From HealthTech to Open Source: Building a sovereign web analytics engine in a single binary
Source: Dev.to
A year ago I was working with a HealthTech client that needed web analytics. Strict patient‑privacy laws and GDPR made Google Analytics impossible, and the usual self‑hosted open‑source options (Plausible, Umami) felt too heavy: they require managing a full stack of PostgreSQL, ClickHouse, Redis, Node.js or Elixir. I wanted enterprise‑grade performance with the simplicity of a single file.
The result is HitKeep – a privacy‑first analytics platform that runs as a single ≈12 MB Go binary. It has been ingesting millions of hits in production for that client, and the core has now been polished and open‑sourced.
Motivation & Background
- Data sovereignty is the core feature: your data never leaves your infrastructure.
- No third‑party requests from the dashboard; everything is self‑contained.
- Designed for environments where privacy and security are non‑negotiable (e.g., HealthTech).
Architecture
Storage (Embedded DuckDB)
HitKeep embeds DuckDB, a lightning‑fast columnar OLAP database that lives in a single file (hitkeep.db).
- Handles heavy aggregations far better than row‑based databases.
- Roughly 1 M raw hits occupy ~120 MB.
Ingestion (Embedded NSQ)
Synchronous writes to a columnar store cause lock contention.
- HitKeep includes an in‑memory NSQ broker.
- The HTTP handler enqueues hits in microseconds; a background consumer batches writes to DuckDB.
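The handoff described under Ingestion, as an added Go sketch that is not HitKeep's code: a bounded channel stands in for the embedded NSQ broker and a callback stands in for the DuckDB write. `Hit`, `Enqueue`, `RunBatcher` and `Demo` are hypothetical names, and the sample hits are constructed.

```go
package main

import "fmt"

// Hit is a constructed record, not HitKeep's schema.
type Hit struct{ Path string }

// Enqueue is the handler-side call. It never waits on storage; false means
// the bounded buffer was full and the hit was shed instead of blocking.
func Enqueue(q chan<- Hit, h Hit) bool {
	select {
	case q <- h:
		return true
	default:
		return false
	}
}

// RunBatcher groups queued hits into writes of at most size rows until q is
// closed. A production consumer would also flush on a timer (assumption).
func RunBatcher(q <-chan Hit, size int, flush func([]Hit)) {
	var batch []Hit
	for h := range q {
		if batch = append(batch, h); len(batch) == size {
			flush(batch)
			batch = nil
		}
	}
	if len(batch) > 0 {
		flush(batch) // write the tail on shutdown
	}
}

// Demo sends n constructed hits into a buffer of buf slots, then drains it.
// The consumer runs after the producer here only to keep the result
// deterministic; normally it runs concurrently in its own goroutine.
func Demo(n, buf, size int) (sizes []int, shed int) {
	q := make(chan Hit, buf)
	for i := 0; i < n; i++ {
		if !Enqueue(q, Hit{Path: "/constructed"}) {
			shed++
		}
	}
	close(q)
	RunBatcher(q, size, func(b []Hit) { sizes = append(sizes, len(b)) })
	return
}

func main() { fmt.Println(Demo(25, 20, 8)) }
```

The bounded buffer is the part that matters under a request flood: memory use stays capped and the handler stays fast, at the cost of shed hits that should be counted and monitored.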
Clustering (Memberlist)
For high availability, HitKeep offers native clustering via HashiCorp Memberlist (gossip protocol) for leader election.
Frontend
- The Angular dashboard and the 2 KB tracking script are compiled directly into the Go binary using embed.FS.
- No external assets or CDN dependencies.
Data Sovereignty & Security
Zero Third‑Party Requests
- The dashboard makes no outbound calls.
- Site favicons are proxied server‑side via DuckDuckGo, so dashboard users' IP addresses are not exposed to a third party.
- Fully air‑gap compatible.
WebAuthn & 2FA
- Built‑in support for hardware security keys (Passkeys/YubiKey) and TOTP (authenticator apps).
API Clients
- Bearer‑token generation for CI/CD pipelines or custom dashboards.
- All API traffic stays within your network.
Features
- Cookie‑less by default; optional respect for Do‑Not‑Track headers.
- Traffic, referrers, devices, countries.
- Custom events & conversion goals.
- Multi‑step funnels with drop‑off analysis.
- Automatic UTM campaign attribution.
- Scheduled email reports (sent via your own SMTP, no external cron).
- One‑click Takeout API: export raw data as Parquet, CSV, JSON, or NDJSON.
- Internationalized UI (English, German, Spanish, French, Italian).
Limitations & Roadmap
- No eCommerce revenue tracking.
- No cross‑device identity stitching (by design, for privacy).
- UI still needs polishing.
- Upcoming: bring‑your‑own SSO (OIDC/SAML).
Getting Started
You can self‑host HitKeep for free.
- GitHub (source & screenshots):
- Documentation:
Documentation & Community
- Full docs are available at .
- If you find the project useful, a star on GitHub is greatly appreciated.
HitKeep Cloud (Managed Option)
Prefer not to manage a server? HitKeep Cloud will offer fully managed, single‑tenant instances hosted in the EU (Frankfurt) or the US.
- Early‑access waitlist: