Hey HN — I built Respectlytics because I was frustrated that every mobile analytics SDK quietly collects device IDs, ad identifiers, and IP addresses, then makes you retroactively figure out compliance.

There are some solutions out there claiming that they are compliant with certain privacy regulations but when I dig into it, I observe that they actually are not that compliant as they claim to be. I believe Respectlytics is one of the most (if not the most) privacy focused mobile analytics solutions out there but compliance is a huge topic and I leave the decision to the legal teams/advisors of users/companies.

Instead of the "trust me bro" motto, I decided to make Respectlytics totally open-source so that people do not need to trust my word, they can verify it in the code itself.

The idea of Respectlytics builds upon Return of Avoidance (ROA) which relies on data minimization in analytics data collection: What if you just... didn't collect that data in the first place?

Respectlytics stores exactly 5 fields per event: event_name, session_id, timestamp, platform, and country. That's it. IP addresses are used transiently for country lookup and immediately discarded. Session IDs rotate latest every 2 hours (or every app start) and live only in RAM — never written to disk. Multi-session tracking is architecturally disabled.

What's open source:

4 mobile SDKs (Swift, Flutter, React Native, Kotlin) — MIT licensed Analytics server (Django + PostgreSQL) — AGPL-3.0 Self-hosting is simple: docker compose up -d. No ClickHouse, no Kafka, no Redis. Just PostgreSQL.

There's also a managed SaaS if people don't want to run infrastructure, but the self-hosted Community Edition has no artificial limits.

I'd love feedback on the architecture decisions — especially the choice to reject extra fields at the API level rather than just ignoring them silently.