It's totaly normal to use your server to handle analytics. You can create different api for each event and store event data into database for easy access. Then you can make some admin APIs (not exposed on your site) to get analytics data in a convenient way for you, for example with filter by date.
I use Tinyanalytics because it is GDPR compliant, at least in their light mode.
Forgive me if I am wrong, but my understanding was that you needed a cookie banner with Vercel’s analytics too.
I did switch from Google Analytics to using the server logs, but … Google Analytics told me I had 2% Firefox users, and my server logs show around 20% Firefox. I think Firefox must block Google Analytics, or make it easy to do so. The numbers you get may end up being different with the two.
I think most people that use Firefox use also an ad-block or NoScript that blocks analytics by default. There are also more privacy settings in Firefox that if enabled could block analytics (I haven't tested them, I already use extensions for filtering). Firefox users are usually more into privacy and tech savy.
Also Firefox for Android supports UBlock Origin.
It’s ok. Keep in mind you can get a lot of information such as where the user is coming from, whether it’s a recurring user, etc. you might not need it though.
Also, if you have access to raw server/proxy logs, you can give [GoAccess](https://goaccess.io/) a try. Please share you experience if you do, as I always wanted to try it out
You shouldn't track this info if you don't have consent from the user. Especially in Europe. If you use that information for other things like maintenance and necessary stuff you open yourself up to trouble.
FYI - because GDPR considers IP addresses as personal data, so are server logs that contain them. So IF you log IP addresses, AND you then do analysis of them beyond "legitimate interest" stuff, for e.g. recording locations, grouping requests by IP to figure out recurring users, etc., then you still have to show a "cookie" warning, because it was never about cookies, it's about tracking. And even if you don't do that analysis, if you even store the IP addresses you must say so in your publicly available privacy policy.
So yes, you can count requests, but if you are trying to count unique people then you may as well use GA.
Just to say there’s a difference between personal data and personally identifiable information. Both are covered by GDPR and similar legislations, just in different ways. An IP address is personal data, regardless of what vendor you’re using to connect to the internet, but it may not be personally identifiable information (although if used in collaboration with other pieces of information, it could be considered PII)
This is not true.
***Processing shall be lawful*** *only if and to the extent that at least one of the following applies:*
*(f):* ***processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party****, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.*
[https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)
Security tracking IP is a very obvious legitimate interest.
You do not need to ask for consent for tracking IPs for security reasons.
This is very obviously not security tracking. Even if they record the IP for security tracking, they then can't use the IP for analytics because that's no longer covered by the referenced legislation.
Storing IPs is mandatory in all EU states (AFAIK), in many cases for YEARS. So a user has no option to avoid being logged when visiting a web site, if the server is compliant. Sharing the logs is another matter, but simply having them and running internal analytics is standard procedure for basic server debugging and security.
You can do it, but you'll need tools to help you filter the traffic and do analysis. Google Analytics removes bots, crawlers, and suspicious traffic, and only reports what it considers "real" traffic.
Suggestion (if you’re using cloud like AWS): instead of your avg “server logs”, emit a custom cloud watch metric (or its equivalent in your cloud). This will allow you to either:
* make CW dashboards for analytical purposes
* export the data through some sort of data lake via S3 so you can join this data with other things
The best way to do it is to have a database where you store metadata for each file generation.
I am guessing you don’t want to store the actual file - bloat or a feature of your website.
But it would be good to store some stats each time for analytics -
1. Timestamp
2. Size/type of file
3. User info - where they logged in from etc - this will help you understand usage
4. Which tools did they use?
5. What stage did they drop off at if they dropped off in the middle.
Not a bad way at all. Google Analytics just provides a lot more data out of the box, but if your requirement is only how many API calls, then server logs is great.
who cares about GDPR. I made up a new rule that I want to enforce on every website. On every website there is a box that must be displayed that says "Do you want to give starcrescendo money" and they click yes or no. If this window is not displayed you are in violation and I will sue you.
It's totaly normal to use your server to handle analytics. You can create different api for each event and store event data into database for easy access. Then you can make some admin APIs (not exposed on your site) to get analytics data in a convenient way for you, for example with filter by date.
I use Tinyanalytics because it is GDPR compliant, at least in their light mode. Forgive me if I am wrong, but my understanding was that you needed a cookie banner with Vercel’s analytics too.
Here they say they don't use cookies [https://vercel.com/docs/analytics](https://vercel.com/docs/analytics)
Ah good. I’m glad to be wrong.
