Skip to content

Privacy

Jump to bottom
Akayashuu edited this page Jun 19, 2026 · 2 revisions

Privacy

Privacy protection is built into the core of Takt, not bolted on afterwards. No cookie, no persistent identifier, no personal data leaves the browser. Visitors have nothing to accept.

When an event is not sent

Before any send, Takt checks four conditions in this order. If any is true, the event is silently dropped:

  • 1. Visitor opt-out — The visitor declined measurement: localStorage contains takt_ignore = '1'.
  • 2. Do Not Track — The browser sends the DNT header and respectDnt is on (default; turn it off with data-respect-dnt="false" or respectDnt: false).
  • 3. Localhost / private IP — The host is local or on a private network (localhost, ::1, 0.0.0.0, *.local, 127.*, 10.*, 192.168.*, 172.16–31.*) and excludeLocalhost is on (default).
  • 4. SamplingsampleRate (or data-sample-rate) is below 1 and this event falls outside the kept fraction.

The opt-out, DNT and localhost guardrails are on by default. In local development, nothing is reported: that's intentional, not a bug.

Giving control to the visitor

You can expose a "Don't track me" button that drives the opt-out. The choice is written to localStorage (key takt_ignore), so it persists across visits on this browser.

In an npm integration, use the dedicated functions:

import { optOut, optIn } from '@vskstudio/takt-core'

optOut() // sets takt_ignore='1' — no event is sent anymore
optIn()  // removes the flag — resumes tracking

On the snippet (CDN) side, the global window.takt only exposes track. So drive the opt-out directly via localStorage — the snippet reads this key before each send:

function toggleTracking() {
  if (localStorage.getItem('takt_ignore') === '1') {
    localStorage.removeItem('takt_ignore') // opt-in
  } else {
    localStorage.setItem('takt_ignore', '1') // opt-out
  }
}

URL scrubbing

By default, Takt strips the query string and hash from every URL before sending — the page URL, the referrer and outbound link destinations keep only origin + path. A token, email or identifier slipped into ?... or #... therefore never reaches analytics.

You can tune this: trackQuery keeps the whole query, queryParams keeps only an allowlist, and scrubUrl replaces the logic with your own function (npm). On the snippet, use data-track-query or data-query-params for the same effect.

What Takt does not collect

  • No cookie and no session-identifier storage.
  • No IP address kept on the client, no browser fingerprinting.
  • No query string or hash in URLs (stripped by default).
  • No personal data: keep your props anonymous and low-cardinality.

Because no personal data is processed, Takt integrates without a consent banner in most jurisdictions. Always check your own legal context.

Source: github.com/vskstudio/takt-core · npm @vskstudio/takt-core

Takt — @vskstudio/takt-core

React · Vue · Svelte wrappers: see the docs site.

Clone this wiki locally