🍯 Corvura
Back to Blog
analytics privacy technical

Setting Up Analytics Without Cookies: A Technical Guide

· Corvura Team

Cookie consent banners are everywhere — and they're hurting your data. When 30-50% of visitors reject cookies, your analytics only show a fraction of your real traffic. There's a better way.

Corvura tracks website analytics without cookies, without storing IP addresses, and without needing a consent banner. Here's exactly how it works under the hood.

Why cookies exist (and why you don't need them)

Traditional analytics tools use cookies to identify returning visitors. When someone visits your site, a cookie like _ga=GA1.2.123456789.1234567890 gets set in their browser. On their next visit, the analytics tool reads the cookie and says "this is the same person."

The problem: GDPR classifies analytics cookies as non-essential. You need explicit consent before setting them. If the user doesn't consent, you get no data.

How Corvura tracks without cookies

Corvura uses two browser APIs instead of cookies:

1. sessionStorage for sessions

When the widget loads, it generates a random UUID and stores it in sessionStorage:

let sessionId = sessionStorage.getItem("fh_session_id");
if (!sessionId) {
  sessionId = crypto.randomUUID();
  sessionStorage.setItem("fh_session_id", sessionId);
}

sessionStorage is different from cookies in a critical way: it's automatically cleared when the browser tab closes. It's not sent to the server with every request. And under GDPR, it's not considered a tracking mechanism because it doesn't persist across sessions.

This gives us accurate session data (pages per visit, session duration) without any cross-session tracking.

2. localStorage for anonymous client IDs

For basic visit counting, Corvura generates a human-readable client ID and stores it in localStorage:

// Generates IDs like "happy-bear-742"
const clientId = `${randomAdjective}-${randomNoun}-${randomNumber}`;
localStorage.setItem("feedback_honey_client_id", clientId);

This ID is used to loosely deduplicate visits. It's not linked to any personal information — it's just a random string like "clever-penguin-891". If the user clears their browser data, they get a new ID. We never try to fingerprint or re-identify users.

3. No IP address storage

When a visit event hits our server, we need the IP address for one thing: geolocation (country/city). Here's how we handle it:

  1. The raw IP arrives with the request
  2. We use it to look up the approximate country and city
  3. We hash the IP with a daily rotating salt for uniqueness counting
  4. We store the country/city and the hash
  5. The original IP address is never stored

The daily salt rotation means the hash changes every day, so even the hash can't be used to track someone across days.

What we track

With this approach, Corvura captures:

Metric How Cookie needed?
Page views Event on script load No
Session duration Visibility API + sendBeacon No
Referrer document.referrer No
Browser/OS navigator.userAgent No
Country/City IP geolocation (IP not stored) No
Device type User agent parsing No
Bounce rate Sessions with only one page view No

What we don't track

  • Individual user journeys — We can't follow a specific user across sessions
  • Cross-device tracking — No way to link a phone visit to a desktop visit
  • Exact return visitor counts — The localStorage ID is a rough approximation
  • Ad attribution — No UTM parameter tracking (yet)

For most indie hackers, these limitations don't matter. You want to know how many people visited, where they came from, and what pages are popular. Cookieless analytics gives you all of that.

GDPR compliance

Under GDPR, you need consent for:
- Cookies used for analytics or advertising
- Processing personal data (like IP addresses)

Corvura sidesteps both requirements:
- No cookies → No cookie consent needed
- No IP storage → No personal data processing
- No cross-site tracking → Not subject to ePrivacy Directive

This means you can add Corvura to your site without a cookie banner. Your analytics start working immediately for 100% of visitors, not just the ones who click "Accept."

Try it yourself

Add Corvura to your site and check the analytics dashboard. You'll see real data from real visitors — all of them, not just the ones who accepted a cookie banner.

Sign up free — includes 1,000 analytics events/month.

For setup instructions, see our guides for React and Next.js.

Ready to collect user feedback?

Start collecting feedback in minutes. No credit card required.

Get Started Free