Umami Review (2026)

Open-source self-hosted privacy analytics

🇺🇸 USA Since 2020 MIT

Lightest stack in the privacy-analytics category. Single Postgres container, Node.js, MIT license — no ClickHouse, no Kafka, no premium-plugin upsell. Runs comfortably on a $5/mo VPS or as a side-deploy on Vercel/Railway.

— Mark Sutton, editor
Editor score 4.0/5
From Free Cloud + self-host
GitHub ★ 36,409 7012 forks · last commit today
Hosting Self-host ✓ EU hosted · US hosted
Privacy passport

Umami compliance at a glance

GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.

  • GDPR: Compliant. EU General Data Protection Regulation: the EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. Umami's posture: Legitimate interest.
  • CCPA: Compliant. California Consumer Privacy Act: rights for California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records.
  • UK PECR: Not held. UK Privacy and Electronic Communications Regulations: sit on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent.
  • SOC 2 Type II: Not held. Independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement.
  • ISO/IEC 27001: Not held. International information-security management standard, certified by accredited bodies on a 3-year renewal cycle.
  • HIPAA: Not held. US HIPAA (with BAA): US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.

Per-jurisdiction posture

  • 🇫🇷 France (CNIL): No banner. Cookieless analytics with no PII fall under CNIL exemption.
  • 🇬🇧 United Kingdom (UK ICO / PECR): Banner recommended. PECR Reg 6 likely doesn't trigger (no cookies), but no formal ICO ruling for Umami specifically.
  • 🇩🇪 Germany (TTDSG): Banner recommended. TTDSG §25 stricter reading; disclosure recommended.
  • 🇮🇹 Italy (Garante): Banner recommended. Italian Garante is the strictest EU DPA; most analytics use cases trigger consent.

Sub-processors (6)

GDPR Art. 28 disclosure — third parties under DPA that may receive data.

  • Umami Software, Inc · Legal entity (data processor for Cloud customers) · United States
  • Vercel Inc · Cloud hosting (Next.js app, edge functions) · United States
  • ClickHouse Cloud · Analytics database (US/EU regions) · United States
  • Hetzner Online GmbH · EU compute for EU-tier customers · Germany
  • Stripe · Payment processing · United States
  • Cloudflare · DNS, CDN, DDoS protection · United States

Collected

  • URL of page visited
  • HTTP referrer
  • User-Agent (parsed to browser/OS)
  • Country (derived from IP, then IP discarded)
  • Screen resolution
  • Custom events (if configured)

Explicitly NOT collected

  • IP address (used to derive country, then discarded)
  • Device fingerprint (no fingerprinting)
  • Cross-site tracking identifiers
  • Custom user IDs (unless explicitly sent)
Data retention

Cloud retention varies by plan but is not published on umami.is/pricing — verify in your account or via vendor support. Self-hosted (per umami.is docs FAQ): data retained indefinitely unless you manually delete it.

Encryption
  • In transit: TLS
  • At rest: Encrypted at rest (cloud-managed)
DPA Yes · manual
AI & Modern Capabilities

How Umami works with AI agents

Tier 3 — no AI yet — vendor focuses on classic privacy-first analytics; no AI/MCP features advertised.

AI Chat Not yet

Conversational natural-language interface

Not advertised by vendor

MCP Server Not yet

Model Context Protocol — Claude / Cursor / Codex

Not advertised by vendor

Agent API Not yet

Programmatic AI-agent endpoints

Not advertised by vendor

AI Insights Not yet

Anomaly detection / hypothesis / summaries

Not advertised by vendor

Export for AI Not yet

Structured export formatted for LLM ingestion

Not advertised by vendor

Strengths & weaknesses

What makes Umami worth a look — and where it falls short.

Strengths 8

  • MIT licensed (most permissive in category)
  • Lightest stack — Postgres only, no ClickHouse
  • ~2 KB gzipped tracker
  • Permanent free Hobby tier (100k events)
  • Cookieless with salted-hash visitor ID
  • Docker Compose deploy in 15 min
  • v3.1 ships session replay (rrweb)
  • Real enterprise users (AMD, Accenture, GM, ESPN, Siemens, Intel, Hulu, VSP)

Weaknesses 6

  • Default salt rotation = monthly (Plausible: daily)
  • No GA4 importer — manual cutover
  • No official WordPress plugin
  • Cloud on US infra (Vercel + AWS)
  • No native GSC integration / multi-touch attribution
  • DNT signal explicitly not honored

Feature matrix

All 38 verified checks across 4 categories.

Tracking & Reporting 15

  • Pageviews & visitors Yes
  • Live visitor count No
  • Top pages report Yes
  • Top referrers Yes
  • UTM campaign tracking Yes
  • Country & city breakdown Yes
  • Device, browser, OS Yes
  • Bounce / engagement Yes
  • Time on site Yes
  • Custom events Yes
  • Goals / conversions Yes
  • Funnels Yes
  • Outbound link tracking Yes
  • File download tracking Yes
  • 404 / error tracking No

Privacy & Compliance 9

  • Cookieless by default Yes
  • No personal data collected Yes
  • GDPR-compliant out of the box ~Partial
  • Data hosted in EU ~Partial
  • Data hosted in US Yes
  • Self-hostable Yes
  • Open source Yes
  • Data retention period Configurable
  • Bot & spam filtering Yes

Setup & Integrations 10

  • Script weight (KB) 2
  • Single-snippet install Yes
  • WordPress plugin No
  • Proxy / first-party domain Yes
  • Public API Yes
  • Data export (CSV/JSON) Yes
  • Google Search Console connector No
  • Email digests Yes
  • Slack / webhook alerts No
  • Public shareable dashboard Yes

Pricing & Plans 4

  • Free tier exists Yes
  • Entry price ($/mo) $20/mo
  • Price at 100k pageviews $20/mo
  • Unlimited sites on entry plan ~Partial

Pricing tiers

Real plans, real numbers — pulled from umami.is (verified May 2026).

Self-hosted

Free

Unlimited

  • ✓ Full OSS core (MIT)
  • ✓ You manage Postgres + updates
  • ✓ Indefinite retention
Hobby

Free

100k events

  • ✓ 3 websites
  • ✓ 6-month retention
  • ✓ Community support
  • ✓ Permanent free
Pro

$20/mo

1M events

  • ✓ 20 sites · 10 team members
  • ✓ 2-year retention
  • ✓ Email reports
  • ✓ 14-day free trial
Business

$200/mo

10M events

  • ✓ Unlimited sites + team
  • ✓ 5-year retention
  • ✓ 5,000 session replays
  • ✓ White-labeling
  • ✓ Streaming API
Enterprise

Custom

Custom

  • ✓ SAML SSO
  • ✓ Audit log
  • ✓ SLA + onboarding
  • ✓ Contact sales

Tech specs

Stack, repo health, deployment options — for engineers evaluating self-host.

Stack

  • Written in: TypeScript / Next.js 16
  • Database: PostgreSQL ≥12.14
  • Frontend: React 19 + Chart.js
  • Cache (optional): Redis · ClickHouse for high traffic
  • License: MIT
  • Min specs: Node 18.18+ · Postgres 12.14+ · ~512 MB RAM (low traffic)

GitHub github.com/umami-software/umami

  • Stars: ★ 36,409
  • Forks: 7,012
  • Open issues: 132
  • Last commit: today

Deploy

  • Docker
  • docker-compose
  • Vercel template
  • Railway template

Used by

Companies and projects that publicly trust Umami.

AMD
Accenture
General Motors
ESPN
Siemens
Intel
Hulu
VSP Vision

Editor review

Independently reviewed by Mark Sutton, cross-checked against vendor documentation.

What it does well

Lightest stack in the privacy-analytics category. Single Postgres container, Node.js, MIT license — no ClickHouse, no Kafka, no premium-plugin upsell. Runs comfortably on a $5/mo VPS or as a side-deploy on Vercel/Railway.

Permanent free tier on Cloud. Hobby = 100k events/mo, 3 sites, no credit card. The most-generous free plan among Cloud-hosted privacy tools.

Genuinely cookieless. No cookies, no localStorage. Visitor identity is a server-side salted hash that rotates (default monthly, configurable). No PII stored.

Surprisingly mainstream customers. AMD, Accenture, GM, ESPN, Siemens, Intel, Hulu — Umami quietly ended up in big-enterprise stacks despite the indie-OSS reputation.

v3.1 added session replay via rrweb. Plausible/Goatcounter still ship without it.

Weaknesses & gotchas

Default monthly salt rotation is looser than peers. Plausible rotates daily; Umami defaults to monthly. That's a longer cross-visit linkability window — change SALT_ROTATION env to day if you care. (The variable exists in source but isn't on the public env-vars docs page yet.)
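
To see what the rotation period changes in practice, here is an added example (not Umami's source code and not from the vendor docs) that models a rotating salted-hash visitor ID and counts how many distinct IDs one returning visitor produces under monthly versus daily rotation. The secret, the hashed fields and their order, the function names and the sample visits are all assumptions constructed for illustration.

```javascript
// Added example: simplified model of a rotating salted-hash visitor ID.
// Not Umami's code; APP_SECRET, the hashed fields and all names are assumptions.
const { createHash } = require("node:crypto");

const APP_SECRET = "constructed-secret-for-demo"; // constructed value

// Hash the parts with a separator so field boundaries stay unambiguous.
const sha256 = (...parts) =>
  createHash("sha256").update(parts.join("\x1f")).digest("hex");

// Truncate a timestamp to the start of its rotation period (UTC).
function periodStart(time, rotation) {
  const d = new Date(time);
  const day = rotation === "month" ? 1 : d.getUTCDate();
  return new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), day)).toISOString();
}

// The salt changes when the period changes, so IDs from different periods
// cannot be joined without the raw IP and User-Agent (which are not stored).
function visitorId(visit, rotation) {
  const salt = sha256(APP_SECRET, periodStart(visit.time, rotation));
  return sha256(visit.websiteId, visit.ip, visit.userAgent, salt);
}

// How many distinct IDs does one returning visitor produce?
// Fewer IDs means more visits are linkable to each other.
function distinctIds(visits, rotation) {
  return new Set(visits.map((v) => visitorId(v, rotation))).size;
}

// Constructed sample: one browser, one IP (documentation range), four visits.
const base = { websiteId: "site-1", ip: "203.0.113.7", userAgent: "Mozilla/5.0 (X11; Linux x86_64)" };
const visits = [
  { ...base, time: "2026-05-02T09:00:00Z" },
  { ...base, time: "2026-05-02T17:30:00Z" },
  { ...base, time: "2026-05-28T11:15:00Z" },
  { ...base, time: "2026-06-01T08:00:00Z" },
];

console.log("monthly rotation:", distinctIds(visits, "month"), "distinct IDs");
console.log("daily rotation:  ", distinctIds(visits, "day"), "distinct IDs");
```

With these constructed visits, monthly rotation joins all three May visits under one ID, while daily rotation only joins the two visits made on the same day.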

No GA4 importer. No official tool to backfill historical Google Analytics data. The cutover is a script-swap; you accept losing the past.

No official WordPress plugin. Only the third-party "Integrate Umami" by Ancocodet (~2k installs). Not endorsed by Umami Software.

Cloud is on US-primary infrastructure. Subprocessors: Vercel (US), Cloudflare (US, CDN), ClickHouse (US/EU, analytics DB), Hetzner (EU, secondary). Strict EU-residency teams should self-host.

No funnels in the GA-replacement sense, no heatmaps, no GSC integration. Custom Boards (v3.1) help, but if your job is product analytics, this isn't the tool.

DNT not honored, GPC not honored. Umami's tracker has no built-in Do-Not-Track or Global Privacy Control respect; not mentioned in vendor docs or env vars.

Best for

Best for indie devs, JAMstack/Vercel users, OSS maintainers, side-project builders, and MIT-license maximalists who refuse AGPL (rules out Plausible CE) and want the freest licensing in the category. Self-hosters on tight VPS budgets find it the most affordable path.

Real value comes at the Pro tier ($20/mo) — 1M events/mo, 20 sites, 2-year retention, email reports, 14-day free trial. Hobby tier is great to start but caps fast.

Not for product teams needing funnels/cohorts/retention (use PostHog or OpenPanel), marketing teams needing GSC integration or multi-touch attribution (Plausible/Matomo), or anyone whose primary need is session-replay-first analytics (Matomo wins there).

Setup walkthrough

Cloud (managed):
1. Sign up at cloud.umami.is → Hobby plan permanent free, 100k events/mo, 3 sites.
2. Add a website → get a single JS snippet (~2 KB gzipped).
3. Paste it in the <head> of every page.
4. ~5 minutes to first dashboard.

Self-host (Docker Compose):
1. Clone github.com/umami-software/umami.
2. Set DATABASE_URL to a Postgres instance (≥12.14). MySQL is no longer documented in the current install path.
3. docker compose up -d ships Umami + Postgres bundled.
4. Set up DNS + TLS via Caddy or nginx reverse proxy.
5. ~15-30 minutes on a fresh VPS. Upgrades: docker pull + restart (~2 min).
6. Set DISABLE_TELEMETRY=1 if you don't want the OSS instance phoning home.

Vercel deploy: community template + Postgres via Neon/Supabase = near-1-click.

Migrating from GA4

No GA4 importer. Umami doesn't ship one. Migration is a swap-the-snippet exercise.

What you keep: future tracking from cutover day onwards. What you lose: historical GA4 data, Explorations, and any custom dimensions that don't map to Umami's flat model (URL, referrer, browser, country/city, custom event).

Recommended approach:
1. Deploy Umami in parallel for ~30 days.
2. Recreate goal/event names manually in Umami (~10 minutes).
3. Export GA4 data to BigQuery before sunset if you need it preserved.
4. After parallel period, drop the GA4 snippet.

If you live in GA4 Explorations or built attribution flows on UA, expect the floor to drop — Umami's model is intentionally flat.

Help & FAQ

Where to get help with Umami and the questions buyers email us about.

Support

Hours: Async (community-driven), UTC
Channels: Email · GitHub issues · Discord
Languages: English
Response SLA: ~48h

FAQ (6)

Is Umami really free?

Self-hosted Umami is free under the MIT license — pull the OSS code, run on your own VPS, no fees. Umami Cloud has a free Hobby plan (3 sites, 100k events/mo, 6-month retention) and paid Pro ($20/mo for 1M events) and Business ($200/mo for 10M events) tiers.

What does Umami collect that Plausible doesn't?

Umami captures screen resolution by default — small but useful for design teams. Otherwise the tracking model is similar: cookieless, daily-rotating salt hash, no IP storage. Both omit fingerprinting, cross-site IDs, and PII.

How do I self-host Umami?

Umami runs as a Next.js app with a PostgreSQL database. Recommended setup: Docker Compose on a 1-2GB VPS. The official docs at umami.is/docs/install cover Vercel one-click, Docker, and bare-metal installs. You'll need ~5-10 minutes for the basic install.

Is Umami GDPR compliant?

Yes — for the same reasons Plausible is. Umami doesn't store IP addresses (uses an in-memory hash, discarded daily), doesn't set cookies, and doesn't track visitors across sites. GDPR's legitimate-interest basis applies. Cookie banner is not required under most EU readings (CNIL, UK ICO); Germany TTDSG and Italy Garante are stricter — disclosure is recommended.

Can I import data from Google Analytics into Umami?

No native importer. The recommended pattern is parallel installation — run Umami alongside GA4 for 30+ days to build comparable data, then deprecate GA4. Custom dimensions and BigQuery don't migrate cleanly anywhere.

What's the difference between Umami and Plausible?

Umami is MIT-licensed (more permissive than Plausible's AGPL), has a permanent free Cloud Hobby tier, captures screen resolution out of the box, and is built on Next.js (vs Plausible's Elixir). Plausible has a longer track record, native funnels on the Business plan, and explicit Looker Studio integration. Both are excellent privacy-first choices.