Rybbit
AGPL-3.0 ↻ recently Self-host ✓ From $13/mo

Rybbit Review (2026)

Modern open-source GA replacement with cookieless tracking, session replay, and Web Vitals — AGPL, EU-hosted, lightweight

🇺🇸 United States Since 2025 AGPL-3.0

Session replay in a privacy-first tool — that's the rare combination. Pro tier ($26/mo) bundles rrweb-based replay alongside cookieless tracking. Plausible/Fathom/Umami don't ship replay at any price; for visual UX debugging without third-party tools (Hotjar, FullStory), Rybbit is the only direct option in this category.

— Mark Sutton, editor
Rybbit demo dashboard — Web Analytics + Product Analytics sidebar, KPI grid, Users chart, Referrers + Pages tables (demo.rybbit.com/81)
Editor score 4.1/5
From $13/mo Cloud + self-host
GitHub ★ 12,000 648 forks · last commit recently
Hosting Self-host ✓ EU hosted
Privacy passport

Rybbit compliance at a glance

GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.

  • GDPR: Compliant. EU General Data Protection Regulation, the EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. Rybbit's posture: Legitimate interest.
  • CCPA: Compliant. California Consumer Privacy Act, granting rights to California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records.
  • UK PECR: Compliant. UK Privacy and Electronic Communications Regulations, which sit on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent.
  • SOC 2 Type II: Not held. Independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement.
  • ISO 27001: Not held. ISO/IEC 27001, the international information-security management standard, certified by accredited bodies on a 3-year renewal cycle.
  • HIPAA: Not held. US HIPAA (with BAA), the US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.

Per-jurisdiction posture

  • 🇫🇷 France (CNIL): No banner. Cookieless + no PII pattern aligns with CNIL exemption for analytics. Vendor has not published CNIL-specific assessment.
  • 🇬🇧 United Kingdom (UK ICO / PECR): No banner. PECR Reg 6 applies only to cookies/local storage; Rybbit uses neither, so no PECR consent trigger.
  • 🇩🇪 Germany (TTDSG): No banner. TTDSG §25 applies to terminal-device storage; cookieless mechanism avoids the §25 trigger.
  • 🇮🇹 Italy (Garante): Banner recommended. Italian Garante is the strictest EU DPA on analytics — Rybbit-specific ruling not published; conservative reading suggests disclosure recommended.

Sub-processors (2)

GDPR Art. 28 disclosure — third parties under DPA that may receive data.

  • Rybbit (legal entity): Data processor for Cloud customers. United States.
  • ipapi.is: IP geolocation lookup (IP not retained after lookup). United States.

Collected

  • URLs visited and page titles
  • HTTP referrer + UTM parameters
  • Browser, OS, device type, screen resolution
  • Country and region (derived from IP)
  • Custom events and conversions
  • Anonymous session identifier (daily-rotating)

Explicitly NOT collected

  • IP addresses (used in-memory only for geo + hash, then discarded)
  • Cookies or local storage entries
  • Cross-site tracking identifiers
  • Personally identifying data (name, email, etc.)
Data retention

Cloud retention varies by plan: Standard 2 years, Pro 5 years, Enterprise infinite. Self-hosted retention is administrator-controlled.

Encryption
  • In transit: TLS
  • At rest: Encrypted at rest
DPA Yes · click through
AI & Modern Capabilities

How Rybbit works with AI agents

Tier 3 — no AI yet — vendor focuses on classic privacy-first analytics; no AI/MCP features advertised.

AI Chat Not yet

Conversational natural-language interface

Not advertised by vendor

MCP Server Not yet

Model Context Protocol — Claude / Cursor / Codex

Not advertised by vendor

Agent API Not yet

Programmatic AI-agent endpoints

Not advertised by vendor

AI Insights Not yet

Anomaly detection / hypothesis / summaries

Not advertised by vendor

Export for AI Not yet

Structured export formatted for LLM ingestion

Not advertised by vendor

Strengths & weaknesses

What makes Rybbit worth a look — and where it falls short.

