Zenovay does not use cookies for its core analytics out of the box. Cookieless mode goes one step further: it stops the tracking script from writing anything at all to the visitor's browser.
What is cookieless mode?
Zenovay is already cookieless server-side. Cookieless mode is a per-website setting that prevents the tracking script from writing any cookies or localStorage on the visitor's device. In this mode the script uses in-memory identifiers that exist only for the current page and disappear when the page unloads.
New websites are created with cookieless mode switched on, so by default the script writes nothing to the browser. You can turn it off per website if you'd rather use a visitor cookie for more accurate returning-visitor counts (which then takes on a consent obligation).
This is the strictest client-side privacy setting Zenovay offers.
Trade-off: because nothing is stored in the browser, returning-visitor recognition drops (roughly 10-15%). The same person visiting twice is more likely to be counted as two new visitors.
Checking or enabling cookieless mode
Cookieless mode is controlled per website, from that website's settings. New websites already have it on; these steps let you confirm it or turn it on for an existing site.
Open your website's settings
Go to Domains, open the website you want to configure, then open its Settings and select the Advanced tab.
Toggle cookieless mode on
Find Zero Client-Side Storage Mode and switch it on.
Copy the updated snippet
Zenovay automatically adds
data-cookieless="true"to your install snippet. Replace your existing snippet on the site with the updated one (see below).
Script tag
With cookieless mode on, your install snippet carries the data-cookieless attribute:
<script
defer
data-tracking-code="YOUR_TRACKING_CODE"
data-cookieless="true"
src="https://api.zenovay.com/z.js"
></script>
The on/off switch for cookieless mode is the per-website setting above, which the script reads on every load. The data-cookieless="true" attribute applies that setting immediately on the very first hit, before the script has fetched your settings, so no storage is written even briefly. If the website setting is on but the attribute is missing, the script still runs cookieless once settings load; adding the attribute just makes it enforce from the first request.
Note: Zenovay respects Do Not Track (DNT) and Global Privacy Control (GPC) by default. No attribute is needed for that. Use
data-ignore-dnt="true"only if you need to override those signals and track anyway.
What changes in cookieless mode
| Behavior | Cookieless off | Cookieless on (default) |
|---|---|---|
| Page view tracking | Yes | Yes |
| Event tracking | Yes | Yes |
| Cookies / localStorage written | A visitor cookie is set for return detection | None |
| Visitor identifier | Persisted across the session | In-memory, page-scoped only |
| Returning visitor detection | Yes | Reduced (~10-15% fewer recognized) |
Page views, events, traffic sources, device and browser data, and country-level geography are all still collected. The main thing you give up is reliable returning-visitor and cross-page session continuity, because there is no browser-side identifier to tie visits together.
When to use cookieless mode
A good fit for
- Sites that want to avoid browser storage entirely
- Privacy-sensitive industries (healthcare, legal, government)
- Teams that prefer the strictest possible client-side footprint
Less ideal for
- Sites that depend heavily on accurate returning-visitor counts
- Multi-page journey analysis where session continuity matters
If you are unsure, you can turn cookieless mode on, watch your returning-visitor numbers for a week, and turn it back off if the trade-off isn't worth it for your site.
Respecting Do Not Track and Global Privacy Control
Zenovay honors both Do Not Track (DNT) and Global Privacy Control (GPC) automatically, independent of cookieless mode.
- When a visitor's browser sends a GPC signal (
navigator.globalPrivacyControl === true), the tracker stops tracking that visitor. - When a visitor's browser sends a DNT signal (
navigator.doNotTrack === "1"), the tracker stops tracking that visitor.
No attribute is required for either. If you have a specific, lawful reason to track despite these signals, you can override them:
<script
defer
data-tracking-code="YOUR_TRACKING_CODE"
data-ignore-dnt="true"
src="https://api.zenovay.com/z.js"
></script>
data-ignore-dnt="true" overrides both the DNT and GPC checks in the script. Use it deliberately.
Loading tracking only after consent
If you use a consent banner and only want to load analytics after the visitor agrees, load the script conditionally:
// Only load tracking after consent is granted
function handleConsent(granted) {
if (granted) {
const script = document.createElement('script');
script.defer = true;
script.src = 'https://api.zenovay.com/z.js';
script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
document.head.appendChild(script);
}
}
You can combine this with cookieless mode by also setting data-cookieless="true" on the injected script.
Legal context
Cookieless mode reduces what Zenovay writes to a visitor's device, which can simplify your compliance posture:
- ePrivacy / cookie rules: rules that hinge on storing or reading information on a device have less surface area when no cookies or
localStorageare written. - GDPR / CCPA: less persistent identification on the device means a smaller data footprint.
Cookieless mode is a technical control, not legal advice. Whether you still need a consent banner depends on your jurisdiction, the rest of your stack, and how you use the data. Review your setup with your own legal or privacy advisor, and describe your analytics accurately in your privacy policy.
Troubleshooting
Returning visitors look lower than before
This is expected in cookieless mode. With no browser-side identifier, repeat visits are harder to link, so unique-visitor counts trend higher and returning-visitor counts trend lower. It's a trade-off, not a bug.
Verify DNT / GPC in the browser
You can check the signals the visitor's browser is sending from the console:
console.log('DNT:', navigator.doNotTrack);
console.log('GPC:', navigator.globalPrivacyControl);
If either is set and you have not added data-ignore-dnt="true", the tracker will not record that visit.