
Swetrix Review (2026)

Open-source privacy-first analytics with errors, funnels, A/B, feature flags — AGPL-3.0, EU-hosted, 50 sites included

🇬🇧 United Kingdom Since 2021 AGPL-3.0

Swetrix is the rare cookieless tool that actually competes with PostHog on feature surface. Where Plausible and Fathom give you pageviews and call it a day, Swetrix bundles full Core Web Vitals performance monitoring, JavaScript error tracking, A/B experiments, feature flags, conversion funnels, and a built-in CAPTCHA

— Mark Sutton, editor
Swetrix product UI — Goals, Feature Flags, Experiments, CAPTCHA sidebar + Pageviews 24.5k chart + Events table
Editor score 4.5/5
From $19/mo Cloud + self-host
GitHub ★ 966 56 forks · last commit recently
Hosting Self-host ✓ EU hosted
Privacy passport

Swetrix compliance at a glance

GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.

  • GDPR (EU General Data Protection Regulation): Compliant. EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. Swetrix's posture: Legitimate interest.
  • CCPA (California Consumer Privacy Act): Compliant. Rights for California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records.
  • UK PECR (UK Privacy and Electronic Communications Regulations): Compliant. Sits on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent.
  • SOC 2 Type II: Not held. Independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement.
  • ISO 27001 (ISO/IEC 27001): Not held. International information-security management standard, certified by accredited bodies on a 3-year renewal cycle.
  • HIPAA (US HIPAA, with BAA): Not held. US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.

Per-jurisdiction posture

  • 🇫🇷 France · CNIL: No banner. Cookieless + no PII pattern aligns with GDPR Recital 26. Vendor has not obtained or published a CNIL-specific assessment.
  • 🇬🇧 United Kingdom · UK ICO / PECR: No banner. PECR Reg 6 applies to cookies/local storage; Swetrix uses neither for visitor tracking.
  • 🇩🇪 Germany · TTDSG: No banner. TTDSG §25 applies to terminal-device storage; cookieless mechanism avoids the §25 trigger.
  • 🇮🇹 Italy · Garante: Banner recommended. Italian Garante is the strictest EU DPA. No Garante-specific ruling published; conservative reading recommends disclosure.

Sub-processors (6)

GDPR Art. 28 disclosure — third parties under DPA that may receive data.

  • Hetzner Online GmbH (Germany): Primary infrastructure, ClickHouse + MySQL hosting (Germany)
  • Paddle.com Market Limited (United Kingdom): Payment processing / Merchant of Record
  • Functional Software Inc. (Sentry) (United States): Error tracking / monitoring
  • OpenRouter, Inc. (United States): AI chat access (in-product AI feature)

Collected

  • URLs visited and page titles
  • HTTP referrer + UTM parameters
  • Browser, OS, device type, screen resolution
  • Country, region, city (derived from IP, then IP discarded)
  • Custom events and conversions
  • Daily-rotating anonymous session hash

Explicitly NOT collected

  • IP addresses (used in-memory only for session hash + geo lookup, then discarded)
  • Cookies or local storage entries on visitor devices
  • Cross-site tracking identifiers
  • Browser fingerprints (no canvas / WebGL fingerprinting)
Data retention

Privacy policy: data retained 'as long as your account is active or as needed.' DPA: permanent deletion 'without undue delay' on project/account deletion. No specific retention window for analytics data.

Encryption
  • In transit: TLS/HTTPS with HSTS, X-Content-Type-Options, Referrer-Policy
  • At rest: AES-256-CBC (sensitive tokens), bcrypt (passwords), 2FA recovery codes
DPA Yes · click through
AI & Modern Capabilities

How Swetrix works with AI agents

Tier 3 — no AI yet — vendor focuses on classic privacy-first analytics; no AI/MCP features advertised.

AI Chat Not yet

Conversational natural-language interface

Not advertised by vendor

MCP Server Not yet

Model Context Protocol — Claude / Cursor / Codex

Not advertised by vendor

Agent API Not yet

Programmatic AI-agent endpoints

Not advertised by vendor

AI Insights Not yet

Anomaly detection / hypothesis / summaries

Not advertised by vendor

Export for AI Not yet

Structured export formatted for LLM ingestion

Not advertised by vendor

Strengths & weaknesses

What makes Swetrix worth a look — and where it falls short.

Strengths 8

  • JavaScript error tracking + Web Vitals on entry tier
  • A/B experiments + feature flags + funnels bundled
  • 50 sites included on every paid tier — agency-friendly
  • AGPL-3.0 with Cloud-parity Community Edition
  • EU-only Hetzner Germany hosting
  • Cookieless with daily-rotating salt + monthly profile salt
  • Built-in CAPTCHA + bot filtering
  • Built-in GSC connector for SEO dashboard

Weaknesses 6

  • No free Cloud tier — only 14-day trial
  • DNT explicitly NOT honored (per privacy policy)
  • No SOC 2 / ISO 27001 / HIPAA certifications
  • US sub-processors (Sentry/AWS/OpenRouter) without explicit SCC reference
  • Solo-director operation — bus factor of 1
  • $19 entry pricier than Plausible $9/10k pv

Feature matrix

All 38 verified checks across 4 categories.

Tracking & Reporting 15

  • Pageviews & visitors Yes
  • Live visitor count Yes
  • Top pages report Yes
  • Top referrers Yes
  • UTM campaign tracking Yes
  • Country & city breakdown Yes
  • Device, browser, OS Yes
  • Bounce / engagement Yes
  • Time on site Yes
  • Custom events Yes
  • Goals / conversions Yes
  • Funnels Yes
  • Outbound link tracking Yes
  • File download tracking Yes
  • 404 / error tracking Yes

Privacy & Compliance 9

  • Cookieless by default Yes
  • No personal data collected Yes
  • GDPR-compliant out of the box Yes
  • Data hosted in EU Yes
  • Data hosted in US No
  • Self-hostable Yes
  • Open source Yes
  • Data retention period 12
  • Bot & spam filtering Yes

Setup & Integrations 10

  • Script weight (KB) 5
  • Single-snippet install Yes
  • WordPress plugin Yes
  • Proxy / first-party domain Yes
  • Public API Yes
  • Data export (CSV/JSON) ~Partial
  • Google Search Console connector Yes
  • Email digests Yes
  • Slack / webhook alerts No
  • Public shareable dashboard Yes

Pricing & Plans 4

  • Free tier exists No
  • Entry price ($/mo) $19/mo
  • Price at 100k pageviews $19/mo
  • Unlimited sites on entry plan ~Partial

Swetrix vs alternatives

How it compares to the closest 3 rivals on key buyer-decision fields.

Plausible

Privacy-first GA alternative, EU-hosted, simple dashboard

  • From: $9/mo
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless: Yes

Pirsch

Cookieless EU-hosted analytics built in Germany, with open-source AGPLv3 core

  • From: $6/mo
  • Hosting: SaaS only
  • EU-hosted: Yes
  • Cookieless: Yes

Matomo

Open-source self-hosted analytics, formerly Piwik

  • From: $29/mo
  • Hosting: Self-host ✓
  • EU-hosted: Yes
  • Cookieless

Pricing tiers

Real plans, real numbers — pulled from swetrix.com (verified May 2026).

Trial

Trial/14 days

Full access

  • ✓ Card required to start
Starter

$19/mo

100k events

  • ✓ 50 sites
  • ✓ All features
  • ✓ Funnels + A/B + feature flags
  • ✓ Error tracking
  • ✓ Web Vitals
Growth

$29/mo

200k events

  • ✓ 50 sites
  • ✓ All features
  • ✓ Team members
  • ✓ Priority queues
Professional

$49/mo

500k events

  • ✓ 50 sites
  • ✓ All features
  • ✓ Custom alerts
  • ✓ SEO dashboard
Business

$79/mo

1M events

  • ✓ 50 sites
  • ✓ All features
  • ✓ Higher API limits
Self-host

Free

Unlimited

  • ✓ AGPL-3.0
  • ✓ Docker Compose
  • ✓ ClickHouse + MySQL
  • ✓ You manage updates

Tech specs

Stack, repo health, deployment options — for engineers evaluating self-host.

Stack

  • Written in: TypeScript
  • Database: ClickHouse + MySQL
  • Backend: Nest.js (Node.js)
  • Frontend: React
  • Hosting: Hetzner Germany
  • License: AGPL-3.0
  • Min specs: ~2 GB RAM · Docker

GitHub github.com/Swetrix/swetrix

  • Stars: ★ 966
  • Forks: 56
  • Open issues: 0
  • Last commit: recently

Deploy

  • Docker Compose
  • Self-host on VPS

Used by

Companies and projects that publicly trust Swetrix.

Casterlabs
Phalcode
Caritas
AE Studio
Tonomo
Stelp

Editor review

Independently reviewed by Mark Sutton, cross-checked against vendor documentation.

What it does well

Swetrix is the rare cookieless tool that actually competes with PostHog on feature surface. Where Plausible and Fathom give you pageviews and call it a day, Swetrix bundles full Core Web Vitals performance monitoring, JavaScript error tracking, A/B experiments, feature flags, conversion funnels, and a built-in CAPTCHA — all included on every paid tier from $19.

The privacy mechanics are the real thing. Sessions are derived in memory by hashing IP + User-Agent with a daily-rotating salt; the raw IP never touches disk. Compare that to Matomo's anonymize-IP plugin, which still writes a truncated IP to MySQL. Hosting is single-region Hetzner Germany, with no US data plane.

The codebase is AGPL-3.0 and the Community Edition is the same code as the cloud — not a stripped "open-core."

50 sites included on every tier — favorable for agencies and portfolio operators vs Plausible's per-site or Pirsch's metered-site model.

Weaknesses & gotchas

Three real holes will disqualify Swetrix for some buyers. First, no SOC 2 or ISO 27001 attestation, which is a hard blocker for enterprise procurement. Matomo Cloud holds ISO 27001; Piwik PRO has ISO 27001 + SOC 2 + HIPAA BAA. Plausible, Fathom, and Pirsch self-attest GDPR/CCPA/PECR but hold no third-party certs either — Swetrix is in good company at the SMB tier.

Second, the DPA names only Hetzner and Sentry, but the privacy policy lists Sentry, AWS, and OpenRouter — three US sub-processors — without referencing Standard Contractual Clauses anywhere. Schrems II compliance is left to the buyer's interpretation.

Third, Do Not Track is explicitly not honored — verbatim from the privacy policy. For hardline privacy buyers comparing against Fathom (which does honor DNT) this is a flag.

Solo-founder dependency risk. Companies House lists Andrii Romasiun as sole director; bus-factor of 1 for a SaaS handling production analytics. Pricing also bites at the low end: $19 for 100k events vs Plausible's $9 for 10k pv.

Best for

Best for indie SaaS founders and dev shops who want analytics + error tracking + performance monitoring + feature flags as one tool, hosted in the EU, without writing a check to PostHog enterprise. The 50-site cap on every tier makes it especially strong for agencies and portfolio operators — at $79 you get 1M events across 50 client sites, which Plausible would charge $190+ for.

Real value at the $49 Professional tier — 500k events, all features unlocked (errors, performance, funnels, feature flags, A/B). Below that, Pirsch or Plausible win on price-per-pageview.

Not for enterprises requiring SOC 2 or ISO 27001 certificates; HIPAA-regulated workloads (claimed but not certified); teams who need GA4-style multi-touch attribution; or hardline privacy buyers who want DNT-honoring (use Fathom) or CNIL-certified banner-free posture (use Matomo).

Setup walkthrough

Setup is a single-snippet drop-in. Add the ~5 KB JavaScript loader to your , set data-website-id, and you're collecting. Custom events go through a small swetrix.track('event_name', {props}) call — same shape as Plausible's plausible() function.

WordPress users have a dedicated plugin in the integrations directory; it auto-injects the snippet and supports custom events via shortcodes. For sites that fight ad-blockers, Swetrix offers a managed first-party reverse proxy — same model as Plausible's proxy.

The Statistics API, Events API, and Admin API are all REST + JSON, fully documented at docs.swetrix.com. GSC data flows in via the SEO dashboard once you OAuth-connect your Search Console property.

Self-host: clone github.com/Swetrix/swetrix, docker compose up -d. Stack is Node.js + ClickHouse + MySQL. AGPL-3.0 — full Cloud feature parity.

Migrating from GA4

There is no GA4 history importer. Like Plausible and Fathom, Swetrix is a fresh-tag tool — you cut over from your GA4 cutoff date forward. Historical comparison requires keeping GA4 read-only for 14 months on its own.

Migration steps: install the Swetrix snippet alongside GA4 for 2-4 weeks to validate volumes match within ~10–15% (the gap is real-bots-filtered + ad-blocker-free), then remove GA4. The cookie consent banner can come down the day GA4 leaves, since Swetrix collects no PII under GDPR Recital 26 anonymization.

Re-tag custom events. GA4 events don't map 1:1 — Swetrix uses an event-name + properties model closer to Plausible than to GA4's hit schema. Plan to redefine 5-15 critical events using swetrix.track() and rebuild conversions from scratch. UTM parameters are auto-captured.

For agencies migrating multiple sites, Swetrix's 50-sites-per-plan model means you can cover an entire portfolio under one $79 Business plan.

Help & FAQ

Where to get help with Swetrix and the questions buyers email us about.

Support

  • Hours: Async (small team), Europe/London (UTC+0/+1)
  • Channels: Email
  • Languages: English
  • Response SLA: ~48h

FAQ (7)

Is Swetrix really cookieless or just 'privacy-friendly with first-party cookies'?

Truly cookieless. No cookies, no localStorage, no client-side identifiers. Sessions are derived from a daily-rotating salt + project ID + IP + User-Agent hashed in memory only. Raw IP never written to disk.
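
The session derivation described in this answer and in the privacy-mechanics paragraph of the editor review, as an added sketch that is not Swetrix's own code. HMAC-SHA256, the 32-byte random salt, UTC day boundaries, length-prefixed fields and every name below are assumptions; the sample request is constructed.

```javascript
// Added illustration, not Swetrix source. Assumed: HMAC-SHA256, 32-byte salt,
// UTC day boundaries, and all identifiers used here.
const { createHmac, randomBytes } = require('node:crypto');

class DailySalt {
  constructor() {
    this.day = null;   // UTC date the current salt belongs to
    this.salt = null;  // held in memory only, never persisted
  }
  // Return the salt for the day containing `now`, replacing it on rollover.
  // The old salt is overwritten, so earlier hashes cannot be recomputed.
  forDate(now) {
    const day = now.toISOString().slice(0, 10);
    if (day !== this.day) {
      this.day = day;
      this.salt = randomBytes(32);
    }
    return this.salt;
  }
}

// Derive the session identifier from project ID + IP + User-Agent.
// Fields are length-prefixed so ("ab","c") and ("a","bc") hash differently.
function sessionHash(salts, projectId, ip, userAgent, now = new Date()) {
  const mac = createHmac('sha256', salts.forDate(now));
  for (const field of [projectId, ip, userAgent]) {
    const bytes = Buffer.from(String(field), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    mac.update(len).update(bytes);
  }
  return mac.digest('hex'); // only this digest is stored, never the IP
}

// Constructed sample: documentation-range IP and made-up project IDs.
function demo() {
  const salts = new DailySalt();
  const ua = 'Mozilla/5.0 (X11; Linux x86_64)';
  const ip = '203.0.113.7';
  const morning = new Date('2026-05-01T08:00:00Z');
  const evening = new Date('2026-05-01T22:30:00Z');
  const nextDay = new Date('2026-05-02T00:05:00Z');
  const first = sessionHash(salts, 'proj_demo', ip, ua, morning);
  return {
    sameDay: first === sessionHash(salts, 'proj_demo', ip, ua, evening),
    otherProject: first === sessionHash(salts, 'proj_other', ip, ua, evening),
    nextDay: first === sessionHash(salts, 'proj_demo', ip, ua, nextDay),
  };
}
```

While a salt is live, anyone who holds it can recompute the hash for a candidate IP and User-Agent, so the privacy property rests on the salt staying in memory and being discarded at rotation.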

Where is my data stored?

Hetzner Online GmbH datacenters in Germany (EU). Single-region, no US data plane for analytics events. US sub-processors are limited to email (AWS SES), error tracking (Sentry), and the optional in-product AI chat (OpenRouter).

Can I run a banner-free site in France or Germany with Swetrix?

Vendor claims yes under GDPR Recital 26 anonymization. Swetrix has not obtained jurisdiction-specific approvals from CNIL or DPA-Bayern the way Matomo or Plausible did — you're relying on the vendor's own legal interpretation. Italy's Garante is strictest; disclosure is recommended there.

Is there a free tier?

Cloud has only a 14-day trial requiring a payment method. The self-hosted Community Edition is free under AGPL-3.0 — full feature parity with Cloud, you just run it on your own ClickHouse + MySQL infrastructure.

Does Swetrix honor Do Not Track?

No. The privacy policy explicitly states: 'our Websites do not respond to Do Not Track beacons.' For DNT-honoring privacy-first analytics, consider Fathom.

How does pricing scale at high traffic?

Starter $19/100k, Growth $29/200k, Professional $49/500k, Business $79/1M, Advanced $119/2M, Pro $179/5M, Enterprise tiers up to $419/20M. Cheaper than Plausible at 5M+ events; more expensive at the entry $19/100k vs Plausible $19/100k tier.

What features does Swetrix have that Plausible and Fathom don't?

Core Web Vitals performance monitoring, JavaScript error tracking, conversion funnels, A/B experiments, feature flags, and a built-in CAPTCHA — all included on every paid tier from $19. Plausible and Fathom are pageview-only by design.