Umami is a simple, fast, privacy-focused alternative to Google Analytics

2025-02-1319:56348168github.com

Umami is a simple, fast, privacy-focused alternative to Google Analytics. - umami-software/umami

A detailed getting started guide can be found at umami.is/docs.

Installing from source requires:

  • A server with Node.js version 18.18 or newer
  • A database. Umami supports MariaDB (minimum v10.5), MySQL (minimum v8.0) and PostgreSQL (minimum v12.14) databases.

Get the source code and install the packages:

git clone https://github.com/umami-software/umami.git
cd umami
yarn install

Create an .env file with the following:

DATABASE_URL=connection-url

The connection URL format:

postgresql://username:mypassword@localhost:5432/mydb
mysql://username:mypassword@localhost:3306/mydb
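
A generated database password often contains characters that are reserved in URLs, and the connection URL format above misparses without warning if they are not percent-encoded. The following Node.js example is added here and is not code from the Umami project; the function names, the placeholder list and the sample host and user names are assumptions made for illustration.

```javascript
// Added example, not part of the Umami repository.
// Schemes are the two shown in the connection URL format above.
const SUPPORTED_SCHEMES = new Set(['postgresql:', 'mysql:']);
// Constructed list: the README's sample password plus a few common placeholders.
const PLACEHOLDER_PASSWORDS = new Set(['', 'mypassword', 'password', 'changeme', 'umami']);

// Build a connection URL with every user-supplied part percent-encoded, so that
// characters such as @ / : # in a generated password cannot shift the host or path.
function buildDatabaseUrl({ scheme, user, password, host, port, database }) {
  const enc = encodeURIComponent;
  return `${scheme}://${enc(user)}:${enc(password)}@${host}:${port}/${enc(database)}`;
}

// Return a list of findings for a DATABASE_URL value; an empty list means it passed.
function lintDatabaseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return ['unparseable URL: check for unencoded reserved characters in the credentials'];
  }
  const findings = [];
  if (!SUPPORTED_SCHEMES.has(url.protocol)) {
    findings.push(`unsupported scheme ${url.protocol}`);
  }
  // A correctly encoded URL has exactly one "@" and a single path segment. Anything
  // else means part of the password was parsed as host, path or fragment, which
  // the URL parser accepts without raising an error.
  const database = url.pathname.replace(/^\//, '');
  const atSigns = (raw.match(/@/g) || []).length;
  if (atSigns > 1 || /[\/@:]/.test(database)) {
    findings.push('reserved character in credentials is not percent-encoded');
  }
  if (database === '') {
    findings.push('database name is missing');
  }
  let password = url.password;
  try {
    password = decodeURIComponent(url.password);
  } catch {
    // Malformed percent sequence: keep the raw value for the placeholder check.
  }
  if (PLACEHOLDER_PASSWORDS.has(password)) {
    findings.push('password is empty or a placeholder');
  }
  return findings;
}

// Constructed sample values; db.internal and umami_app are hypothetical names.
const generated = buildDatabaseUrl({
  scheme: 'postgresql', user: 'umami_app', password: 'p@ss/w:rd#1',
  host: 'db.internal', port: 5432, database: 'umami',
});
console.log(generated, lintDatabaseUrl(generated));
// The same password pasted in unencoded: the parser reports host "ss", not db.internal.
const pasted = 'postgresql://umami_app:p@ss/w:rd#1@db.internal:5432/umami';
console.log(new URL(pasted).hostname, lintDatabaseUrl(pasted));
// The README's sample URL is flagged because it still carries the sample password.
console.log(lintDatabaseUrl('postgresql://username:mypassword@localhost:5432/mydb'));
```

Run the check on the value before writing it to .env, so a misparsed host or a leftover sample password is caught before the build step connects to the database.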

The build step creates the tables in your database if you are installing for the first time. It also creates a login user with username admin and password umami. Change this password immediately after your first login; the default credentials are public.

By default, this will launch the application on http://localhost:3000. You will need to either proxy requests from your web server or change the port to serve the application directly.

To build the Umami container and start up a Postgres database, run:

Alternatively, to pull just the Umami Docker image with PostgreSQL support:

docker pull docker.umami.is/umami-software/umami:postgresql-latest

Or with MySQL support:

docker pull docker.umami.is/umami-software/umami:mysql-latest

To get the latest features, simply do a pull, install any new dependencies, and rebuild:

git pull
yarn install
yarn build

To update the Docker image, simply pull the new images and rebuild:

docker compose pull
docker compose up --force-recreate

Comments

  • By marvinblum 2025-02-1710:096 reply

    You can find a nice list of privacy-respecting analytics tools on European Alternatives [0], including mine, Pirsch [1].

    I've been in this space for ~3 1/2 years, so if you have any questions, please let me know :)

    [0] https://european-alternatives.eu/category/web-analytics-serv...

    [1] https://pirsch.io

    • By eitland 2025-02-1710:359 reply

      Not related to you, but from a description in the first link, in the description for Plausible:

      > Because it does not use cookies their is no need to show cookie banner for this service.

      This is IMO a rather fundamental misunderstanding of the current situation.

      I'd be hesitant to use a product from someone who I think has misunderstood completely what the rules are about. (Again, IMO and also IANAL but I have followed GDPR more closely than most people.)

      GDPR is about collecting information; as far as I can see, the technical details of how you do it don't matter. It could be pure magic and would still be illegal.

      • By birjolaxew 2025-02-1713:492 reply

        I've actually had this discussion with Plausible directly back in 2022[1], and more recently with the lawyer they had write a blog post[2] on the topic. I wrote an article on it, that was recently discussed here on HN [3].

        The response from Plausible is essentially "we've checked with legal counsel, and stand by the statement". The conversation with the lawyer started out well, but he stopped responding when I asked about the ePD, not GDPR.

        There generally seems to be a lot of confusion, even in legal circles, about what ePD requires informed consent for. Many think that only PII requires consent, or think that anonymization bypasses it. That amount of confusion makes it very easy for a layman (e.g. Plausible) to find _someone_ willing to back up their viewpoint.

        The EDPB released a guideline in 2023 that explicitly states that what Plausible et al. are doing is covered by the ePD's consent requirement, but that's a little too late: the implementations in member countries already differ massively on whether it's covered[4].

        1: https://github.com/plausible/analytics/discussions/1963
        2: https://plausible.io/blog/legal-assessment-gdpr-eprivacy
        3: https://news.ycombinator.com/item?id=42792485
        4: https://matomo.org/faq/general/eprivacy-directive-national-i...

        • By taw9838373 2025-02-1716:54

          > There generally seems to be a lot of confusion, even in legal circles, about what ePD requires informed consent for.

          That seems to be true, going by this comment section and the other ones I've seen.

          It's hard to get a non-hyperbolic answer to the question: if everyone is so confused, what's the real-world consequence of best-effort implementation?

          Some would say it's the ultimate responsibility of the app owner to understand the law, but how much further can you go than hiring a lawyer?

          If more diligence needed to be done than that, none of us would get anything built; we'd all just be running around researching the laws around these dumb popups.

          What are the real-world consequences of making a mistake here? What kind of boundary would you have to trip over to actually get the authorities to prosecute you for not having a consent popup or doing it badly?

        • By progmetaldev 2025-02-1723:421 reply

          That is unfortunate, and seems to be similar to ADA compliance, as far as what is truly compliant and what is not. It seems like it is up to the courts to decide (speaking as an American, I know GDPR is a European law). I try to do as much as possible to keep up to date with ADA compliance and best practices, but when it comes to tooling around scanning for non-compliance, there seem to be differences. I believe that showing that you made an effort to comply is usually enough to avoid a lawsuit, but it would be nice if things like this were spelled out more clearly for those that need to implement these features.

          I have recently gone through a conversation with a client that has been told in NY state (in the US) that something similar to GDPR is coming for those that deal with PII. Both the client and the agency I work for have added various scripts to the website for dynamic forms, tracking (Google Analytics), and newsletter functionality. It's at a point where everything that is 3rd party has to be discovered first, then seeing if there is the ability to anonymize everything (either by default, or with a user consent dialog). Even with current laws, it seems intentional to keep things vague.

          • By eszed 2025-02-1820:11

            Agreed. The company I work for has fought off two "ADA trolls" in the past ~3 years. I'm fully behind accessibility, and we design/develop our website specifically to conform with best-practice; I get, and generally accept, that civil remedies are (currently) the only way to enforce any kind of compliance. I nevertheless call the lawyers targeting us trolls, because their technical analysis was beyond incompetent, and their understanding of accessibility issues woefully out of date. It cost a few days of my + developer time, and I don't know how much lawyer-time, to make them go away.

            We (I'm in the US) badly need clarifying regulation. Until then, compliance will mainly be about preventing yourself from being low-hanging fruit for opportunistic litigation - which, to be clear, can generate productive results, but is clearly inefficient.

      • By uallo 2025-02-1711:02

        It is not entirely clear who wrote these descriptions. Maybe it was not the vendor. At least their website https://plausible.io/ has a much better wording.

           > No need for cookie banners or GDPR consent
           > 
           > Plausible is privacy-friendly analytics. All the site measurement is carried out absolutely anonymously. Cookies are not used and no personal data is collected. There are no persistent identifiers. No cross-site or cross-device tracking either. Your site data is not used for any other purposes. All visitor data is exclusively processed with servers owned and operated by European companies and it never leaves the EU.

      • By marvinblum 2025-02-1710:412 reply

        Correct, it's not so much about Cookies, but how data is collected and what is stored.

        We have done a privacy risk analysis with an external lawyer and data protection officer, and concluded that Pirsch is in line with GDPR as we do not collect nor store personal identifiable information (PII). Processing stuff like IP addresses for example is legal as long as they are not stored and only cached for a reasonable amount of time (a few milliseconds in our case).

        If you're interested, we have extensive documentation on this. You can reach out to support@pirsch.io to get it :)

        If anyone is interested in doing something similar: this did cost us about 8,000 € in Germany.

        • By anonzzzies 2025-02-1715:101 reply

          I guess because you store their fingerprint (for uniques) only 24 hours, it is ok?

          • By marvinblum 2025-02-1715:17

            This also factors in, yes. If we would store it indefinitely, there is the risk of profiling (estimating who someone is by their behaviour).

        • By michpoch 2025-02-1722:211 reply

          > This did cost us about 8,000 € in Germany.

          The apparently extensive legal assessment you just described cost just 8'000 euro?

          I am sorry but that had to be some hasty review at best. Do you take the full legal risk in case any of your customers would be found in violation of privacy laws because of using your service?

          For reference, with similar hourly rates as Germany, reviewing a standard apartment-purchase contract cost me ~3500 euro.

          • By marvinblum 2025-02-180:092 reply

            We had someone with a lot of experience in this field working for very large German corporations and got a discount/startup bonus. I wouldn't call it cheap.

            Imagine starting a business in Germany. How are you supposed to pay 30-50k for legal questions before selling anything?

            • By michpoch 2025-02-2018:45

              > I wouldn't call it cheap

              The moment someone sues your customers, or some European agency gets onto them, that 8000 euro opinion is all you're basing your company's legal security on. In that context, yes, this is being very cheap.

            • By account42 2025-02-1914:211 reply

              Analytics and other forms of tracking are not required to do business. Don't try to skirt the law and you won't have as many legal questions to answer.

              • By XCSme 2025-02-2117:03

                So, if I run ads or a marketing campaign, I shouldn't be able to know if it brings a positive ROI or not?

                Let's assume I pay $1000 for Google Search Ads, wouldn't it help the business to know that "from my sales, $800 came from Google Search Ads"?

                People do this all the time, even in real life, with coupon codes fliers for example.

      • By wongarsu 2025-02-1712:562 reply

        You need consent for (not functionally necessary) cookies because of the ePrivacy Directive (the "cookie law"). Additionally, you also need consent for processing, storing or sharing personally identifying information (PII) because of the GDPR. Usually you do both in the same consent popup.

        Plausible doesn't store visitor's IPs or any other PII, and doesn't set any cookies. The reasoning given in the quoted paragraph is incomplete, but the result is correct. You only need to mention them in your privacy policy, they don't require any opt-in popups

        • By robin_reala 2025-02-1713:31

          PII isn’t a concept in GDPR. GDPR talks about personal data, which on its own might not be identifying, but which in combination with other personal data can successfully identify a person.

        • By youngtaff 2025-02-1717:22

          Regardless of whether they store it, Plausible is exposed to the visitor's IP address though, isn't it?

      • By jgalt212 2025-02-1716:56

        At the end of the day it comes down to enforcement. If the rules make no sense, and they can't be enforced, they might as well not exist.

      • By velcrovan 2025-02-1719:182 reply

        I'm curious: running a static website with no JS-based analytics whatsoever — only Apache logs in standard format (so including IP address and user agent string) — does GDPR require consent banners in this case? If so, doesn't essentially every website require consent banners due to the way websites work?

        • By xorcist 2025-02-1722:37

          GDPR does not require a consent banner. If you want to process the user's personal data outside what is strictly necessary, you need permission. One way to get that permission is for the user to specifically consent to it. It does not have to be a banner. (In fact, many banners out there are probably not enough for informed consent anyway, as they provide no information about what data is collected or any reasonable way to opt out.)

          Personally identifiable information has nothing to do with javascript, or analytics. Do you have GET requests with parameters containing enough to identify a specific individual? Then your logs are sensitive and you must have a valid contract, informed consent, or provide some important service where this information is necessary.

          There are gray areas which can make this difficult, but the basic idea is enough information to identify an individual. A basic website where you log that IP address A viewed home.html is not enough. The knowledge that a 55 year old woman with particular name on a particular street address has an interest in photography and shoe size 9 probably is. The line is somewhere in between.

      • By input_sh 2025-02-1711:511 reply

        GDPR is about collecting personally identifiable information, which is distinct from aggregate data that you can't trace back to the individual. Recital 26:

        > The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

        So details definitely matter. Some self-hosted analytics do this by getting rid of the last octet of the IP address, though I doubt that's been tested in courts.

        • By anonzzzies 2025-02-1715:022 reply

          If you can figure how many unique visitors you have, you have a problem. That must somehow fingerprint you.

          • By input_sh 2025-02-1718:041 reply

            I posted a quotation straight from the recital of the GDPR that says anonymised data does not matter. I even gave a reference that you can look up. The recital even ends with this:

            > This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

            There is no ambiguity here, aggregate data is completely fine as long as I can't trace it back to you with a reasonable amount of effort.

            • By anonzzzies 2025-02-184:36

              A DPO would disagree with you depending on the circumstance; if you know a user is unique then you have a fingerprint; if you keep that fingerprint forever, when the user comes back to the site, it's trivial to know it is that user.

          • By tonyhart7 2025-02-1715:05

            Anonim jwt guest literally did this same thing noo??? I mean if you just track anonim data

            what I mean is you can track unique visitor of your app without privacy breach because you use anonim data

      • By tasuki 2025-02-189:041 reply

        If I install the Apache web server and accidentally expose the machine to the internet, am I violating GDPR by not having a cookie banner on the "Apache Default Page"?

        • By eitland 2025-02-1915:00

          Probably not.

          But if you can still find a way to identify users from server logs, then probably yes.

      • By Reubensson 2025-02-1710:41

        Yeah, not using cookies is irrelevant if you use other means to track user. Also people like to think they need to show the "cookie banner" for all cookies regardless of how they are used.

    • By andiareso 2025-02-1715:021 reply

      Is Pirsch a fork of Plausible? It looks nearly identical.

      • By marvinblum 2025-02-1715:121 reply

        No, they are comparable, but it's an independent tool. When we started, Plausible wasn't as big as it now is. We also had a focus on deeper integrations via API from the get go, a nicer dashboard, and a few other minor details.

        I basically started this for my personal use as a library for Go, which it still is:

        https://marvinblum.de/blog/server-side-tracking-without-cook...

        • By vladkens 2025-02-1715:591 reply

          Pricing page looks completely same with Plausible. But prices is less which is good

          • By marvinblum 2025-02-1717:031 reply

            Funny enough, they seem to have "copied" our structure. I remember when it basically was just a slider, without tiers.

            • By ksec 2025-02-182:19

              Yes, because I remember I suggested to them their pricing structure was not simple. Although I am not sure who started the slider pricing UX.

    • By randomQ11333 2025-02-1710:401 reply

      how do you calculate the session duration? is it the delta between two page hits or similar events?

      i tried a couple of the smaller analytics tools, like plausible, simpleanalytics, umami etc... and one thing that i always disliked was the way the session duration was calculated - i have a lot of longer articles where the visitor stays for a long time and then leaves. most of these tools will count that as a bounce, as there is no two hits to calculate the delta between. but for me it is a very important metric to get accurate numbers on, which is impossible with that implementation for sites like mine (very few but long page visits, not a lot of navigation between pages).

      do you handle this the same way? that would be a feature i'd be willing to switch my current tool out for.

      • By marvinblum 2025-02-1711:05

        Yeah, we also use the delta. However, you can send a custom event on close to update the session duration. The session won't be counted as bounced in our system then and the time is updated.

        https://docs.pirsch.io/advanced/events

    • By tonyhart7 2025-02-1713:341 reply

      these are good list however very few of them offer for Apps like mobile, desktop etc

      • By marvinblum 2025-02-1714:071 reply

        For Pirsch, we have a PWA you can install right from your mobile browser :)

        • By tonyhart7 2025-02-1714:541 reply

          Yeah but it's a PWA, that's the problem

          • By willsmith72 2025-02-1715:361 reply

            What's wrong with a PWA?

            • By satvikpendem 2025-02-1719:432 reply

              They simply don't work as well as non-web apps. People continue to insist that they do, but from my experience, they just don't have the same smoothness as a native app to show that it's not a web app.

              • By willsmith72 2025-02-1720:571 reply

                sure for something you're spending hours on like instagram. for my business data analytics, I don't care. If I'm doing any serious work I'm on laptop anyway, mobile is just for casual checks

                a native mobile app is a gigantic time, productivity, and cash investment. if a business can get most of the value from a PWA, they will be far better off investing that time and innovation into other parts of their business than building a native app for the "smoothness"

                • By satvikpendem 2025-02-1721:10

                  There are lots of ways to make it cross platform pretty easily if you plan to do so from the beginning, such as React Native and Flutter. Even now, if the site is in React, it is not too difficult to port it all to RN, which also has a web version that is quite similar to React proper. Plus, RN and Flutter have PWA support already too.

              • By bryanhogan 2025-02-1720:081 reply

                Do you have examples of such apps? Generally curious since I would assume that there might be other factors at play that make such apps "not smooth".

                • By satvikpendem 2025-02-1720:11

                  Try something simple like Instagram via the browser versus as an app, it's simply smoother on the app. I would have to dig up more examples but IG immediately comes to mind as a recent experience.

    • By TZubiri 2025-02-1714:362 reply

      I'll have a basic "how is this different than the thing they are copying" please.

      • By marvinblum 2025-02-1715:20

        I guess you have to sign up to a few, test them on your site, and decide which one to use. In the end, they are all slightly different.

        If you would like to self-host or have other specific requirements, you can quickly reduce the list to a couple of options of course.

    • By euph0ria 2025-02-1712:441 reply

      Does it require cookie and/or gdpr consent from the user to use these privacy analytics tools?

  • By Benjamin_Dobell 2025-02-1716:021 reply

    I just shut down a companion app for a game I'd reverse engineered — developed over the last 2-3 months. The companion app, among other things:

    - Generated insights — https://bizarre.gg/meta

    - Show detailed interactive gameplay logs (from "Umami" analytic events) — https://bizarre.gg/runs/00493ccf-5b96-523c-beb4-06e8154cc158

    Thread w/ development overview: https://news.ycombinator.com/item?id=43080066

    I used Umami and mention it in the video. Admittedly, it was a mistake for my use case. I had to heavily modify Umami due to lack of features and performance issues. There are also a lot of bugs in the project which are immediately revealed simply by enabling TypeScript strict flags, and some more linting rules. Granted, I was not really using Umami exactly as intended. I do think it's great this project exists, and whilst I had to heavily modify it for my use case, I did at least help the upstream project diagnose one issue: https://github.com/umami-software/umami/pull/2946#issuecomme...

    • By echelon 2025-02-1720:081 reply

      The company that made the game (Tempo Games) sent you a cease and desist?

      That's not very friendly of them.

      • By SeanAnderson 2025-02-1721:581 reply

        They also gave him a job offer, but yes, Tempo has been pretty aggressive in trying to keep their game from getting "solved" by third party tooling collecting analytics on the game.

        • By account42 2025-02-1914:27

          An honest job offer or a "please travel to a jurisdiction where we can more thoroughly fuck you over" offer?

  • By rckt 2025-02-179:232 reply

    Been using it for my personal website for over a year as a self-hosted solution. Not great if you want just to set it up and forget about it. There are breaking changes every now and then on every part, DB and the FE. So at some point it just broke for me and stopped showing relevant data. I ended up switching to piratepx as it was enough for me to see if there were any visits.

    • By ayewo 2025-02-1711:001 reply

      Same here. My self-hosted instance is broken right now and I've not been able to find time to fix it. The pace of change was easy to keep up with when it was just 1 guy.

      Now it appears they have built an entire team and raised some VC to build out their SaaS.

      • By ksec 2025-02-181:08

        >Now it appears they have built an entire team and raised some VC to build out their SaaS.

        Is that the case? Just FYI there was a scam claiming to be them and raising funds about Web 3 and Crypto.

    • By wallawe 2025-02-1714:51

      Can vouch for this as well. The API has breaking changes all the time and there's no notice whatsoever. We'll transition away soon.