Strengths 8

  • Session replay (Pro tier) — rare in privacy-first tools
  • Web Vitals + funnels + autocapture out of the box
  • EU-only hosting (Germany) — clean Schrems II
  • AGPL-3.0 fully open-source, free self-host
  • Cookieless with daily-rotating salt hash
  • ClickHouse backend scales to 20M+ pv/mo
  • Annual billing — 4 months free (~33% off)
  • 12k+ GitHub stars in first year of release

Weaknesses 6

  • No permanent free SaaS tier (only 7-day trial)
  • No SOC 2 / ISO 27001 / HIPAA certifications
  • No public DPA URL or signing flow documented
  • Self-host needs 2GB+ RAM and ClickHouse (heavier than Plausible/Umami)
  • DNT browser signal handling not documented
  • Founded 2025 — limited operational track record

Feature matrix

All 38 verified checks across 4 categories.

Tracking & Reporting 15

  • Pageviews & visitors Yes
  • Live visitor count Yes
  • Top pages report Yes
  • Top referrers Yes
  • UTM campaign tracking Yes
  • Country & city breakdown Yes
  • Device, browser, OS Yes
  • Bounce / engagement Yes
  • Time on site Yes
  • Custom events Yes
  • Goals / conversions Yes
  • Funnels Yes
  • Outbound link tracking Yes
  • File download tracking Yes
  • 404 / error tracking Yes

Privacy & Compliance 9

  • Cookieless by default Yes
  • No personal data collected Yes
  • GDPR-compliant out of the box Yes
  • Data hosted in EU Yes
  • Data hosted in US No
  • Self-hostable Yes
  • Open source Yes
  • Data retention period 12
  • Bot & spam filtering Yes

Setup & Integrations 10

  • Script weight (KB) ·
  • Single-snippet install Yes
  • WordPress plugin No
  • Proxy / first-party domain Yes
  • Public API Yes
  • Data export (CSV/JSON) Yes
  • Google Search Console connector No
  • Email digests Yes
  • Slack / webhook alerts ·
  • Public shareable dashboard ~Partial

Pricing & Plans 4

  • Free tier exists No
  • Entry price ($/mo) $13/mo
  • Price at 100k pageviews $13/mo
  • Unlimited sites on entry plan No

Rybbit vs alternatives

How it compares to the closest 3 rivals on key buyer-decision fields.

Plausible

Privacy-first GA alternative, EU-hosted, simple dashboard

  • From: $9/mo
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless: Yes

Umami

Open-source self-hosted privacy analytics

  • From: Free
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless: Yes

Fathom Analytics

Cookieless privacy analytics with EU Isolation by default, founder-led since 2018

  • From: $15/mo
  • Hosting: SaaS only
  • EU-hosted: Yes
  • Cookieless: Yes

Pricing tiers

Real plans, real numbers — pulled from rybbit.com (verified May 2026).

Trial

Trial/7 days

Full access

  • ✓ No card charged until trial ends
Standard

$13/mo

100k–20M+ pv

  • ✓ 5 sites
  • ✓ 3 team members
  • ✓ Custom events, funnels, goals
  • ✓ 2-year retention
  • ✓ Web Vitals
Pro

$26/mo

100k–20M+ pv

  • ✓ Unlimited sites
  • ✓ Unlimited team
  • ✓ Session replays (rrweb)
  • ✓ 5-year retention
  • ✓ Email reports + API
Enterprise

Custom

Custom

  • ✓ SSO
  • ✓ Infinite retention
  • ✓ On-premise install
  • ✓ White-label
  • ✓ Custom SLA
Self-host

Free/free

Unlimited

  • ✓ AGPL-3.0
  • ✓ Docker Compose
  • ✓ ClickHouse backend
  • ✓ You manage updates

Tech specs

Stack, repo health, deployment options — for engineers evaluating self-host.

