Privacy
Last updated: 19 April 2026
vibestat is built to be the analytics tool you can run without lawyers, cookie banners or guilt. This page is plain English; it is not a substitute for legal advice.
What we collect
- The path of the page being viewed (e.g. /pricing) — query strings can be stripped via data-exclude-search.
- The hostname of the referrer (e.g. news.ycombinator.com) — never the full referrer URL.
- Device class (mobile / tablet / desktop), browser family and OS family.
- Country, derived from the request edge headers if present.
- Web Vitals (LCP, FCP, CLS, INP, TTFB) reported by the visitor's browser.
- UTM tags found in the URL.
- A non-reversible visitor hash that resets daily (see below).
What we don't collect
- No cookies. No localStorage identifiers. No fingerprinting.
- No IP address is ever stored in the database.
- No raw User-Agent string is stored.
- No personal data, account data, or cross-site graph.
How visitor hashing works
On each request we compute SHA-256(daily-salt | site-id | ip | user-agent) and keep only the first 24 hex chars. The daily salt is rotated every UTC day from a private seed (VIBESTAT_SALT_SEED). Because the salt rotates, the same person browsing on two different days produces two unrelated hashes — so cross-day re-identification is mathematically infeasible.
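A sketch of the hashing scheme described above, added here as an illustration and not vibestat's own code. The HMAC-based salt derivation, the literal "|" separator, and the seed, site IDs, IP address and User-Agent are assumptions or constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample seed; a deployment would read VIBESTAT_SALT_SEED instead.
SEED = b"constructed-example-seed"

def daily_salt(seed: bytes, when: datetime) -> str:
    """Assumption: salt = HMAC-SHA256(seed, UTC date). The page only states
    that the salt is derived from a private seed and rotates every UTC day."""
    day = when.astimezone(timezone.utc).strftime("%Y-%m-%d")
    return hmac.new(seed, day.encode(), hashlib.sha256).hexdigest()

def visitor_hash(seed: bytes, when: datetime, site_id: str,
                 ip: str, user_agent: str) -> str:
    """SHA-256(daily-salt | site-id | ip | user-agent), first 24 hex chars."""
    material = "|".join([daily_salt(seed, when), site_id, ip, user_agent])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:24]

def demo() -> dict:
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"
    utc = timezone.utc
    morning = datetime(2026, 4, 19, 0, 5, tzinfo=utc)
    evening = datetime(2026, 4, 19, 23, 55, tzinfo=utc)
    next_day = datetime(2026, 4, 20, 0, 5, tzinfo=utc)
    # 20:30 on 19 April at UTC-5 is already 01:30 on 20 April in UTC.
    local_evening = datetime(2026, 4, 19, 20, 30,
                             tzinfo=timezone(timedelta(hours=-5)))
    base = visitor_hash(SEED, morning, "site-a", ip, ua)
    return {
        "hash": base,
        # Same visitor, same UTC day: one stable identifier for that day.
        "same_day": base == visitor_hash(SEED, evening, "site-a", ip, ua),
        # Same visitor ten minutes later, but across UTC midnight: new hash.
        "next_day_differs": base != visitor_hash(SEED, next_day, "site-a", ip, ua),
        # The rotation boundary is UTC, not the visitor's local midnight.
        "utc_boundary": visitor_hash(SEED, local_evening, "site-a", ip, ua)
                        == visitor_hash(SEED, next_day, "site-a", ip, ua),
        # The site id is part of the input, so hashes do not join across sites.
        "per_site": base != visitor_hash(SEED, morning, "site-b", ip, ua),
        # A different seed yields different salts, hence different hashes.
        "seed_bound": base != visitor_hash(b"other-seed", morning, "site-a", ip, ua),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cross-day unlinkability rests on the seed staying private: whoever holds it can recompute the salt for any day.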
Do Not Track
The tracker checks navigator.doNotTrack and exits without sending any beacon if it is enabled.
Your data, your dashboard
Your owner token lives only in your browser's localStorage. We have no account database, no recovery email and no way to access your dashboard if you lose the token. Treat it like a password. You can paste the token into another browser to sync access.
Deletion
Deleting a site from the dashboard removes the site row and every associated event in the same transaction. There is no soft-delete and no admin override.