Introduction and Scope
9ping Analytics is a privacy-first, self-hostable web analytics tool that lets an operator measure traffic on their own websites by embedding a small JavaScript tag, without third-party advertising cookies or fingerprinting.
This policy explains what data the software collects, how it is used, and the choices and rights available to both the operators who run an instance and the visitors of the websites that embed the tag.
Because the software is self-hosted, each instance is run independently by its operator, and this policy describes the behavior of the software itself rather than the practices of any single central company.
Who Is the Data Controller
For visitor data collected through a given website, the data controller is the operator who installs and runs that 9ping Analytics instance on their own server, not the authors of the software.
The operator decides which websites embed the tag, which custom events are sent, and how the resulting statistics are used, and is therefore responsible for compliance with applicable data protection laws.
You can identify and contact the operator of this instance through the contact details published by the operator on the website where the analytics tag is used.
What Visitor Data We Collect
When you visit a website that embeds the 9ping Analytics tag, the software records the page URL or path and the page title.
It records the referrer along with the derived traffic source and any referral keyword (such as utm_term or a residual search-engine query term).
It generates a coarse visitor identifier and a session identifier that are cookieless-friendly and may be ephemeral; these are not advertising identifiers.
It derives your browser, operating system, and device type from the user-agent string, and records your screen size and language.
It records an anonymized IP address (the last IPv4 octet is zeroed or the IPv6 address is truncated) and only a coarse region such as local, LAN, or unknown.
It records any custom events the operator chooses to send via the window.tj() function, the page load time measured by the browser performance API, and timestamps.
What We Explicitly Do Not Do
9ping Analytics does not use third-party advertising cookies and does not build advertising profiles.
It does not fingerprint visitors and does not attempt to track them across unrelated websites.
It does not sell or share visitor data, and it stores IP addresses only in anonymized form.
It does not perform precise geolocation or GeoIP city lookups, and it filters out known bots while logging named search-engine crawlers separately as spider statistics.
Account Data for Operators
Operators who use the dashboard create an account that stores a username, an optional email address, and a password that is stored hashed with bcrypt or argon.
To support mandatory two-factor authentication, the account also stores one-time recovery codes in hashed form and a TOTP secret, along with an API key for programmatic access.
This account data is used solely to authenticate the operator, secure the dashboard, and provide access to the analytics features.
Legal Bases for Processing
Where the GDPR applies, the operator typically relies on legitimate interest to measure and improve the performance of their own website using privacy-preserving, anonymized analytics.
Where consent is required by applicable law, the operator is responsible for obtaining it before the tag collects data, and for honoring any withdrawal of that consent.
Each operator must inform their own visitors about the use of 9ping Analytics, for example through their own privacy notice, and provide any legally required choices.
Data Retention
Detailed hit records are retained for approximately 180 days and are then removed.
Daily aggregate statistics are kept longer so that historical charts and long-term trends remain available.
Spider logs for named search-engine crawlers follow the same 180-day retention window as detailed hit records.
International Data Transfers
Because the software is self-hosted, all collected data stays on the server controlled by the operator and is not transmitted to the software authors or to any central service.
Any international transfer that may occur depends solely on where the operator chooses to host their instance, and is under the operator control.
Your Rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete personal data that relates to you.
Because each instance is controlled by its operator, you exercise these rights by contacting the operator of the instance that collected the data.
The operator can locate, export, or delete the relevant records, taking into account that IP addresses are already stored only in anonymized form.
Security Measures
The software enforces two-factor authentication with TOTP, stores passwords and recovery codes as hashes, and protects forms with CSRF tokens.
It applies a strict Content Security Policy, security headers, and rate limiting, and anonymizes visitor IP addresses to reduce the impact of any incident.
No system can be guaranteed to be completely secure, but these measures are designed to protect data against unauthorized access and misuse.
Children
9ping Analytics is a website measurement tool intended for website operators and is not directed at children under the age of 16.
The software does not knowingly collect personal data from children, and it does not build profiles of individual visitors.
Changes to This Policy
This policy may be updated from time to time to reflect changes in the software or in legal requirements.
When changes are made, the revised version is published with an updated date, and continued use of the software constitutes acceptance of the updated policy.
Contact
For questions about this policy or about data collected on a specific website, please contact the operator of this instance using the contact details they publish.
For general information about the 9ping Analytics software, refer to the project website at https://9ping.dev.