Analytics Transparency

Last updated: July 9, 2026

Almost every hosting company promises they respect your privacy. Very few tell you what their analytics actually do. This page tells you.

Short version

We run two analytics tools on our own infrastructure. Neither uses cookies. Neither tracks you across sites. Neither shares data with any third party. If you visit candorhost.com, we see roughly the same thing your ISP does — that a browser fetched a page. We do not know who you are.

The tools we run

Server logs, rendered by GoAccess

Every web server writes a line to a log file for every request it receives. This is standard practice going back to the 1990s and is how you tell whether your website is working. On Candor Host, those logs are read by GoAccess, an open-source log analyzer that runs on our server, on our metal, in Vint Hill, Virginia.

What it sees:

  • The URL you requested.
  • The referring URL (if your browser sent one — many now strip this by default).
  • Your user agent string (browser, OS).
  • Your approximate country and region (derived from your IP address).
  • The HTTP status code we returned (200 OK, 404 not found, etc.).
  • The size of the response in bytes.
  • The time of the request.

What it does not see:

  • No cookies. No JavaScript runs on your browser for this tool.
  • No fingerprinting.
  • No form field content.
  • No account information.
  • Your full IP address is anonymized to a /24 (v4) or /64 (v6) block after geolocation. We do not retain your precise IP.

Where the data lives:

  • The log file itself is on our web server. Standard Nginx log rotation retains 7 days.
  • The rendered dashboard is on a private URL, protected by HTTP basic auth, accessible only to Candor Host staff.
  • Nothing leaves web1.

Umami, for pageview counts and referrers

We run Umami, an open-source, cookie-free web analytics platform, on our own infrastructure. When you visit a page on candorhost.com, a tiny JavaScript file loads from analytics.candorhost.com and reports a single pageview event.

What it sees:

  • The URL of the page you visited.
  • The referring URL you came from.
  • Your screen size.
  • Your browser and OS.
  • Your approximate country (derived from IP; the IP itself is not stored).
  • The time of the visit.
  • Any UTM parameters in the URL (so we can tell which of our own social posts, emails, or ad campaigns worked).
  • Custom events we define — e.g., a click on the pricing CTA.

What it does not see:

  • No cookies of any kind. Verify this by opening your browser's dev tools while on candorhost.com.
  • No cross-site tracking. Umami has no ability to link a visit here to your activity on any other site.
  • No persistent user identifier. Each pageview is anonymous.
  • No IP address storage.
  • No fingerprinting.

Where the data lives:

  • The Umami database runs in a container on web1. The data does not leave our infrastructure.
  • Only Candor Host staff can access the Umami dashboard.

What we also use, hosted by others

Google Search Console

We register candorhost.com with Google Search Console so we can see which search queries lead to our site, what our position is on results pages, and which pages Google has indexed. Search Console runs on Google's servers. It shows us aggregate query data (e.g., "37 people searched for 'siteground alternative' and clicked our page"). It does not reveal who searched.

Bing Webmaster Tools

Same as above for Bing, DuckDuckGo, and ChatGPT-search results.

Neither Search Console nor Bing Webmaster requires us to add tracking code to candorhost.com. They only need us to verify domain ownership.

What we do not use

  • Google Analytics. Uses cookies, tracks visitors across sites, requires a cookie banner in most jurisdictions. Blocked by our privacy policy.
  • Facebook Pixel, Twitter Pixel, LinkedIn Insight Tag. Retargeting infrastructure. We don't run retargeted ads and we have no reason to install them.
  • Hotjar, FullStory, Mouseflow, or any session recording tool. These record your mouse movements, clicks, scrolls, and can capture form data. We consider this invasive and don't use it.
  • Any third-party heat-mapping, A/B testing, or personalization tool that requires cookies or persistent identifiers.

What we log for security, separately

Standard access logs are retained for 90 days for security investigations, as noted in Section 10 of our Privacy Policy. This is separate from analytics — it's how we investigate abuse reports and DDoS incidents. Log-format identical to what GoAccess reads.

Do Not Track and Global Privacy Control

Because we do not track visitors across third-party sites, DNT and GPC signals do not change what we collect. We follow the same practices for every visitor.

How to see what we see

You can inspect exactly what Umami sends by opening your browser's dev tools, going to the Network tab, and reloading candorhost.com. Look for the request to analytics.candorhost.com/api/send. The payload is a JSON object showing exactly what we recorded for your visit — no cookies attached, no persistent ID, just the pageview data described above.

We think you should be able to do this on any hosting company's website. Not many make it easy.

Contact

Questions about what we track? Email legal@candorhost.com.