Sovereign Web Analytics — Self-Hosted or Managed Cloud
Open Source · Managed Cloud · MIT Licensed
Sovereign Web Analytics.
Self-host HitKeep on your own infrastructure or use managed cloud in the EU or US. The same auditable single-binary product sits underneath both options — no PostgreSQL, no Redis, no ClickHouse, no multi-service analytics stack to babysit.
Live demo — click around, it’s real data. Your data, your server, your rules.
The main overview stays compact with card-level toggles: switch the pages card between Top Pages, Landing Pages, and Exit Pages, and switch the audience card between Countries and Languages.
Not a SaaS. Not a Vendor.
Yours.
Most analytics tools are built around the assumption that sending your visitors’ data to a third-party cloud is acceptable. For government agencies, healthcare organizations, financial services firms, and security-conscious teams, it is not. HitKeep is built on the opposite assumption.
Deploy on classified or air-gapped networks. No outbound connections required. Full source code available under MIT license for security review and procurement processes.
Cookie-free tracking processes no personal identifiers. Data never leaves your HIPAA-compliant infrastructure. No third-party data processors to disclose.
Full data sovereignty. Export your complete analytics history in open formats (Parquet, JSON, CSV) at any time. No vendor lock-in. Audit your data pipeline end to end.
Single binary with minimal attack surface. RBAC across all sites. WebAuthn hardware key authentication. Kubernetes StatefulSet with PVC. Health and readiness probes.
Everything Needed.
Nothing Extra.
Conversion tracking, multi-step funnels, hardware-key authentication, and automated reports — all built in, all running on your server.
Goals & Conversion Tracking
Multi-Step Funnels
Period Comparison
TOTP & Passkeys (WebAuthn)
Scheduled Email ReportsCompliant by Design,
Not by Configuration
Cookie-free by default, operator-controlled retention, open-format exports, and region choice help support GDPR programs. Compliance still depends on your lawful basis, notices, and contracts.
HitKeep makes no outbound network calls from the server process. Your traffic data, your user list, your analytics — none of it leaves your network unless you export it.
Choose your jurisdiction: on-premise on your own hardware, EU region (Frankfurt, strict GDPR), or US region. You decide where the data physically resides.
A single Linux binary with zero external service dependencies. No database setup, no container registry pull, no external service calls. Runs well in disconnected or tightly controlled network environments on supported Linux hosts.
Hardware security key authentication (YubiKey, FIDO2) and platform authenticators (Face ID, Windows Hello). TOTP included as a second option. Not a paid add-on.
Full source code under MIT license on GitHub. Audit the entire codebase. No proprietary binaries, no obfuscated code, no telemetry hidden in dependencies.
One Binary.
Everything Included.
One binary (~80 MB). Runs on Linux, macOS, Windows, and ARM. No runtime, no package manager, no container required.
curl -L …/hitkeep-linux-amd64 -o hitkeep && chmod +x hitkeepSet your domain and a JWT secret. No database provisioning. DuckDB and NSQ are embedded and start automatically.
./hitkeep -public-url=“https://analytics.example.com” -jwt-secret=”…“Add a lightweight privacy-first snippet to your site. Analytics flows into your embedded DuckDB database, with open-format exports and retention controls under your control.
<script async src=“https://analytics.example.com/hk.js”></script>Built Different.
On Purpose.
Your analytics live in hitkeep.db — one file on your server. Export everything in JSON, CSV, or Parquet. No retention limits. No vendor lock-in.
DuckDB and NSQ are embedded directly into the binary. No containers to orchestrate. No databases to provision. One process, one file to back up.
Conversion goals (path or event-based), multi-step funnels, and UTM campaign attribution — all with fast timeseries rollups over DuckDB’s columnar storage.
The audience card toggles between countries and languages, and the pages card toggles between top pages, landing pages, and exit pages.
Generate read-only share links for stakeholders, clients, or public dashboards. No account required to view. Revoke any time.
Scheduled digest emails and per-site reports. The built-in Report Worker dispatches over your SMTP server — no external cron jobs or queue services.
GDPR, CCPA/CPRA, and PECR-aware deployment options with self-hosting, EU/US region choice, retention, takeout, and documented privacy trade-offs.
Start on a single $4 VPS. Scale to a Leader/Follower cluster with HashiCorp Memberlist gossip protocol. Health and readiness probes for Kubernetes.
Ready to own your analytics?
Deploy in under two minutes or let us run it for you.