---
title: "Best Privacy-First Analytics Compared: Plausible vs Fathom vs Umami + 4 More"
description: "We ran AST analysis on 7 privacy-first analytics tools and catalogued exactly which browser APIs each one touches. See how Plausible, Fathom, Umami, Cloudflare, Rybbit, Databuddy, and Vercel Analytics compare on privacy, performance, and GDPR compliance."
canonical_url: "https://nuxt-scripts.zhcndoc.com/learn/privacy-first-analytics-compared"
last_updated: "2026-03-19"
---

"Privacy-first" is a marketing label. The code tells a different story.

We decompiled every privacy-first analytics script in the [Nuxt Scripts](https://github.com/nuxt/scripts) registry and ran AST analysis to catalogue exactly which browser APIs each one touches at runtime. No marketing claims, no privacy policy excerpts - what the script does.

The finding: **even among the best privacy-first analytics tools, the API surface ranges from 2 to 7 browser APIs.** That gap determines what data leaves your users' browsers.

## How We Compared These 7 Privacy-First Analytics Tools

<tracking-matrix>



</tracking-matrix>

All seven providers share one critical property: **zero cookies**. That's the baseline for any privacy-first Google Analytics alternative. But the similarity ends there.

The tools fall into three groups based on how many browser APIs they access:

- **Minimal (2 APIs):** <link-script slug="plausibleAnalytics">



</link-script>

, <link-script slug="fathomAnalytics">



</link-script>

, <link-script slug="vercelAnalytics">



</link-script>
- **Medium (3–4 APIs):** <link-script slug="umamiAnalytics">



</link-script>

, <link-script slug="cloudflareWebAnalytics">



</link-script>
- **Broader (6–8 APIs):** <link-script slug="rybbitAnalytics">



</link-script>

, <link-script slug="databuddyAnalytics">



</link-script>

None of these providers use fingerprinting APIs (canvas, WebGL, audioContext) or set cookies. The differences are in how much device and session context they collect alongside pageview data. Rybbit and Databuddy also use `localStorage` for persistent identifiers - still cookie-free, but with cross-session tracking capability.

<note>

For comparison, GA4 uses 8 APIs including `cookies`, `mutationObserver`, and `intersectionObserver`. The best privacy-first analytics tools use 2–8x fewer APIs than traditional analytics. See the [full performance comparison](/learn/analytics-script-performance) for size and execution benchmarks.

</note>

## Plausible Analytics Review

<link-script slug="plausibleAnalytics">



</link-script>

 is the most popular privacy-first Google Analytics alternative. It touches **2 browser APIs**: `localStorage` (for session deduplication) and `fetch`.

<analytics-review best-for="Teams that want the smallest privacy surface with the best standalone dashboard." privacy="Generates a daily hash from the visitor's IP, user agent, and a rotating salt. Plausible <a href='https://plausible.io/data-policy'>purges the salt every 24 hours</a>, making it impossible to reconstruct cross-day visitor chains - satisfying GDPR's anonymization threshold." script-key="plausibleAnalytics" self-hosting="Available. The most minimal footprint of any self-hostable privacy analytics option.">



</analytics-review>

## Fathom Analytics Review

<link-script slug="fathomAnalytics">



</link-script>

 matches Plausible's minimal API surface with **2 APIs**: `localStorage` and `sendBeacon`.

<analytics-review best-for="High-traffic sites that want flat pricing and strong EU data residency guarantees." privacy="<a href='https://usefathom.com/compliance/eu-isolation'>EU Isolation</a> routes all EU visitor data through EU-based infrastructure, adding a layer of DPA compliance beyond the cookie-free baseline." script-key="fathomAnalytics" self-hosting="No (SaaS only).">



</analytics-review>

## Umami Analytics Review

<link-script slug="umamiAnalytics">



</link-script>

 is an open-source, self-hostable privacy analytics tool. It uses **3 APIs**: `localStorage`, `fetch`, and `screen` (for viewport dimensions).

<analytics-review best-for="Developers who want full data ownership with minimal operational cost." privacy="Cookie-free, no persistent identifiers. Collects screen dimensions on top of the minimal baseline." script-key="umamiAnalytics" self-hosting="MIT licensed, supports PostgreSQL or MySQL. Lowest operational overhead of any self-hosted option.">



</analytics-review>

## Cloudflare Web Analytics Review

<link-script slug="cloudflareWebAnalytics">



</link-script>

 uses **4 APIs**: `userAgent`, `sendBeacon`, `xhr`, and `performanceObserver` - the extra APIs power built-in Core Web Vitals collection.