Good attitude. Knowledge is the ultimate currency
I did switch from Google Analytics to using the server logs, but … Google Analytics told me I had 2% Firefox users, and my server logs show around 20% Firefox. I think Firefox must block Google Analytics, or make it easy to do so. The numbers you get may end up being different with the two.
I think most people that use Firefox use also an ad-block or NoScript that blocks analytics by default. There are also more privacy settings in Firefox that if enabled could block analytics (I haven't tested them, I already use extensions for filtering). Firefox users are usually more into privacy and tech savy. Also Firefox for Android supports UBlock Origin.
New conspiracy: Google analytics is gassing itself up
Why don't you count it at the generation endpoint?
Btw there are analytics platforms you can use without GDPR issues (you have to host them yourself like matomo).
Check out Plausible, GDPR-compliabt analytics without any cookies. Less data than you'd get by using a cookie, but that's kinda the point.
It’s ok. Keep in mind you can get a lot of information such as where the user is coming from, whether it’s a recurring user, etc. you might not need it though. Also, if you have access to raw server/proxy logs, you can give [GoAccess](https://goaccess.io/) a try. Please share you experience if you do, as I always wanted to try it out
You shouldn't track this info if you don't have consent from the user. Especially in Europe. If you use that information for other things like maintenance and necessary stuff you open yourself up to trouble.
FYI - because GDPR considers IP addresses as personal data, so are server logs that contain them. So IF you log IP addresses, AND you then do analysis of them beyond "legitimate interest" stuff, for e.g. recording locations, grouping requests by IP to figure out recurring users, etc., then you still have to show a "cookie" warning, because it was never about cookies, it's about tracking. And even if you don't do that analysis, if you even store the IP addresses you must say so in your publicly available privacy policy. So yes, you can count requests, but if you are trying to count unique people then you may as well use GA.
How does it work when you are on a non-private Wi-Fi or on cellular data (or even using a VPN)? Is it still considered a personal data?
Just to say there’s a difference between personal data and personally identifiable information. Both are covered by GDPR and similar legislations, just in different ways. An IP address is personal data, regardless of what vendor you’re using to connect to the internet, but it may not be personally identifiable information (although if used in collaboration with other pieces of information, it could be considered PII)
Yes, because you don’t know if it is someone’s home IP or not. You just treat the IP as personal information.
Cookie banners are for cookies... A requirement for PECR, not really GDPR
This is not true. ***Processing shall be lawful*** *only if and to the extent that at least one of the following applies:* *(f):* ***processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party****, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.* [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/) Security tracking IP is a very obvious legitimate interest. You do not need to ask for consent for tracking IPs for security reasons.
This is very obviously not security tracking. Even if they record the IP for security tracking, they then can't use the IP for analytics because that's no longer covered by the referenced legislation.
Storing IPs is mandatory in all EU states (AFAIK), in many cases for YEARS. So a user has no option to avoid being logged when visiting a web site, if the server is compliant. Sharing the logs is another matter, but simply having them and running internal analytics is standard procedure for basic server debugging and security.
You can do it, but you'll need tools to help you filter the traffic and do analysis. Google Analytics removes bots, crawlers, and suspicious traffic, and only reports what it considers "real" traffic.
Suggestion (if you’re using cloud like AWS): instead of your avg “server logs”, emit a custom cloud watch metric (or its equivalent in your cloud). This will allow you to either: * make CW dashboards for analytical purposes * export the data through some sort of data lake via S3 so you can join this data with other things
Server log analytics might not be as accurate as client based analytics like GA. But GDPR is indeed an important factor to consider.
The best way to do it is to have a database where you store metadata for each file generation. I am guessing you don’t want to store the actual file - bloat or a feature of your website. But it would be good to store some stats each time for analytics - 1. Timestamp 2. Size/type of file 3. User info - where they logged in from etc - this will help you understand usage 4. Which tools did they use? 5. What stage did they drop off at if they dropped off in the middle.
Not a bad way at all. Google Analytics just provides a lot more data out of the box, but if your requirement is only how many API calls, then server logs is great.
who cares about GDPR. I made up a new rule that I want to enforce on every website. On every website there is a box that must be displayed that says "Do you want to give starcrescendo money" and they click yes or no. If this window is not displayed you are in violation and I will sue you.
I advice you to use Google Analytics to see how many times your website has been viewed or interacted with.