OpenPanel ships a hosted MCP server with 38 tools at api.openpanel.dev/mcp — Claude, Cursor, Windsurf, or any custom AI agent can connect via Model Context Protocol and query your analytics data with natural language. One of only five tools in this directory with a real MCP server.
GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.
?GDPR✓ CompliantEU General Data Protection Regulation
EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. OpenPanel's posture: Legitimate interest. ?CCPA✓ CompliantCalifornia Consumer Privacy Act
California Consumer Privacy Act — rights for California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records. ?UK PECR✓ CompliantUK Privacy and Electronic Communications Regulations
UK Privacy and Electronic Communications Regulations sit on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent. ?SOC 2 · II✕ Not heldSOC 2 Type II
SOC 2 Type II — independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement. ?ISO 27001✕ Not heldISO/IEC 27001 information-security
ISO/IEC 27001 — international information-security management standard, certified by accredited bodies on a 3-year renewal cycle. ?HIPAA✕ Not heldUS HIPAA (with BAA)
US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.
Per-jurisdiction posture
🇫🇷
FranceCNILNo banner
Cookieless + no PII pattern aligns with GDPR Recital 26. No CNIL-specific assessment published.
?France · CNIL
Cookieless + no PII pattern aligns with GDPR Recital 26. No CNIL-specific assessment published. 🇬🇧
United KingdomUK ICO / PECRNo banner
PECR Reg 6 applies to cookies/local storage; OpenPanel uses neither.
?United Kingdom · UK ICO / PECR
PECR Reg 6 applies to cookies/local storage; OpenPanel uses neither. 🇩🇪
GermanyTTDSGNo banner
TTDSG §25 applies to terminal-device storage; cookieless mechanism avoids the §25 trigger.
?Germany · TTDSG
TTDSG §25 applies to terminal-device storage; cookieless mechanism avoids the §25 trigger. 🇮🇹
ItalyGaranteBanner recommended
Italian Garante is the strictest EU DPA. No Garante-specific ruling. Conservative reading recommends disclosure.
?Italy · Garante
Italian Garante is the strictest EU DPA. No Garante-specific ruling. Conservative reading recommends disclosure.
Sub-processors (4)
GDPR Art. 28 disclosure — third parties under DPA that may receive data.
🇩🇪
Hetzner Online GmbH
Cloud infrastructure and primary data storage (Germany)
Germany
🇺🇸
Cloudflare R2
Backup storage (EU region)
United States
PA🇪🇺
Payment processor (name not disclosed)
Billing — vendor states 'operating under EU data protection standards'
EU
TR🇪🇺
Transactional email provider (name not disclosed)
Account & system emails — vendor states 'EU data protection standards'
EU
● Collected
URLs visited and page titles
HTTP referrer + UTM parameters
Browser, OS, device type
Country and city (derived from IP, then IP discarded)
Custom events with properties
Daily-rotating anonymous visitor identifier
● Explicitly NOT collected
IP addresses (used transiently for geo + hash, then discarded)
Cookies or local storage entries on visitor devices
Cross-site tracking identifiers
Data retention
Analytics events: kept while account active, no enforced cap. Session replays: 30 days fixed. Backups deleted within standard rolling cycle.
Encryption
In transit: TLS on all endpoints
At rest: Hetzner-default disk encryption (not explicitly vendor-asserted)
DPAYes · click through
✦ AI & Modern Capabilities
How OpenPanel works with AI agents
Tier 2 — AI add-ons — 1 available. Selective AI footprint vs full suite.
✕AI ChatNot yet
Conversational natural-language interface
Vendor positions NL Q&A as MCP feature, not built-in chat UI
✓MCP ServerAvailable
Model Context Protocol — Claude / Cursor / Codex
Hosted MCP server with 38 tools — connects Claude, Cursor, Windsurf or custom AI agents Source ↗
✕Agent APINot yet
Programmatic AI-agent endpoints
Not advertised by vendor
✕AI InsightsNot yet
Anomaly detection / hypothesis / summaries
Highlights/changes engine marketed as analytics, not AI-generated insights
✕Export for AINot yet
Structured export formatted for LLM ingestion
Not advertised by vendor
Strengths & weaknesses
What makes OpenPanel worth a look — and where it falls short.
