Visitor Geolocation for Analytics — Without the Cookie Banner

Get country, region, city, ISP, and device context from the server — before any JS runs, before any cookie is set.

Privacy-first analytics is the new default. Plausible, Umami, Fathom, PostHog self-hosted — they all avoid third-party cookies. But they still need to answer one question your product manager asks every Monday: “Where are our users?” IP geolocation answers that at the server, with no tracking pixels and no banner.

The business problem

Traditional analytics used third-party cookies + GeoIP databases shipped with the client. GDPR, PECR, and ITP killed that pattern:

• Client-side GeoIP DBs (Maxmind-in-browser) leak the full user IP into your page source.
• Cookie-based analytics need a consent banner, which 15–40% of users reject.
• Self-hosted analytics tools often claim no-cookie but can’t tell you where the visitor is.

IP geolocation at the server returns country / region / city / ISP / timezone from the IP alone — no fingerprinting, no cookie, no consent banner needed (recital-free processing under GDPR Art. 6(1)(f) legitimate interest, because the IP is a transient network identifier, not stored with personal data).

Implementation

Server-side logging (append to every page-view event)

// Express / Fastify middleware
import { ipgeoLookup } from "./lib/ipgeo.js";

app.use(async (req, res, next) => {
  const ip = req.ip;
  const geo = await ipgeoLookup(ip);

  // Log the event; drop IP after lookup to stay consent-free
  analytics.track("pageview", {
    path: req.path,
    country: geo.country_code,
    region: geo.region,
    city: geo.city,
    asn: geo.asn,
    is_mobile_network: geo.connection_type === "mobile",
    timestamp: Date.now()
    // NOTE: no raw IP stored → no personal data under most GDPR interpretations
  });
  next();
});

Plausible / PostHog enrichment

If you self-host Plausible or PostHog, swap their bundled MaxMind DB for a lookup call:

// Plausible plugin (or any custom ingestion endpoint)
export async function enrichEvent(event) {
  const geo = await ipgeoLookup(event.ip);
  return {
    ...event,
    country_code: geo.country_code,
    region: geo.region,
    city: geo.city,
    isp: geo.org,
    is_eu: geo.is_eu,
    timezone: geo.timezone
  };
}

Batch enrichment (historic log backfill)

# Pipe a CSV of IPs into our batch endpoint (100 per call)
jq -c '{ips: .}' ips.json \
  | curl -X POST https://api.ipgeo.10b.app/v1/lookup/batch \
    -H "Authorization: Bearer $IPGEO_API_KEY" \
    -H "Content-Type: application/json" \
    -d @-

Useful for enriching archived server logs, S3 access logs, or Cloudflare logpush output.

Why IP Geo API for this use case

• One call = 20+ analytic dimensions. Country, country-code, region, region-code, city, zip, lat, lon, timezone, currency, calling-code, languages, is_eu, continent, asn, org, connection_type.
• No bundled MaxMind DB = no ops. No weekly download, no database deploys, no version drift between your staging and prod.
• EU-processed lookups. All requests handled on Hetzner Nürnberg; no US processor, no SCC paperwork.
• Batch endpoint (100 IPs per call) — ~100× cheaper than individual calls for log-enrichment jobs.
• Under 40 ms median latency — doesn’t add tail-latency to page-view logging.

Pricing math

For most analytics deployments, you cache lookups for 1+ hours per IP, so the cost scales with unique IPs, not page-views.

A blog with 300 K monthly unique visitors → € 0 (free tier, assuming aggressive caching). A high-traffic media site with 5 M uniques → € 99.

Honest trade-offs

• City accuracy is 60–85%, not 100%. IP-to-city maps are derived from public registries and traceroute data — they’re excellent at country, good at region, okay at city, and never at street-level. Don’t make product decisions that rely on city precision.
• Mobile carriers often geolocate to a central POP. Dutch KPN mobile IPs often report “Amsterdam” regardless of where the user actually is. Treat mobile IPs as “country-only accurate”.
• Corporate proxies collapse all employees to one location. If you’re a B2B SaaS and ACME Corp’s office VPN is in London, all ACME users look like London. That’s either a feature (company-level segmentation) or a bug (personal location) — know which you need.

