller / contract holder for Matomo Cloud (data stays in EU) · New Zealand
  • Amazon Web Services · Cloud hosting (servers, MySQL database — EU region) · Ireland
  • Stripe · Payment processing (Cloud subscriptions) · Ireland

Collected

  • URL of page visited
  • HTTP referrer
  • User-Agent (browser, OS, device)
  • Country/city (from IP — IP is anonymized by default)
  • Visitor session duration
  • Custom dimensions / events (if configured)

Explicitly NOT collected

  • Full IP address (last 1-3 octets are anonymized by default)
  • Cross-site tracking identifiers (when 1st-party cookies are used)
  • Personal information from form fields (unless explicitly tracked)

Data retention

Per matomo.org/pricing — Cloud (all tiers): Raw data retention 24 months · Report data retention Forever. Custom retention available for Enterprise on request. On-Premise (self-hosted): Forever for both raw + reports.

Encryption

  • In transit: TLS
  • At rest: Encrypted at rest (AWS-managed)

DPA: Yes · click through

AI & Modern Capabilities

How Matomo works with AI agents

Tier 2 — AI add-ons — 1 available. Selective AI footprint vs full suite.

  • AI Chat (conversational natural-language interface): Not yet. Natural-language querying via MCP client only — no built-in dashboard chat UI.
  • MCP Server (Model Context Protocol — Claude / Cursor / Codex): Available. Official Matomo MCP plugin — connects ChatGPT, Claude, OpenAI Codex via natural language.
  • Agent API (programmatic AI-agent endpoints): Not yet. Not advertised by vendor.
  • AI Insights (anomaly detection / hypothesis / summaries): Not yet. Not advertised by vendor.
  • Export for AI (structured export formatted for LLM ingestion): Not yet. Not advertised by vendor.

Strengths & weaknesses

What makes Matomo worth a look — and where it falls short.

Strengths 8

  • Full GA4 feature surface (heatmaps, funnels, recordings)
  • Self-hostable AGPL/GPL with Premium Bundle option
  • CNIL exemption single-click toggle
  • ISO 27001:2022 certified Cloud
  • Built-in Tag Manager (no separate install)
  • Native GA Importer (UA + GA4)
  • EU AWS hosting + EU adequacy chain
  • Real institutional users (EC, UN, Amnesty, noyb)

Weaknesses 6

  • Heavy ~23 KB tracker (vs 1 KB peers)
  • PHP + MySQL ops burden on self-host
  • Premium plugins $99–$259/yr each
  • Cookieless mode is opt-in, not default
  • No PostgreSQL or ClickHouse — MySQL lock-in
  • 2,500+ open issues — large backlog

Feature matrix

All 38 verified checks across 4 categories.

Tracking & Reporting 15

  • Pageviews & visitors Yes
  • Live visitor count Yes
  • Top pages report Yes
  • Top referrers Yes
  • UTM campaign tracking Yes
  • Country & city breakdown Yes
  • Device, browser, OS Yes
  • Bounce / engagement Yes
  • Time on site Yes
  • Custom events Yes
  • Goals / conversions Yes
  • Funnels ~Partial
  • Outbound link tracking Yes
  • File download tracking Yes
  • 404 / error tracking Yes

Privacy & Compliance 9

  • Cookieless by default ~Partial
  • No personal data collected ~Partial
  • GDPR-compliant out of the box ~Partial
  • Data hosted in EU Yes
  • Data hosted in US Yes
  • Self-hostable Yes
  • Open source Yes
  • Data retention period Configurable
  • Bot & spam filtering Yes

Setup & Integrations 10

  • Script weight (KB) 23
  • Single-snippet install Yes
  • WordPress plugin Yes
  • Proxy / first-party domain Yes
  • Public API Yes
  • Data export (CSV/JSON) Yes
  • Google Search Console connector No
  • Email digests Yes
  • Slack / webhook alerts No
  • Public shareable dashboard Yes

Pricing & Plans 4

  • Free tier exists No
  • Entry price ($/mo) $29/mo
  • Price at 100k pageviews ·
  • Unlimited sites on entry plan Yes

Pricing tiers

Real plans, real numbers — pulled from matomo.org (verified May 2026).