Real plans, real numbers — pulled from openpanel.dev (verified May 2026).
Trial
Trial/30 days
Full access
✓ No card required
Basic
$2/mo
5K events
✓ Unlimited sites
✓ All features
✓ Funnels + cohorts
Standard
$20/mo
100K events
✓ Unlimited sites
✓ All features
✓ Session replay
✓ Profiles
Pro
$90/mo
1M events
✓ Unlimited sites
✓ All features
✓ A/B testing
✓ Higher limits
Enterprise
$250/mo
5M events
✓ Custom support
✓ Higher API limits
Self-host
Free/free
Unlimited
✓ AGPL-3.0
✓ Docker Compose
✓ Postgres + ClickHouse + Redis
✓ You manage updates
Tech specs
Stack, repo health, deployment options — for engineers evaluating self-host.
Stack
Written inTypeScript
DatabasePostgreSQL + ClickHouse + Redis
BackendFastify + BullMQ
FrontendNext.js
HostingHetzner DE
BackupsCloudflare R2 EU
LicenseAGPL-3.0
Min specs~2 GB RAM · Docker
GitHub github.com/Openpanel-dev/openpanel
Stars★ 5,700
Forks0
Open issues0
Last commitrecently
Deploy
· Docker Compose
· Self-host on VPS
Used by
Companies and projects that publicly trust OpenPanel.
Midday.ai
Screenzen
Editor review
Independently reviewed by Mark Sutton, cross-checked against vendor documentation. Click any panel to expand.
+What it does well▾
OpenPanel ships a hosted MCP server with 38 tools at api.openpanel.dev/mcp — Claude, Cursor, Windsurf, or any custom AI agent can connect via Model Context Protocol and query your analytics data with natural language. One of only five tools in this directory with a real MCP server.
OpenPanel is the cheapest serious product analytics in the privacy-first lane — and it isn't close. $2.50/mo for 5K events versus Plausible's $9 floor, Fathom's $15 floor, and Mixpanel's $25-and-rising bracket means a side project, an indie SaaS, or an internal dashboard can buy real funnel + retention + cohort analysis for the price of a coffee.
The depth is what separates OpenPanel from the rest of this directory. Plausible gates funnels to its $39/mo Business tier and ships no user profiles or session replay; Fathom has none of these at any price. OpenPanel does all three, plus A/B testing, plus event-based goals — Mixpanel-grade product analytics, sold at Plausible-grade simplicity.
The Swedish-incorporated, Hetzner-DE-hosted, Cloudflare-R2-EU-backed-up stack gives the cleanest Schrems II posture in this peer group — no US sub-processors disclosed, no transatlantic data path. AGPL-3.0, run it on your own Hetzner box with PostgreSQL + ClickHouse, and have unlimited events forever.
−Weaknesses & gotchas▾
OpenPanel is a 2023 solo-founder project, and the disclosures show it. Carl Lindesvärd is the only public face; OpenPanel AB does not publish a team size, a status page URL, a named DPO, or a sub-processor changelog. The DPA names Hetzner and Cloudflare R2 — but the payment processor and the transactional email provider are described only as "operating under EU data protection standards." A SOC 2 auditor would flag that gap on day one.
There is no SOC 2, no ISO 27001, no HIPAA. Regulated buyers (healthcare, finance, US public sector) will be blocked at procurement.
There is no US data-residency option. Cloud is Hetzner Germany only. US-only-data customers must self-host.
The 5.7K-star repo is healthy, but contributor breadth is limited — practically a one-person project with community PRs. If Lindesvärd steps away, AGPL means the code survives, but the SaaS doesn't.
