Privacy & Compliance
How VibePing handles data, GDPR compliance, and our no-cookies policy.
VibePing is built to give you useful analytics without the privacy baggage. No cookies, no fingerprinting, no consent banners. Here's exactly what we collect, what we don't, and how that affects compliance.
No Cookies, No Fingerprinting
VibePing doesn't set any cookies. Not first-party, not third-party, none. We also don't do browser fingerprinting — no canvas fingerprinting, no audio context tricks, no font enumeration, nothing.
Sessions are tracked using a random UUID stored in sessionStorage. This ID exists only for the current browser tab and is automatically wiped when the tab closes. It cannot be used to track users across sites, across tabs, or across visits. It's just there so we can group events that happen during a single page session.
What Data IS Collected
When VibePing is installed on your site, these data points are sent with each event:
- Page URL — the page the user is on
- Referrer — where they came from (the HTTP referer header)
- Screen size — viewport dimensions
- Browser language — the
navigator.languagevalue - User agent — browser and OS info (used for browser/device breakdowns)
- Error stack traces — when JavaScript errors occur (file, line, column, message, stack)
- Performance metrics — page load timing (LCP, FCP, CLS, TTFB) via the Performance API
- Session duration — calculated from the sessionStorage-based session
- Custom event data — whatever you pass to
track()calls
All of this is standard technical data that doesn't identify individual people.
What Data is NOT Collected
- IP addresses — not stored. Your IP hits our ingestion endpoint (that's how the internet works), but we don't log or store it
- Names or emails — not collected unless you explicitly call
identify() - Device IDs — no hardware identifiers, no persistent device tracking
- Cross-site tracking — impossible without cookies or fingerprinting. VibePing has zero knowledge of what users do on other sites
- Location data — no IP-based geolocation, no GPS data
GDPR Compliance
The GDPR requires consent for collecting personal data. Here's why VibePing sidesteps most of these requirements:
No consent banner needed. Since VibePing doesn't use cookies and doesn't collect personally identifiable information by default, you don't need a cookie consent banner for VibePing. The ePrivacy Directive (the "cookie law") applies to cookies and similar tracking technologies — sessionStorage UUIDs that die when the tab closes don't fall into this category.
No personal data processing by default. Under GDPR, personal data means anything that can identify a natural person. Page URLs, screen sizes, and browser languages can't identify anyone on their own. As long as you're not sending PII through custom events, VibePing operates outside the scope of personal data processing.
Data is processed in the US. VibePing Cloud uses Supabase for data storage, which runs on AWS infrastructure. VibePing hosts data in EU and US regions — contact us if you need a specific residency guarantee.
Right to deletion. If a user requests their data be deleted, contact us and we'll remove their data. Since we don't store IP addresses or personal identifiers by default, there's usually nothing to tie data back to a specific person — but if you've used identify(), we can find and delete records linked to the user ID you provided.
The identify() Privacy Note
VibePing has an identify() method that lets you associate events with a specific user:
identify({
userId: 'usr_abc123',
email: 'jane@example.com',
plan: 'pro'
});If you use this, you're opting into sending personal data. This changes the privacy equation:
- You may need consent from the user before calling
identify() - The data you send through
identify()is stored alongside their events - You become responsible for only sending data you have a legal basis to collect
Our recommendation: only call identify() for logged-in users who have agreed to your terms of service. Don't call it for anonymous visitors. And never pass data through identify() that you don't have a clear reason to collect.
Data Retention
Events and analytics data are stored in your Supabase database (or Supabase Cloud for VibePing Cloud users). Currently, there is no automatic data deletion policy — data is kept indefinitely.
We plan to add configurable retention policies to VibePing Cloud in the future.
VibePing vs. Google Analytics
The practical difference for most developers:
| VibePing | Google Analytics | |
|---|---|---|
| Cookies | None | Multiple first-party and third-party cookies |
| Consent banner needed | No | Yes (in EU, UK, and many other jurisdictions) |
| PII collection | None by default | IP addresses, client IDs, user IDs |
| Cross-site tracking | Not possible | Built-in via Google's ad network |
| Data shared with third parties | No | Yes (Google uses data for ad targeting) |
| GDPR compliance effort | Minimal | Significant (consent management, DPA, data processing agreements) |
Google Analytics has been ruled non-compliant with GDPR by multiple European data protection authorities. VibePing avoids these issues entirely by not collecting the data that causes the problems in the first place.
If you've been putting off adding analytics because you didn't want to deal with cookie banners and privacy policies, VibePing is the fix. Install it, get your data, and move on to building your product.