Privacy note

IP geolocation without storing the raw IP past the lookup is widely considered pseudonymous processing under GDPR. Best practice:

1. Look up the IP on request.
2. Store only the aggregated dimensions (country, region, city).
3. Drop the raw IP before the event reaches your warehouse.

This removes the “personal data” classification for the stored event and simplifies your privacy policy.

Related use cases

• Geo-personalization — ./geo-personalization.md
• Geo-pricing — ./geo-pricing.md
• Compliance — ./geoblocking-compliance.md

Read also

Five narrative deep-dives comparing IP Geo API to the providers most often shortlisted in the IP-geolocation market:

• IP Geo API vs ipinfo.io in 2026: When the EU Alternative Wins (and When It Doesn’t) → — code-level migration sketch + 2026 pricing math at 100K / 1M / 10M req/mo.
• IP Geo API vs MaxMind in 2026: SaaS vs DB Download — Which Stack Wins? → — when GeoIP2 binary still wins, when EU-hosted SaaS wins, and how the math changes at 1M+ req/mo.
• IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question → — why HTTP-only free tiers break browser-side calls, bundled threat-detection vs add-on Security Module.
• IP Geo API vs ipapi.co in 2026: Free-Tier Generosity vs Predictable Latency → — how the bundled-everything pricing model plays out at 100K / 1M req/mo.
• IP Geo API vs ipgeolocation.io in 2026: Bundled Endpoints, Bundled Threat-Detection, and the EU-Residency Question → — separately-priced Security API vs bundled threat block, USD vs EUR billing, ~600B vs ~1.4KB payload.
• IP Geo API vs IP2Location in 2026: REST-First vs Database-Download — Which Model Wins for Your Stack? → — REST-only managed API vs annual BIN/CSV/MMDB licensing, IP2Proxy bundling cost, EU residency.
• IP Geo API vs DB-IP in 2026: REST-First vs DB-Download — Which EU Vendor Wins for Your Stack? → — attribution-free free tier, EU-edges-only, bundled threat detection vs per-axis subscription stack.

Plus seven hands-on migration guides for teams switching from an incumbent provider — code-level field-shape walkthroughs, edge-cache patterns, and rollback notes:

• Migrate from MaxMind GeoIP2 to IP Geo API (2026 walkthrough) → — drop the weekly .mmdb sync, swap to a REST call with the same field shape, edge-cache patterns + CSV→JSON field map.
• Migrate from ipinfo.io to IP Geo API (2026 walkthrough) → — loc-string parsing, org ASN+name regex split, and Authorization-header edge-stripping gotchas.
• Migrate from ipstack to IP Geo API (2026 walkthrough) → — HTTP→HTTPS scheme flip, security.* empty-vs-populated branch behaviour, connection.asn integer typing.
• Migrate from ipapi.co to IP Geo API (2026 walkthrough) → — per-day rate-limit fragmentation, org ASN+name regex, attribution-backlink scrub for paid-tier customers.
• Migrate from ipgeolocation.io to IP Geo API (2026 walkthrough) → — separately-billed Security API SKU consolidation, apiKey-in-URL log-leak hardening, and latitude/longitude string-vs-number gotchas.
• Migrate from IP2Location to IP Geo API (2026 walkthrough) → — BIN/CSV/MMDB-download decommission, IP2Proxy SKU consolidation, USD-annual-prepay-to-EUR-monthly billing migration, and proxy_type enum-vs-split-booleans gotchas.
• Migrate from DB-IP to IP Geo API (2026 walkthrough) → — MMDB/CSV-download decommission, IP-to-Threat / Anonymous / Datacenter SKU consolidation, CC-BY-4.0 attribution-backlink scrub, and countryCode3 ISO-3 vs ISO-2 gotchas.

Get started

Free tier: 1 000 lookups / day → /pricing. Sign up at https://ipgeo.10b.app/pricing.

Industry deep-dives

• IP Geolocation for Fintech — KYC, Sanctions Screening, Fraud, and EU Residency → — fintech-specific deep-dive: the three IP-control surfaces (KYC country-of-origin, OFAC/EU sanctions, payment-fraud risk), EU-hosted GDPR posture, EUR billing, ASN-level hosting detection, and ≤40 ms median EU-edge latency for 800-1200 ms PSP authorisation budgets.

