GDPR-Compliant Analytics Without the Cookie Banner: Our Self-Hosted Setup
Most businesses have the same analytics story: Google Analytics (or GA4) is installed because it’s free and ubiquitous. A cookie consent banner gets added because legal requires it. A fraction of users click “accept.” The data becomes increasingly incomplete as more people decline or use ad blockers. And somewhere in the background, visitor data is being processed on US servers under terms that have faced repeated legal challenges in Europe.
There’s a cleaner approach — one that doesn’t require cookie banners, keeps data on EU infrastructure, and still gives you the numbers that matter.
Why self-hosted analytics is a different category
Cloud analytics tools share your visitor data with their own infrastructure. For GDPR compliance, this means you’re relying on standard contractual clauses, adequacy decisions, and the terms of a third party to justify that data transfer. That’s a defensible position in many cases, but it’s not the strongest one.
Self-hosted analytics doesn’t transfer data to anyone. Visitor events go from your site to your server. That’s it. You have full control over retention, access, and deletion. Cookie banners exist because analytics sets persistent identifiers — self-hosted privacy-first tools like Plausible don’t use cookies or persistent IDs at all, which removes the GDPR consent requirement for tracking entirely.
Two tools for two different needs
We run two analytics tools side by side, because they answer different questions.
Plausible is designed for traffic and content analytics. How many people visited, which pages, from which sources, on which devices. It’s privacy-first by design: no cookies, no cross-site tracking, no personal data collected. The tracking script is under 1 KB. It doesn’t require a cookie banner under GDPR.
Rybbit focuses on conversion and product analytics — user journeys, funnels, retention. If you’re running an e-commerce store or a SaaS and need to understand where users drop off in a flow, Plausible’s session model is too lightweight. Rybbit handles this.
Both run on a single Hetzner VPS. Combined server cost: the same €16/month we’re already paying.
What to know about Plausible CE
Plausible CE is the self-hosted community edition. Compared to Plausible Cloud, there are a few things to be aware of:
The 404 tracking extension does not exist in CE. The Plausible UI lets you select it in your tracking script configuration, but the script URL it generates returns HTTP 404. Don’t use script.404.js or any combination that includes 404 — it will break your tracking entirely. Valid combinations include script.outbound-links.js, script.tagged-events.js, and combinations thereof.
CSP configuration: if your site has a Content Security Policy, Plausible needs entries in both script-src (where the script file is hosted) and connect-src (where it sends data). Both point to your Plausible domain. If either entry is missing, tracking fails silently.
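A way to check a policy for the two entries described above, as an added example that is not part of the original post or of Plausible's code. The host plausible.example.com and all function names are placeholders; the check also goes slightly beyond the text by handling the default-src fallback and wildcard or scheme-only sources.

```python
from urllib.parse import urlsplit

# Constructed sample: script-src lists the analytics host, connect-src does not.
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' https://plausible.example.com; "
              "connect-src 'self'")

def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, origin):
    """Match one source expression against an origin. Paths are ignored and
    ports are not handled, so treat a pass as 'probably allowed'."""
    target = urlsplit(origin)
    if source == "*":
        return True
    if source.startswith("'"):            # 'self', 'none', nonces, hashes
        return False                      # assumes analytics is on another origin
    if source.endswith(":"):              # scheme source such as https:
        return source[:-1].lower() == target.scheme
    scheme, sep, host = source.rpartition("://")
    if sep and scheme.lower() != target.scheme:
        return False
    host = host.split("/")[0].lower()
    if host.startswith("*."):             # wildcard covers subdomains only
        return target.hostname.endswith(host[1:])
    return host == target.hostname

def missing_directives(header, origin):
    """List which of script-src / connect-src would block the analytics origin."""
    policy = parse_csp(header)
    missing = []
    for directive in ("script-src", "connect-src"):
        # Both directives fall back to default-src when absent; if neither
        # exists, that fetch type is unrestricted.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is not None and not any(source_allows(s, origin) for s in sources):
            missing.append(directive)
    return missing

if __name__ == "__main__":
    print(missing_directives(SAMPLE_CSP, "https://plausible.example.com"))
```

Feed it the Content-Security-Policy header your site actually returns; an empty list means neither directive should block the analytics host.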
What to know about Rybbit on Coolify
Rybbit has a split architecture: a Next.js frontend and a separate backend API server. The Coolify one-click deployment starts both containers, but the backend isn’t publicly accessible by default. The frontend tries to reach /api routes that don’t resolve, which causes the signup form to appear blank (the form is there but hidden with opacity: 0).
The fix is to expose the backend container via Traefik, routing Host(`yourdomain`) && PathPrefix(`/api`) to port 3001 without stripping the prefix. Once that’s done and the SERVICE_URL environment variable is corrected to HTTPS, everything works as expected.
After creating your first account, set DISABLE_SIGNUP=true in the environment.
What this actually looks like in practice
Running both tools adds about 30–40 minutes of setup time beyond a basic VPS deployment. After that, the ongoing overhead is close to zero. Both tools run quietly, send data to their own databases on the same server, and don’t require maintenance unless you’re doing a version upgrade.
The compliance position is clean: visitor data never leaves your infrastructure, nothing is shared with third parties, and Plausible’s cookie-free design means no consent management is needed for that tool.
For businesses operating under GDPR in the EU, this is a meaningfully stronger position than relying on cloud analytics tools — without meaningfully more cost.
If you want this stack set up and maintained without dealing with the deployment details, we handle it as part of our infrastructure service.