Self-hosted · Free · Unlimited

  • ✓ Full OSS core
  • ✓ Premium plugins sold separately
  • ✓ You manage updates

Trial · 21 days · Full access

  • ✓ No credit card
  • ✓ All Cloud features

Starter · $29/mo · 50k hits

  • ✓ 30 sites + 30 users
  • ✓ Email support
  • ✓ GA Importer
  • ✓ GDPR Manager

Business · Custom · Up to 1M hits

  • ✓ + Heatmaps + Session Recording
  • ✓ + A/B Testing
  • ✓ + Funnels
  • ✓ + Form Analytics
  • ✓ CSM included

Enterprise · Custom · 10M+ hits

  • ✓ + Multi-Channel Attribution
  • ✓ + Tag Manager containers
  • ✓ SLA + SSO
  • ✓ Contact sales

Tech specs

Stack, repo health, deployment options — for engineers evaluating self-host.

Stack

  • Written in: PHP 8
  • Database: MySQL 8 / MariaDB
  • Frontend: Twig + Vue 3 + jQuery (legacy)
  • Cache/queue: Redis (optional, high traffic)
  • License: GPL-3.0-or-later
  • Min specs: 2 CPU · 2 GB RAM · 50 GB SSD (≤100k pv/mo)

GitHub github.com/matomo-org/matomo

  • Stars: ★ 21,458
  • Forks: 2,839
  • Open issues: 2,542
  • Last commit: today

Deploy

  • Docker
  • docker-compose
  • WordPress plugin (100,000+ active installs)
  • LAMP tarball
  • Cloudron

Used by

Companies and projects that publicly trust Matomo.

European Commission
United Nations
Amnesty International
noyb
Stockholm University

Editor review

Independently reviewed by Mark Sutton, cross-checked against vendor documentation.

What it does well

Matomo Cloud holds ISO 27001:2022 certification — the only tool in this directory beyond Piwik PRO with formal third-party security attestation, and the only one of the three certified tools with a fully open-source GPL-3.0 codebase available for self-host.

Official Matomo MCP server (2025-2026) lets Claude, ChatGPT, and OpenAI Codex query your analytics data via natural language through Model Context Protocol. Listed on matomo.org/integrate alongside Slack and PowerBI as a first-class peer — concrete evidence Matomo is keeping pace with the AI tooling shift.

17-year track record under InnoCraft Ltd in New Zealand, hosted on AWS Europe via AC3. Customer base spans EU Commission, NASA JPL, Sharp, WikiHow — enterprise credibility unmatched in the privacy-first segment outside Piwik PRO. Premium plugins ship heatmaps, session recordings, A/B testing, form analytics, media analytics, and GDPR Manager.

Fully self-hostable under GPL-3.0 — drop on a $5 PHP/MySQL VPS, no copyleft contagion for derivative work, no enterprise license fees.

Weaknesses & gotchas

The tracker is heavy. ~23 KB gzipped (~218 KB uncompressed) script vs ~1 KB for Plausible/Umami. On a content site with strict Core Web Vitals targets, that hurts. Tune CDN + first-party proxy and it gets manageable.

Self-host needs ops. PHP 7.2.5+ (8.x recommended) + MySQL 8 / MariaDB + Apache/Nginx + archiving cron + Redis (for high traffic). Half a day for a clean LAMP install; longer with reverse proxy + GeoIP + SSL. Without a sysadmin, this will eat your week.

"Free self-host" gets expensive once you scale. Heatmaps & Session Recording $259/yr, A/B Testing $219/yr, Funnels $229/yr, Form Analytics $199/yr — the Premium Bundle is $1,899/yr. Cloud users get all of it included; self-hosters pay à la carte.

Cookieless mode is opt-in. Default install uses first-party cookies. CNIL exemption mode (one-click since April 2026) auto-applies the 12+ settings needed for no-banner audience measurement, but the same config has not been blessed by every EU DPA — Germany's DSK and Italy's Garante require case-by-case review.

Cloud is not HIPAA-compliant. No BAA offered. US healthcare teams need to self-host on a HIPAA-eligible infra (e.g., AWS with BAA) and configure Matomo to meet HIPAA requirements themselves.

Best for

Best for EU public sector and compliance-first organizations (Europa Analytics is built on it), mid-to-large WordPress shops needing the full GA feature surface, and self-host enthusiasts with a sysadmin. The CNIL one-click compliance toggle makes it a defensible choice for French-market sites that legally must avoid consent banners.

Real value comes at Business+ tier on Cloud — that's where heatmaps, funnels, A/B testing, and form analytics unlock without per-plugin licensing.

