HowManyVisitors

How it works

…and how we don't track you. The whole story, in plain English.

  1. 1

    The image is the call

    A visitor's browser fetches the counter SVG. That one request is the visit. With the basic embed there's no JavaScript at all — no beacon, no XHR, nothing to audit. (The optional JS embeds run one short line; see step 5.)

  2. 2

    The worker

    The server enqueues a background job and returns the SVG immediately. A separate worker parses the User-Agent into browser/OS/device buckets, finds the city from the IP, computes the daily visitor hash, and writes one row. The raw IP and full User-Agent are used once, in memory, and never stored. Not your email, not a fingerprint — nothing that picks you out of a lineup.

  3. 3

    The visitor hash

    Counting daily uniques needs an ID that's:

    • deterministic within a day
    • unrelated across days
    • sealed per site
    SHA-256(daily_salt + site_id + ip + user_agent)

    A fresh 256-bit salt is generated at 00:00 UTC each day. The hash is one-way, so no hash reverses to an IP. After midnight, even we couldn't link today's visitors to yesterday's if we wanted to. And because the site ID is in the hash, visiting two HowManyVisitors-equipped sites produces two mathematically unrelated IDs — cross-site tracking is impossible by construction.

  4. 4

    The aggregates

    Pageviews and uniques increment atomically on every visit. Breakdowns recompute nightly from raw visits, which are kept 30 days. Aggregates persist forever, so all-time stats never disappear — but they're just numbers: "12 visitors from Berlin," never who.

  5. 5

    The embeds — and the JavaScript question

    Pure static —
    a plain <img>. Zero JavaScript runs on your visitor's machine. Works in RSS, email, AMP, text browsers.
    JS-enhanced —
    runs one short line of inline JavaScript on your page — the snippet box shows you every character of it. It checks navigator.doNotTrack and navigator.globalPrivacyControl first and counts nothing if either is on; otherwise it adds the page path and referrer to the image URL. That's all the JavaScript does. No cookies, no localStorage, no fingerprinting — with or without it.
    Invisible —
    the same one-liner, rendering a 1×1 transparent SVG instead of the counter.

DNT, GPC, GDPR, CCPA — all respected

No cookies, no localStorage, no PII, no cross-site identifiers — so there's nothing requiring consent under standard interpretations of GDPR/CCPA. The JS embeds honor Do Not Track and Global Privacy Control; the static embed has no code to opt out of in the first place.

No legal review needed. No cookie banner. Just drop in the snippet. The number goes up.

Get your counter →