Privacy & Compliance
Boxy is built from the ground up to respect visitor privacy. Here's how it works.
No Cookies
Boxy does not use cookies, localStorage, or any client-side storage. This means:
- No cookie consent banners needed
- No GDPR cookie consent requirements
- No tracking across websites
Cookieless Visitor Identification
Boxy identifies unique visitors using a privacy-preserving hash generated from:
- User-Agent string
- Accept-Language header
- Screen resolution
- Timezone
- A daily rotating salt
This hash is generated server-side and never stored in the visitor's browser. Because the salt rotates every 24 hours, the same visitor gets a new identifier each day — making it impossible to track individuals over time.
No Personal Data
Boxy does not collect or store:
- IP addresses (used for country detection only, then discarded)
- Names or email addresses (unless explicitly sent via
boxy.identify()) - Fingerprints that persist across days
- Any data that could identify an individual visitor
GDPR Compliance
Boxy is compliant with GDPR without requiring consent because:
- No personal data is processed — the visitor hash is anonymous and ephemeral
- No cookies are set — no consent required under the ePrivacy Directive
- No cross-site tracking — data is scoped to a single site
- Data ownership — you own your analytics data, not us
Under GDPR, analytics tools that don't process personal data and don't use cookies do not require consent. Boxy falls into this category.
CCPA Compliance
Boxy is compliant with CCPA because:
- No personal information is sold or shared with third parties
- No persistent identifiers are used
- Visitors cannot be re-identified from the data collected
Data Ownership & Retention
- Your data, your rules — all analytics data belongs to you
- Data retention — active data is kept for 90 days in the analytics engine, then archived
- Data deletion — delete a site and all its data is permanently removed
- No third-party access — your data is never shared with advertisers or data brokers
Hosting & Infrastructure
All data is processed on Cloudflare's edge network:
- Edge processing — analytics events are processed at the nearest Cloudflare data center
- No single point of failure — distributed across 300+ global locations
- EU data residency — data can be configured to stay within EU boundaries
Comparison with Other Tools
| Feature | Boxy | Google Analytics | Plausible |
|---|---|---|---|
| Cookies | None | Multiple | None |
| Consent required | No | Yes | No |
| Script size | <1KB | ~45KB | ~1KB |
| Data ownership | You | You | |
| Open source | Yes | No | Yes |