<analytics-review best-for="Sites already on Cloudflare that want free analytics with built-in CWV monitoring." privacy="Cookie-free. Cloudflare processes data on their infrastructure but does not sell or share it." script-key="cloudflareWebAnalytics" self-hosting="No (tied to Cloudflare).">



</analytics-review>

## Rybbit Analytics Review

<link-script slug="rybbitAnalytics">



</link-script>

 is an open-source privacy analytics tool that touches **6 APIs** including `localStorage`, `performanceObserver`, `screen`, and `languages`.

<analytics-review best-for="Teams that want self-hosted analytics with Core Web Vitals built in." privacy="Cookie-free. Uses <code>localStorage</code> for user IDs, which persists across sessions until manually cleared. Includes CWV collection." script-key="rybbitAnalytics" self-hosting="Open-source and self-hostable.">



</analytics-review>

## Databuddy Analytics Review

<link-script slug="databuddyAnalytics">



</link-script>

 touches the most APIs at **8**: `localStorage`, `sessionStorage`, `performanceObserver`, `screen`, `languages`, `userAgent`, `sendBeacon`, and `fetch`.

<analytics-review best-for="Teams that want the most device context possible while staying cookie-free." privacy="Cookie-free. Uses both <code>localStorage</code> and <code>sessionStorage</code> for state. Broader device signal collection than other privacy-first tools, but no fingerprinting APIs." script-key="databuddyAnalytics" self-hosting="Open-source and self-hostable.">



</analytics-review>

## Vercel Analytics Review

<link-script slug="vercelAnalytics">



</link-script>

 is the most minimal option, touching **2 APIs**: `userAgent` (device classification) and `fetch`.

<analytics-review best-for="Vercel-hosted apps that want zero-config analytics with the absolute smallest footprint." privacy="Cookie-free by default. Minimal data collection - no <code>localStorage</code>, no session state. An opt-in <code>enableCookie</code> flag exists but defaults to off." script-key="vercelAnalytics" self-hosting="No (tied to Vercel platform).">



</analytics-review>

## Performance Comparison: All 7 Privacy-First Analytics Tools

Fewer APIs and smaller scripts translate directly to less main-thread work:

<privacy-performance-table>



</privacy-performance-table>

Every privacy-first analytics provider stays under **2ms of script execution** and **10ms of task duration**.

The three providers that collect Core Web Vitals (Cloudflare, Rybbit, Databuddy) carry larger decoded sizes (25–30 KB) because the `performanceObserver` integration adds measurement code. That's a reasonable tradeoff if you want CWV data without a separate monitoring tool.

## GDPR Compliance: Why Cookie-Free Analytics Win in 2026

### The Consent Banner Problem

EU cookie acceptance rates dropped to [40–58% across member states](https://www.cnil.fr/en/cookies-and-other-tracking-devices-how-do-i-comply-with-the-rules) in 2026 (CNIL guidance, February 2026). Cookie-based analytics like GA4 and default Matomo lose 40–60% of their traffic data to "Reject All" clicks. All seven privacy-first analytics tools in this comparison capture close to 100%.

<chart-consent-impact>



</chart-consent-impact>

### Matomo's CNIL Exemption

[Matomo is the only analytics platform](https://www.cnil.fr/en/cookies-and-other-tracking-devices) with a formal consent exemption from France's data protection authority. The exemption requires IP masking, 13-month cookie caps, and no third-party data sharing. However, Matomo's default configuration uses cookies - you must explicitly configure cookie-free mode to qualify.

## First-Party Mode: Recovering Ad-Blocked Data

25–45% of users block trackers ([Blockthrough Ad-Block Report 2026](https://blockthrough.com)). Even privacy-first scripts hosted on known domains (`plausible.io`, `cloud.umami.is`) get blocked at the DNS level.

Nuxt Scripts' first-party mode proxies analytics traffic through your own domain:

```ts
// nuxt.config.ts
export default defineNuxtConfig({
  scripts: {
    registry: {
      plausibleAnalytics: {
        domain: 'yourdomain.com'
      }
    }
  }
})
```

Requests go to `yourdomain.com/_scripts/plausible` instead of `plausible.io/js/script.js`. Indistinguishable from a first-party request to most blockers. Data accuracy returns to near 100%.

## Which Privacy-First Analytics Tool Should You Choose?

<privacy-picker-table>



</privacy-picker-table>

For most apps: **start with , , or **. Add <link-script slug="cloudflareWebAnalytics">



</link-script>

 or <link-script slug="rybbitAnalytics">



</link-script>

 if you need Core Web Vitals. Only reach for GA4 or Matomo if you need specific features that privacy-first analytics tools don't offer.

---

**Last reviewed:** March 2026

### Related Resources

- [Analytics Script Performance Comparison](/learn/analytics-script-performance)
- [Choosing the Right Analytics for Nuxt](/learn/choosing-analytics-nuxt)
- [Nuxt Scripts Documentation](https://scripts.nuxt.com)