Docs · Reference

Script configuration

The one-line snippet works with no options. Everything below is optional — set it with a data-* attribute on the <script> tag.

Subdomain tracking

By default Statlark scopes the visitor cookie to your registrable domain (e.g. .example.com), so a visitor who lands on your marketing site and later signs up on app.example.com stays the sameperson and keeps their original attribution. It works out of the box — no configuration — and falls back to the current host if a domain can’t be resolved.

<!-- Default: the visitor cookie is scoped to your registrable domain, so a
     visitor who moves from www.example.com to app.example.com stays one person. -->
<script defer src="https://statlark.com/script.js" data-website-id="sl_xxxx"></script>

<!-- Force an explicit cookie domain, or "none" to opt out (host-only). -->
<script defer src="…" data-website-id="sl_xxxx" data-cookie-domain=".example.com"></script>

Set data-cookie-domain to pin an explicit domain, or to none to opt out and keep the cookie host-only. Once you track across subdomains, a Subdomains breakdown appears on the Visitors tab.

All options

  • data-website-id — your site id (sl_…). Required.
  • data-api — a custom collector endpoint (for a first-party proxy).
  • data-cookie-domain — cookie scope: unset = auto (registrable domain), an explicit domain, or none for host-only.
  • data-allow-localhost (set to true) —count visits from localhost and private hosts (off by default).
  • data-honor-dnt (set to true) —respect the browser’s Do Not Track signal and don’t track those visitors.
  • data-outbound (set to false) — turn off automatic outbound-link tracking.
  • data-disable-payments (set to true) —make statlark.payment() a no-op.
  • data-debug (set to true) —log every tracked hit to the console; data-disable-console silences all output.
  • data-cookieless (set to true) — GDPR cookieless mode; see below.

Cookieless / GDPR mode

Set data-cookieless="true" and Statlark sets no cookies and no device storage at all. Instead, the hosted collector derives a visitor id server-side by hashing the request with a random salt that rotates and is discarded daily. Statlark keeps no copy of the salt or the IP once the day rolls over, so it can’t re-link a visitor from one day to the next.

This is designed for the EU “no information stored on or read from the user’s device” exemption, so it can run without a cookie-consent banner. It is not legal advice — confirm it fits your situation with your DPO before relying on it.

A few trade-offs to know:

  • No long-horizon attribution. Because the salt rotates daily, a visitor who returns on a later day counts as new — you keep same-day visitor and conversion counts, not multi-day returning-visitor paths.
  • Sessions on multi-page sites.With no device storage the tracker can’t stitch a visit across full page loads, so on a traditional multi-page site each page view counts as its own session (single-page apps are unaffected). Visitor and conversion counts stay accurate; session counts run high.
  • Hosted collector only.The id is derived in Statlark’s edge collector, so cookieless mode needs the default install — it cannot be combined with a first-party proxy.

The visitor ID

Statlark stores a first-party visitor id in the _slk_vid cookie. Read it with getVisitorId() — handy for tying a server-side goal or payment to the same visitor.

// The current visitor id (the _slk_vid cookie), or null when the tracker isn't
// running (Do Not Track / localhost / self-excluded). Use it to key a
// server-side goal or payment to the same visitor.
const id = window.statlark?.getVisitorId();