What we collect

Panelbear doesn't collect any personal data and does not use tracking cookies.

We do not track people across websites and all session data is isolated per website. This means that the same visitor will seem like a completely different one on each site.

Even though privacy regulations are constantly changing, we’re constantly adapting to remain compliant with them, this includes GDPR, PECR and CCPA. Additionally anything we collect is safely stored within the EU, which simplifies data storage both legally and infrastructure-wise.

One of our top concerns is keeping your data safe. Data is always encrypted, both while on transit and at rest. We have automated vulnerability scanning, and frequent security reviews. You can read more about our security practices here.

Data collected

Our analytics script only collects the information listed below.

Property/Site ID

This is the unique identifier for your web property. We use this to associate the incoming data with your website. This ID is not bound to a single website, giving you flexibility in case you change domain names or have multiple ones for the same website.


We collect the hostname for which the analytics events triggered, for example: blog.panelbear.com.


This is the path to the page being visited. For security and privacy reasons we do not include the query string or hash fragment. For example the page "/profile?id=1187&name=Eve" will be cleaned and stored as /profile.


The page referrer tells you how did the visitor arrive to the current page. For security purposes it is not always included by the browser and we sanitize it further to not include query params or the hash fragment.


Used to determine the campaign source. It can be set in the URL by using one of the common query params: ref, source or utm_source. For example utm_source=newsletter.


The campaign query param is used to identify a specific product promotion or campaign, for example utm_campaign=summer_sale.


The medium query param is used to identify the medium by which the visitor was referred, for example utm_medium=email.

Browser Family

We derive the browser family from the user agent, for example Safari. It's important to note that we do not store the raw user agent.

Device Type

We derive the device type from the user agent, for example Mobile.

Operating System

We derive the OS family from the user agent, for example iOS.

Screen dimensions

We collect the width and the height of the device used to display your content, for example 800x400. It's rounded to the nearest 100th pixel as part of the anonymization process.


We use timestamps to be able to provide you the dashboards and visualizations on Panelbear. Without them you wouldn't be able know how your site performs over time.

Page load time

The page load time provides you insights into how fast your site loads across different countries, devices and pages. It is measured using standard browser API's, if available, and stored up to millisecond precision. For example 248ms.


We derive the visitor's country from the request IP as a ISO 3166-1 Alpha-2 code. For example Germany will stored as DE. We do not store any location information more granular than the country.

Preferred language

The preferred language as reported by the visitor's browser. For example en-US.


The timezone as reported by the visitor's browser. For example America/Costa_Rica.

Connection speed

The effective connection speed of the user's device. This helps you understand the strain your website might put on their data volume or how long it might take to load on their device. The collected metric is determined using a combination of recently observed round-trip time and downlink values, as reported by the browser. Some examples are slow-2g, 2g, 3g, and 4g.

How do you count sessions?

We use self-expiring session IDs to provide you with various useful insights such as: unique visitors, session duration, bounce rate, among others. These sessions expire after 30 minutes of inactivity or 24 hours, whichever happens first.

To be able to group together events made by the same visitor, this feature requires some form of temporary association between the visitor and the session data it generates. For this, we anonymize all incoming data as soon as it reaches our servers and use self-expiring cryptographic tokens to make it practically impossible for anyone to pinpoint which visitor generated the session data. This means not even Panelbear is able to trace back the data back to an individual.

Unlike many other analytics providers, we don't store long term browser fingerprints or user hashes as session identifiers. Our session IDs encode zero personal information in them, making them useless in the rare event of a data leak. Additionally the session data has been carefully stripped out of the personal data it might carry.

Do you store IP addresses or cookies?

We do not store raw IP addresses as part of the visitor session data, and we don't use tracking cookies.

That said, you should be aware that requests to any website automatically include an Internet Protocol (IP) address in the request headers, this is how the internet works and it's not particular to us.

Just like any other website that takes security seriously, we do use IP addresses to prevent abuse using rate-limiting and to power many other security features which protect our customers and also their visitors, this includes but is not limited to temporary access logs and active logged in session verification. Additionally IP addresses are used to derive other highly anonymized data such as the visitor's country and as part of our anonymous session tracking mechanism.

To clarify, we do not store raw IP addresses for purposes other than security and prevent abuse, and they are in no way stored longer than necessary. We do not sell or share this data with any third-party.