---
title: "GDPR and cookieless tracking"
description: "How XPmetric tracks visitors without cookies, consent banners, or cross-site identifiers on your site."
source: "https://xpmetric.com/docs/gdpr-cookieless"
---
XPmetric is designed so **your site's visitors** don't need cookie banners for analytics. This page explains how tracking works on sites you instrument with `p.js`.

For XPmetric's own legal terms, see the [Privacy Policy](/privacy).

## No cookies on your tracked site

The `p.js` tracking script:

- Sets **no cookies** on your domain
- Uses **no cross-site identifiers**
- Does **not** fingerprint across websites

Visitor identity on your site is a **hashed fingerprint** derived from browser signals. The hash **rotates daily** so XPmetric cannot build long-term individual profiles.

## No raw IP storage

IP addresses are used only for country/city geolocation at ingest time and are **not stored** in analytics tables.

## What you collect as site owner

Per pageview, XPmetric stores:

- Page URL and path
- Referrer and UTM parameters
- Device type, browser, OS
- Country and city (from geoip)
- Custom events you explicitly fire

You are the data controller for your visitors' analytics. XPmetric processes this data on your behalf as a processor — see our [Privacy Policy](/privacy) and [Terms](/terms).

## GDPR rights

Your visitors can exercise rights through you as the site owner. XPmetric account holders can export or delete their own account data from **Settings**.

## Do I need a cookie banner?

**For XPmetric analytics alone — no.** You may still need consent for other tools (ads, embedded widgets, other analytics). XPmetric replaces GA4 without adding consent friction for analytics.

## Related

- [Get started](/docs/getting-started) — install the tracker
- [Privacy Policy](/privacy) — legal terms for XPmetric the service