Stack

  • Written in: TypeScript
  • Database: ClickHouse
  • Frontend: Next.js / React
  • Backend: Node.js
  • Reverse proxy: Caddy
  • Session replay: rrweb
  • License: AGPL-3.0
  • Min specs: 2 GB RAM · x86_64 or ARMv8.2-A+ · Docker

GitHub github.com/rybbit-io/rybbit

  • Stars: ★ 12,000
  • Forks: 648
  • Open issues: 115
  • Last commit: recently

Deploy

  • Docker Compose (automated installer)
  • Docker Compose (manual)
  • VPS bare-metal

Used by

Companies and projects that publicly trust Rybbit.

Convex
Onyx
Automatio
ustwo
MyDramaList
DTelecom
DPM.lol
Vanguard

Editor review

Independently reviewed by Mark Sutton, cross-checked against vendor documentation.

What it does well

Session replay in a privacy-first tool — that's the rare combination. Pro tier ($26/mo) bundles rrweb-based replay alongside cookieless tracking. Plausible/Fathom/Umami don't ship replay at any price; for visual UX debugging without third-party tools (Hotjar, FullStory), Rybbit is the only direct option in this category.

Out-of-the-box feature breadth. Funnels, retention cohorts, Web Vitals, JavaScript error tracking, click autocapture, outbound-link tracking, 3D globe visualization — all in the base Standard plan ($13/mo). Plausible gates funnels behind its $39 Business tier; Umami's funnel feature is a v3.1 Custom Boards add-on. Rybbit treats this as table stakes.

Self-host without compromise. AGPL-3.0 with Docker Compose installer. ClickHouse backend handles 20M+ pv/mo on commodity hardware. 12k+ GitHub stars in the first year — active community, not a dormant repo. EU-only Cloud (Germany) for teams that want hosted; either path keeps data out of US infrastructure.

Weaknesses & gotchas

No permanent free SaaS tier. Just a 7-day Cloud trial — after that you either pay $13/mo or self-host. Umami Hobby and GoatCounter Cloud both have free SaaS tiers. For "I just want to see if this works on my blog without a credit card," Rybbit Cloud is the wrong pick.

ClickHouse + 2GB RAM minimum. Heavier than Plausible (Elixir + ClickHouse, ~1GB workable) and substantially heavier than Umami (Postgres/MySQL on a $5 VPS) or GoatCounter (single Go binary, ~256MB RAM). The richer feature set is the trade-off — but on a small VPS, Rybbit will dominate the resource budget.

No third-party security certifications. SOC 2, ISO 27001, HIPAA all absent. Founded 2025, AGPL-licensed, no public DPA URL or click-through signing flow. Procurement teams with attestation requirements will need Matomo Cloud (ISO 27001) or Piwik PRO (ISO 27001 + SOC 2 + HIPAA BAA) instead.

DNT signal handling not documented. Vendor's privacy policy doesn't address how Do Not Track is handled — visitors who want opt-out rely on browser ad-blockers. Track record is short: 2025 launch, limited operational history under load.

Best for

Best for engineering teams that want one tool for web analytics + session replay + Web Vitals + error tracking, all under AGPL self-host. The "I'm tired of paying for Plausible AND Sentry AND Hotjar" use case is exactly what Rybbit targets.

Real value at the $26 Pro tier — that's where session replay (rrweb), unlimited sites, and 5-year retention unlock. Standard at $13/mo is the cheaper option if you don't need replay; Self-host on your own VPS is $0 if you can carry the ClickHouse/2GB-RAM operational cost.

Not for content sites/blogs (Plausible is cheaper and lighter), procurement-heavy enterprises (no SOC 2/ISO 27001), tiny VPS deployments (Umami or GoatCounter fit better), or teams without DevOps capacity to run Docker + ClickHouse.

Setup walkthrough

Self-host via Docker Compose. Vendor ships an automated installer that provisions Caddy + ClickHouse + Node.js on a blank VPS. Manual mode for existing reverse proxies is documented. Minimum specs: 2GB RAM, x86_64 or ARMv8.2-A+, Docker.

Cloud setup is one snippet. Sign up, get a tag from the dashboard, paste it into your site's . Auto-tracks pageviews, SPA route changes, outbound links, file downloads. ~3 KB tracker.