★Best for▾
Best for EU-based indie SaaS founders and mid-size B2C apps with 100K–1M events/mo who want Mixpanel-class funnels and retention without the Mixpanel bill. Public references include Midday.ai and Screenzen — that's the developer-founder crowd it's built for.
Real value at $20/mo (100K events): A side-project SaaS doing 50K pageviews and 50K custom events gets full funnels + cohort retention + user profiles + 30-day session replay — the exact stack a $300/mo Mixpanel seat provides.
Not for US healthcare or finance (no SOC 2 / HIPAA), procurement-heavy enterprise buyers (no certifications, no public status page), pageview-only WordPress blogs (Plausible is simpler), or teams that need >50M events/mo with white-glove onboarding (Mixpanel/Amplitude are still the answer at that scale).
⚡Setup walkthrough▾
WordPress (recommended): Install the official OpenPanel plugin from wordpress.org/plugins/openpanel/. Paste your Client ID. The plugin inlines op1.js (~2.3 KB), caches it locally for one week, and proxies events through your domain — defeating most ad-blockers.
Vanilla site: Add before . That's it for pageview tracking. Custom events: window.op('track', 'signup', { plan: 'pro' });.
SDKs: First-party packages for React, Vue, Next.js, Node, Python, Ruby, iOS, Android, React Native, Flutter. Server-side tracking is supported and recommended for revenue events.
Self-host:git clone Openpanel-dev/openpanel, docker compose up -d. Defaults to PostgreSQL + ClickHouse + Redis. Production deploy guide in repo. AGPL-3.0 — if you fork and modify the SaaS, you must publish source.
↔Migrating from GA4▾
No automated GA4 importer. Migration is a re-tagging exercise: swap the GA4 gtag.js snippet for OpenPanel's 2.3 KB tag, then re-implement custom events using OpenPanel's op('track', name, props) API. The naming model is event-name + properties, almost identical to GA4's event-name + parameters, so most teams port their event taxonomy 1:1 in a day.
Banner removal lift: This is the underrated win. GA4 in the EU effectively requires a Consent Mode v2 banner; OpenPanel — being cookieless, no-personal-data, EU-hosted — lets most EU sites drop the analytics banner entirely. Faster page loads, higher consented-traffic baseline, no Consent Mode dark traffic to model around.
Practical path: Run GA4 and OpenPanel in parallel for one calendar month, validate event counts match within 5%, then strip GA4 + the consent banner in a single deploy. Plan a half-day for tag rewrite and a half-day for funnel re-creation in OpenPanel's UI.
Help & FAQ
Where to get help with OpenPanel and the questions buyers email us about.
Yes. No tracking cookies are set on visitors. A daily-rotating anonymous identifier is hashed from (IP + user-agent + site salt); raw IP is discarded immediately. Dashboard login uses one server-side session cookie unrelated to tracking.
Can I avoid the GDPR cookie banner with OpenPanel?▾
Vendor's design supports a banner-free posture (no cookies + no personal data + EU hosting). OpenPanel does not cite specific CNIL/ICO/Garante opinions, so legal sign-off remains your responsibility — the technical posture is among the cleanest in this peer group.
Where is the data stored?▾
Hetzner data center in Germany (primary). Backups on Cloudflare R2 within the EU. No transfer outside the EEA per vendor's DPA.
What's the difference vs Plausible or Fathom?▾
OpenPanel does product analytics — funnels, retention cohorts, user profiles, session replay, A/B testing. Plausible and Fathom don't. If you only need pageview analytics, Plausible/Fathom are simpler. If you want Mixpanel-grade depth without the Mixpanel bill, OpenPanel is the differentiator.
Can I self-host?▾
Yes — AGPL-3.0 license, free, unlimited events. Stack: PostgreSQL + ClickHouse + Redis + Node.js, deployed via Docker Compose. Same features as Cloud.
How long is data retained?▾
Analytics events: kept while your account is active, no enforced cap. Session replays: 30 days fixed.
Is there a free hosted tier?▾
No permanent free Cloud tier — only a 30-day trial without a credit card. Self-host is free and unlimited under AGPL-3.0.