Not for indie SaaS / solo founders who just want a lightweight pageview counter (Plausible or Umami win on simplicity), performance-sensitive marketing sites where 23 KB matters, or teams without Linux ops capability.

Setup walkthrough

Cloud (managed):
1. Sign up at matomo.org/cloud → 21-day trial, no credit card.
2. Add a site → get a single JS snippet.
3. Paste it in the <head> of every page.
4. Heatmaps, funnels, A/B testing all bundled. ~30 min to first dashboard.

On-Premise (self-host):
1. PHP 7.2.5+ (8.x recommended) + MySQL 8 / MariaDB on a 2 CPU / 2 GB RAM VPS (handles ≤100k pv/mo).
2. Either pull the official Docker image (docker pull matomo:latest) or untar the LAMP package.
3. WordPress users: install the Matomo for WordPress plugin (matomo slug, 100,000+ active installs) — runs the full Matomo bundled inside WP.
4. Set up the archiving cron (./console core:archive). Without this, dashboards crawl past 50k pv/mo.
5. Half-day clean install, longer with reverse proxy + GeoIP + SSL + plugin licenses.

Migrating from GA4

Matomo offers a free GA Importer plugin that pulls historical Universal Analytics and GA4 data — but reviewers warn it's a shift in responsibility, not a tool swap.

Common gotchas:

  • GA4's event model doesn't map 1:1 to Matomo events — you redefine, not translate. Plan ~10 min per goal.
  • Google Ads conversions stop "just working" — you'll rebuild conversion plumbing through Matomo Tag Manager.
  • E-commerce dimensions don't always have Matomo equivalents.
  • KPIs drift for the first month — run both side-by-side and reconcile before dropping GA.

Recommended: parallel tracking for 30 days, then sunset GA. Don't expect identical numbers — Matomo defaults differ from GA4 (session timeout, bot filtering, IP handling).

Help & FAQ

Where to get help with Matomo and the questions buyers email us about.

Support

  • Hours: Mon-Fri 09:00-17:00 NZST/NZDT (UTC+12/+13)
  • Channels: Email · Forum · GitHub issues
  • Languages: English, French (community)
  • Response SLA: ~24h

FAQ (7)

Is Matomo really free?

Matomo On-Premise (the self-hosted edition) is free under GPL-3.0 — you pay only for the server and your own time. Matomo Cloud is the hosted SaaS, starting at €29/mo for 50,000 hits. Premium plugins (heatmaps, session recording, A/B testing) cost extra on self-host but are included on Cloud Business+.

Do I need a cookie banner if I use Matomo?

By default yes — Matomo uses 1st-party cookies and most EU jurisdictions require a banner under ePrivacy/PECR/TTDSG. CNIL (France) has issued specific guidance for a 'CNIL-exempted' configuration that doesn't need consent: anonymize IP, disable cross-site tracking, opt-out only. See Matomo's How-To-Configure-Matomo-with-CNIL guide.

How does Matomo Cloud differ from self-hosted On-Premise?

Cloud is fully managed — InnoCraft runs the servers, applies updates, includes premium plugins on Business+ tier, and bills monthly. On-Premise is the GPL-licensed source you run yourself on your VPS — free forever, but you handle upgrades, plugins, and scaling. Premium plugins cost €229+/yr on self-host.

Can I import my Google Analytics data into Matomo?

Yes — Matomo ships a free Google Analytics Importer plugin that pulls historical aggregate data from GA4 (and the older Universal Analytics) into Matomo. Custom dimensions and BigQuery exports do not migrate cleanly — those are GA-specific concepts.

Does Matomo support funnels and heatmaps?

Funnels: free on Cloud Business+, paid plugin (€229/yr) on self-host. Heatmaps & Session Recording: paid plugin (~€229/yr per site bracket) on both Cloud and self-host. A/B Testing and Form Analytics are also paid premium plugins.

Where is my data stored if I use Matomo Cloud?

Hetzner Online GmbH data centers in Gunzenhausen, Bavaria — exclusively in the EU. No transfer to non-EU jurisdictions for analytics data. InnoCraft (the legal entity operating Matomo Cloud) is incorporated in New Zealand.

Is Matomo compliant with HIPAA for healthcare sites?

No — Matomo does not offer a HIPAA Business Associate Agreement (BAA). If your site collects protected health information (PHI), you should not use Matomo Cloud. Self-hosted Matomo on your own infrastructure may be HIPAA-compatible if you handle the BAA chain yourself with your hosting provider.