Custom events via JS API or HTML attributes — data-rybbit-event for click capture, rybbit.event('name', {props}) for programmatic. Funnels are configured in-dashboard from the captured events.

Session replay (Pro tier) requires no extra setup beyond enabling it on the site config — the bundled rrweb library captures DOM mutations server-side. First-party proxy via custom subdomain is documented for ad-blocker resilience.

Migrating from GA4

No native GA4 importer. Vendor mentions "Data Import" in docs but doesn't ship a one-click GA4 history pull. Migration is forward-looking: drop the Rybbit snippet, optionally dual-tag with GA4 for a few weeks to align metrics, then sunset GA4.

Re-define funnels and goals. GA4's hit-based event model doesn't map 1:1 to Rybbit's funnel/conversion schema. Plan to redefine 5-15 critical events using rybbit.event() and rebuild conversions from scratch.

Cookie banner removal is the immediate win. Rybbit is cookieless by default — no consent prompt required for GDPR/CCPA/PECR (subject to per-jurisdiction interpretation; Italy's Garante is the strictest). On most sites this delivers a measurable conversion-rate lift within 2-4 weeks of dropping GA4.

Optional: enable session replay (Pro tier) before the GA4 sunset — gives you visual debugging that GA4 never offered, useful during the transition for catching tracking gaps.

Help & FAQ

Where to get help with Rybbit and the questions buyers email us about.

Support

  • Hours: Async (community-driven), UTC
  • Channels: Email · Discord · GitHub issues · Twitter
  • Languages: English
  • Response SLA: ~48h

FAQ (7)

Is Rybbit really free and open source?

Rybbit is fully open-source under AGPL-3.0 and free to self-host on your own server using Docker Compose with ClickHouse. The hosted SaaS at rybbit.com is paid: a 7-day trial precedes the Standard plan at $13/month. There is no permanent free cloud tier.

How does Rybbit differ from Plausible and Umami?

Rybbit ships features Plausible and Umami lack out of the box: session replay (via rrweb), Web Vitals, autocapture of clicks and outbound links, conversion funnels, user journey mapping, retention cohorts, error tracking, and a 3D globe visualization. It uses ClickHouse rather than PostgreSQL, scaling further but requiring 2GB+ RAM on self-host.

Where is Rybbit hosted? Is data EU-only?

Rybbit Cloud runs on EU infrastructure in Germany — vendor materials state EU-hosting with no US region published. The legal entity sits in California, USA, but customer analytics data does not transit US infrastructure on the SaaS plan. Self-host lets you choose any region.

Does Rybbit require a cookie banner?

Vendor positions Rybbit as banner-free: it stores no cookies or local storage and uses anonymous session identifiers. Most EU jurisdictions accept this as a no-consent trigger; Italy's Garante is the strictest reader and disclosure is recommended there. Specific technical implementation (hash construction, rotation interval) is not disclosed in the public privacy policy.

Can I self-host Rybbit?

Yes. The GitHub repo (rybbit-io/rybbit, AGPL-3.0) ships Docker Compose configs with a Caddy-based automated installer for blank VPS or manual setup for existing reverse proxies. Minimum specs: 2GB RAM, x86_64 or ARMv8.2-A+, Docker. ClickHouse runs as the analytics database.

What features does Rybbit have that other privacy-first tools don't?

Session replay (Pro tier, via rrweb), JavaScript error tracking, Core Web Vitals capture, click autocapture, conversion funnels, user journey mapping, retention cohorts, organizations/team management, 3D globe visualization, and email reports. Plausible and Umami offer none of these natively.

How does Rybbit pricing compare at 100k pageviews per month?

At 100k pv/mo: Rybbit Standard is $13/mo, Plausible Starter is $19/mo, Fathom is $15/mo, Simple Analytics is $19/mo, Umami Pro is $20/mo, GoatCounter is $15/mo. Annual billing on Rybbit grants 4 months free (~33% discount). Self-host is $0.