Build web products without cookie banners.
An opinionated, evidence-rated reference for the privacy-first developer stack. Every tool recommendation is production-tested. Every legal claim is sourced. The site itself is the reference implementation.
Guides
The Legal Foundation
Six conditions that eliminate cookie banners under GDPR and ePrivacy law. Evidence-based legal framework covering EU regulations, DPA interpretations, and global applicability including CCPA, LGPD, and emerging standards.
Validated
02 Analytics Without Cookies
Detailed comparison of cookieless analytics platforms. How daily-rotating IP+UA hash visitor counting works, what you lose versus GA4, what you gain, and when to choose Plausible vs Fathom vs Matomo. CNIL compliance framework.
Validated
03 The Performance Dividend
Quantified benefits of eliminating tracking scripts and consent banners. HTTP Archive data on JavaScript overhead, impact on Core Web Vitals (LCP, INP, CLS), self-hosted fonts optimization. The compounding performance cycle.
Validated
04 Third-Party Elimination
Practical techniques for eliminating third-party dependencies without sacrificing functionality. Self-hosted fonts, facade patterns for embedded content, bot protection without external tracking, and WebAuthn-based authentication. Every external resource is simultaneously a GDPR liability and a performance hit.
Supported
06 The Framework Stack
Complete stack architecture for privacy-respecting web applications. Why Astro for content, SvelteKit for applications, Cloudflare Pages for hosting, security headers with CSP, and the rationale for each choice.
Supported
Recommended Toolkit
The Privacy-First Stack
Every tool below meets the six conditions. Production-ready as of March 2026.
Cookieless, <1KB script, EU-hosted cloud or self-host. Funnels, goals, UTM attribution.
SaaS with intelligent EU data routing. Unlimited retention. Strong ecommerce integrations.
Free, invisible bot protection. Proof-of-work + behavioral analysis. No Google data sharing.
Zero external calls. Proof-of-work with Argon2/Scrypt. GDPR/CCPA/PIPL compliant by design.
Island architecture. Content Collections with Zod validation. Ships zero client JS by default.
Static + edge SSR. Free tier. Workers for edge compute. WAF for security. Web Analytics included.
About this site
Privacy Stack is itself the reference implementation
This site practices what it documents. It runs on Astro, deploys to Cloudflare Pages, uses no cookies, and loads no third-party resources.
Every claim is evidence-rated. Where the evidence is strong, we say so. Where it's thin or speculative, we say that too. The research behind this site synthesizes 160+ sources across three AI models, with 60 fact-checked claims.
About evidence ratings
Validated — Confirmed through multiple independent sources, empirical data, or legal precedent.
Supported — Backed by moderate evidence; architecturally sound but not yet broadly tested.
Emerging — Early-stage evidence; promising direction but unproven at scale.
Forward-looking — Based on announced protocols or trends; speculative but directionally grounded.
Built by Narain. Research conducted March 2026.