🩺 Vitals
- 📦 Version: v3.1.0 (Released 2026-04-16)
- 🚀 Velocity: Active (Last commit 2026-05-04)
- 🌟 Community: 36.5k Stars · 7.0k Forks
- 🐞 Backlog: 128 Open Issues
🏗️ Profile
- Official: umami.is
- Source: github.com/umami-software/umami
- License: MIT
- Deployment: Docker | SaaS
- Data Model: PostgreSQL / MySQL
- Jurisdiction: USA 🇺🇸 (Umami Software, Inc. — Delaware / San Francisco)
- Compliance (SaaS): GDPR Ready (CCPA — architectural, no formal audit)
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: Low (2/5) - Single container + database; ~2kb tracking script
- Maintenance: Low (2/5) - Modern Next.js stack; minimal operational overhead
- Enterprise Ready: High (4/5) - Unlimited sites, events, and team members in self-hosted; Cloud tiers gate team collaboration and SLAs
1. The Executive Summary
What is it? Umami is an open-source web analytics platform built by Umami Software, Inc. (Delaware/San Francisco). Its defining architectural decision is the elimination of cookies and PII collection — visitor data is anonymised at the point of capture, removing the consent banner requirement under GDPR and CCPA and eliminating the 30–50% traffic undercounting that cookie-consent-dependent tools produce. The MIT-licensed self-hosted deployment stores all analytics events in the operator's own PostgreSQL or MySQL database with no feature gating. The managed Umami Cloud offers US and EU (Germany) hosting regions.
The Strategic Verdict:
- 🔴 For Ad-Tech and Retargeting Workflows: Not a fit. Umami does not track user identity or cross-site behaviour — integrations with Google Ads retargeting audiences or Lookalike campaigns require GA4 or a dedicated CDP.
- 🟢 For Accurate, Compliant Traffic Measurement: Strong Buy. Cookie-less architecture captures 100% of traffic regardless of ad blocker or consent tool configuration. For EU-regulated organisations, the absence of PII collection removes the legal basis complexity that makes GA4 a liability under GDPR enforcement.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Google Analytics (SaaS) | Umami (Self-Hosted) |
|---|---|---|
| Licence Fee | $0 (data is the product) | $0 (MIT) |
| Data Accuracy | 30–50% loss (consent/blockers) | 100% capture (cookie-less) |
| GDPR Liability | High (US data transfer risk) | Eliminated (no PII collected) |
| Data Ownership | Google-managed | 100% sovereign |
| Consent Banner | Required | Not required |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: A single Docker container backed by PostgreSQL or MySQL. The tracking script is approximately 2kb — negligible page weight impact. Alternatively, Umami can be deployed to Vercel or any Node.js-compatible serverless platform in under ten minutes. Self-hosted deployments have no event limits, no website limits, and no team member restrictions.
- Scalability: PostgreSQL-backed deployments handle millions of monthly events efficiently. For high-traffic properties, horizontal scaling is supported via connection pooling; the stateless Next.js application layer scales independently of the database.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & CLOUD Act (USA 🇺🇸): Umami Software, Inc. is a Delaware C-Corp headquartered in San Francisco — full US CLOUD Act exposure for the managed Umami Cloud offering. The Cloud service offers EU data residency via a Germany-hosted region, which eliminates CLOUD Act exposure for European operators requiring EU-only data processing. Self-hosted deployments eliminate Umami's data holding entirely; all analytics events reside in the operator's own database infrastructure.
- The Compliance Shift: Umami's GDPR and CCPA posture is architectural rather than certification-based — cookie-less tracking with no PII collection removes the consent banner requirement and significantly reduces data controller obligations under both frameworks. No SOC 2 or ISO 27001 audits have been published; for regulated environments requiring third-party attestation, this gap must be addressed through infrastructure-level compensating controls. For self-hosted instances, database encryption at rest, network access controls, and log retention policies are the operator's responsibility; the cookie-less anonymisation is inherited automatically from the application layer.
- License Risk (MIT — Maximally Permissive; No Open-Core): The MIT licence imposes no copyleft requirements, no network use clauses, and no commercial use restrictions. All functional capabilities — unlimited websites, unlimited events, team members, and custom data retention periods — are available in the self-hosted deployment at no cost. There is no open-core model; Umami Cloud sells managed hosting and SLA convenience, not unlocked analytical features.
4. Market Landscape
🏢 Proprietary Incumbents
- Google Analytics (GA4): The dominant free web analytics platform — effectively free because visitor behaviour data feeds Google's advertising intelligence. For organisations with GDPR exposure or data sovereignty requirements, GA4's US data transfer obligations and PII collection model are the primary migration drivers to Umami.
- Mixpanel: The product analytics and event-tracking incumbent for SaaS teams. Per-seat pricing and event volume limits apply at scale; all behavioural data resides in Mixpanel's cloud. Umami covers the web traffic measurement layer; teams requiring deep funnel analysis and user-level product telemetry will evaluate Mixpanel and Umami as complementary rather than competing tools.
🤝 Open Source Ecosystem
- Matomo: The established privacy-focused web analytics platform — feature parity with GA4, including goal tracking, e-commerce reporting, and session recordings. Preferred when full GA4 feature equivalence is required; Umami is the choice when simplicity and zero-configuration compliance are the priority.
- PostHog: The standard for product-led growth and behavioural analytics — session replay, feature flags, A/B testing, and funnel analysis in a single platform. Complementary to Umami rather than a direct replacement; PostHog covers product telemetry where Umami covers traffic measurement.