Analytics Without Cookies

Why no cookies?

The ePrivacy Directive (and its national implementations like PECR in the UK) requires explicit consent before storing or accessing information on a user's device. This means any analytics tool that uses cookies — even first-party cookies — triggers the consent requirement and needs a cookie banner.

With VulpaSoft, this requirement is eliminated. We store nothing on the user's device: no cookies, no localStorage, no sessionStorage, no IndexedDB, no fingerprinting tokens.

How sessions are identified

Instead of persistent cookies, VulpaSoft uses a daily-rotating SHA-256 hash to group page views into sessions. The hash is computed server-side from non-identifying request attributes (IP + User-Agent) combined with a salt that rotates every 24 hours.

This means: the same visitor on the same day produces the same session hash (allowing us to group their page views), but the next day they get a completely new hash. There is no way to track a visitor across days, and the hash cannot be reversed to recover the original IP address.

What this means for your data

Cookie-free vs fingerprinting

Cookie-free does not mean fingerprinting. VulpaSoft does not collect device characteristics (screen resolution, installed fonts, WebGL renderer, etc.) to create a persistent identifier. Our daily-rotating hash is deliberately designed to prevent cross-session tracking, which is the opposite of what fingerprinting achieves.