Date

Security Practices

Swetrix is an open-source, privacy-first web analytics platform. We are deeply committed to safeguarding the data you entrust us with. Our infrastructure is built to give you full ownership of your data, enable seamless compliance with privacy regulations like the GDPR and CCPA, and eliminate the need for intrusive tracking practices. Transparency and data security are the foundation of everything we build.

TL;DR

Here’s a brief summary of our data security practices:

  • All data is encrypted in transit via HTTPS and strict security headers
  • All visitor data is irreversibly hashed
  • All visitor data is hosted in the EU on EU-owned servers (Germany)
  • User passwords and recovery codes are hashed using bcrypt
  • Sensitive integration keys (e.g., Google Search Console, Paddle, Stripe) are encrypted at rest using AES-256 and Rabbit algorithms
  • You can enable two-factor authentication (2FA)
  • You can configure Single Sign-On (SSO)
  • Our website status is actively monitored and publicly accessible
  • Our codebase is open source, transparent, and can be publicly audited
  • We don’t collect or store personal data about website visitors that can be used to identify individuals
  • We don’t use cookies, browser cache, or local storage for tracking visitors
  • We don’t store debit or credit card details
  • We do not sell your data and only share it with trusted service providers where strictly necessary

Here’s a more detailed overview of the technical and organizational security measures we use to secure Swetrix and protect your data.

Data minimization

We believe that web analytics can, and should, be performed without compromising visitor privacy. We operate on a data-minimization principle: Swetrix only measures the minimum data points necessary to provide you with actionable insights. We never collect, track, or store personal data that could be used to identify an individual.

By relying on privacy-friendly techniques instead of cookies, persistent identifiers, or cross-site tracking mechanisms, we ensure your website visitors’ privacy is respected at all times while still delivering accurate analytics.

Personal data & IP handling

We do not use cookies, local storage, or browser cache, nor do we attempt to extract device identifiers or other signals from your visitors devices. The data we process cannot be used to identify any single individual.

To calculate unique visitors for the day, we temporarily utilize the incoming IP address and User-Agent in memory. We do not store these raw values. Instead, they are passed through a secure hashing function alongside a daily rotating salt and the specific website ID:

hash(salt + website_id + ip_address + user_agent)

The output is an irreversible, random string that acts as an anonymous session identifier. Once generated, we map this to a random 64-bit number to link pageviews within the same session. The raw IP address, User-Agent, and the generated hash are immediately discarded and never touch our databases, disk, or system logs. The salt is automatically rotated and securely destroyed, ensuring it is cryptographically impossible to trace data back to an individual.

For full details, please look at our Data Policy.

Data encryption in transit and at rest

To protect against access, modification, or theft of data, all data is encrypted in transit and secured at rest.

  • In transit: We enforce strict HTTPS across all our services. We use industry-standard security headers including Strict-Transport-Security (HSTS), X-XSS-Protection, X-Content-Type-Options: nosniff, and restrictive Referrer-Policy to mitigate common web vulnerabilities.
  • At rest: Passwords and 2FA recovery codes are hashed and salted using bcrypt. Highly sensitive integration tokens (such as Google Search Console OAuth tokens and custom revenue API keys for Paddle and Stripe) are strongly encrypted at rest in our databases using AES-256-CBC and Rabbit encryption algorithms.

Server location

All analytics data collected is stored and processed on secure servers located in the European Union (Germany), hosted by Hetzner Online GmbH. This ensures that all website data is covered by the European Union’s strict data protection laws.

Data ownership and portability

You retain full ownership and control of your website data. We obtain no rights from you to your website data. We do not sell your data and only share it with trusted service providers where necessary to operate and provide the service. You can export your analytics data at any time using our APIs.

Data deletion

You are fully in control of any website data we collect on your behalf. You can permanently delete your website data or your entire Swetrix account at any time from your dashboard. Upon deletion, all associated data is permanently and irreversibly removed.

Data sharing controls

You retain full control over how your data is shared. Swetrix allows you to invite team members, assign granular permissions, create shared links, configure email reports, or choose to make specific dashboards publicly accessible.

User identification and authorization

Passwords are hashed and salted with bcrypt. You can enable two-factor authentication (2FA) as an extra security layer for your account. We also natively support Single Sign-On (SSO).

Internal access controls

The Swetrix team does not access customer data on a routine basis. Access is strictly limited to situations where it is necessary, such as explicit customer support requests or critical system maintenance. Access to infrastructure is role-restricted to specific individuals.

Subprocessors

We use a limited number of subprocessors where strictly necessary to provide the service. These are carefully selected and bound by data protection agreements:

  • Hetzner Online GmbH (Germany): Infrastructure and server hosting.
  • Functional Software Inc. / Sentry (United States): Error tracking and monitoring.
  • Paddle: Payments and subscription management.

For more details on subprocessors, see our Privacy Policy and Data Processing Agreement.

Payment information

Payments are securely handled by Paddle. We do not process or store any payment or credit card details on our servers.

Physical security

Swetrix is hosted within data centers provided by Hetzner, which maintains strong physical and environmental security controls, including strict access restrictions, surveillance, and redundancy systems.

Availability and infrastructure monitoring

We monitor our application performance and infrastructure to maintain reliability and availability. You can view our current system status, historical uptime, and incident reports publicly at any time on our status page.

You can audit our entire code base

Our core platform, tracking scripts, and dashboards are 100% open source and publicly available on our GitHub. This allows independent verification of our security, encryption, and privacy practices by anyone.

Software quality assurance

To maintain high security and quality standards, we deploy updates frequently through automated CI/CD pipelines. All code changes undergo automated testing and rigorous review. We utilize modern AI-assisted tools during our development process to catch potential vulnerabilities, improve code quality, and maintain a robust architecture before any code is released.

Reporting security problems

We take security seriously. If you discover a vulnerability or have any security concerns, please report it to us directly so we can address it responsibly.

Contact

If you have any questions about our security practices, please contact us at security@swetrix.com.

Last updated: March 27, 2026