• IP Geolocation for Ad-Tech — RTB Enrichment, SIVT/IVT Filtering, and Click-Fraud Attribution → — ad-tech-specific deep-dive: the three IP-control surfaces (RTB bid enrichment with ≤40 ms latency budget + OpenRTB 2.6 device.geo/device.ext, SIVT/IVT filtering with IAB-confirmed datacenter ASN block-list, click-fraud post-back attribution + risk scoring), EU-hosted GDPR + ePrivacy + IAB-TCF v2.2 posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for iGaming — Licence-Jurisdiction Enforcement, VPN-Circumvention Scoring, and Self-Exclusion Register Routing → — iGaming-specific deep-dive: the three IP-control surfaces (licence-jurisdiction enforcement with hard-fail-closed posture across MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, anti-circumvention scoring with residential-proxy ASN block-list covering Bright Data + Oxylabs + Smartproxy + IPRoyal, self-exclusion register routing to GamStop/CRUKS/ROFUS/Spelpaus/OASIS by IP-country), EU-hosted GDPR + EGBA posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for SaaS Monetization — Geo-Pricing, EU-VAT/DAC7 Tax-Routing, Trial-Abuse Scoring, and OFAC/EAR Export-Controls → — SaaS-specific deep-dive: the four IP-control surfaces (PPP-anchored geo-pricing with ≤40 ms checkout-flow budget, EU-VAT-MOSS + OECD DAC7 tax-routing to the right Stripe/Adyen/Braintree/Paddle tax-id, trial-abuse detection with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, and OFAC SDN + EAR export-controls feature-gating), EU-hosted GDPR posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.

• IP Geolocation for Streaming Media — Content Licensing, VPN-Bypass Defence, CDN POP Steering, and SSAI Ad-Insertion → — Streaming-media-specific deep-dive: the four IP-control surfaces (per-territory licensing enforcement with hard-fail-closed HTTP 451 on ambiguous resolve, VPN/proxy/Tor circumvention defence with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, CDN POP steering and adaptive bitrate-ladder selection across Akamai/Cloudflare/Fastly/BunnyCDN/Lumen, and SSAI ad-insertion targeting with sports blackout windows via Haversine GPS-distance), ≤40 ms session-init budget on EU edges, studio-grade 24-month audit trail, threat fields on every plan, ASN-level granularity, and EU-hosted GDPR + AVMSD (Directive 2018/1808) posture.

• IP Geolocation for E-commerce — Tax-Jurisdiction Routing, BIN-vs-IP Carding Defence, PPP-Adjusted Currency Display, and Shipping-Zone Fulfilment Routing → — E-commerce-specific deep-dive: the four IP-control surfaces (EU OSS distance-sales 27-rate map + UK VAT 20% + CH-VAT 7.7% + NO MVA 25% + US Wayfair 13-state nexus + CA GST/HST per-province + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE at checkout; BIN-vs-IP carding + refund-fraud 6-factor weighted score at place-order with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3; PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country; 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates), ≤40 ms checkout-first-paint budget, DAC7/GDPR/EU OSS audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, and Cross-Border Pharma + DEA Schedule Gating → — Healthcare-specific deep-dive: the four IP-control surfaces (cross-border telehealth licensure match at consult-init w/ US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC + HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO; HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow; EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy → fall-back to EU-FRA highest protection; cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval requirement for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom), ≤40 ms consult-init budget, HIPAA/GDPR Art. 9/Schrems II/DEA/EU FMD audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.

• IP Geolocation for Travel + Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening at Booking-Init, and GDS + EU OSS / DAC7 Reporting → — Travel/hospitality-specific deep-dive: the four IP-control surfaces (geo-rate enforcement + dynamic-pricing per booking origin w/ 8-tier pricebook T1 EU-Lux 1.00x → T8 Africa 0.75x + VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO HTTP 451 at search-render + BIN-billing-country pin at checkout; OTA carding + ATO defence at booking checkout w/ corporate-travel-platform ASN allowlist AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + 6-factor carding score threshold ≥70; OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop regardless of session residency + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury-segment AML thresholds yacht €10K / private jet €20K / villa €5K/night / heli €3K + PEP screen + source-of-funds eval; GDS + inventory routing + EU OSS / DAC7 reporting w/ Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report), ≤40 ms search-render budget, OFAC/EU CONSILIUM/UK OFSI/DAC7/EU OSS/HOTREC audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.