Script configuration
The one-line snippet works with no options. Everything below is optional — set it with a data-* attribute on the <script> tag.
Subdomain tracking
By default Statlark scopes the visitor cookie to your registrable domain (e.g. .example.com), so a visitor who lands on your marketing site and later signs up on app.example.com stays the sameperson and keeps their original attribution. It works out of the box — no configuration — and falls back to the current host if a domain can’t be resolved.
<!-- Default: the visitor cookie is scoped to your registrable domain, so a
visitor who moves from www.example.com to app.example.com stays one person. -->
<script defer src="https://statlark.com/script.js" data-website-id="sl_xxxx"></script>
<!-- Force an explicit cookie domain, or "none" to opt out (host-only). -->
<script defer src="…" data-website-id="sl_xxxx" data-cookie-domain=".example.com"></script>Set data-cookie-domain to pin an explicit domain, or to none to opt out and keep the cookie host-only. Once you track across subdomains, a Subdomains breakdown appears on the Visitors tab.
All options
data-website-id— your site id (sl_…). Required.data-api— a custom collector endpoint (for a first-party proxy).data-cookie-domain— cookie scope: unset = auto (registrable domain), an explicit domain, ornonefor host-only.data-allow-localhost(set totrue) —count visits fromlocalhostand private hosts (off by default).data-honor-dnt(set totrue) —respect the browser’s Do Not Track signal and don’t track those visitors.data-outbound(set tofalse) — turn off automatic outbound-link tracking.data-disable-payments(set totrue) —makestatlark.payment()a no-op.data-debug(set totrue) —log every tracked hit to the console;data-disable-consolesilences all output.data-cookieless(set totrue) — GDPR cookieless mode; see below.
Cookieless / GDPR mode
Set data-cookieless="true" and Statlark sets no cookies and no device storage at all. Instead, the hosted collector derives a visitor id server-side by hashing the request with a random salt that rotates and is discarded daily. Statlark keeps no copy of the salt or the IP once the day rolls over, so it can’t re-link a visitor from one day to the next.
This is designed for the EU “no information stored on or read from the user’s device” exemption, so it can run without a cookie-consent banner. It is not legal advice — confirm it fits your situation with your DPO before relying on it.
A few trade-offs to know:
- No long-horizon attribution. Because the salt rotates daily, a visitor who returns on a later day counts as new — you keep same-day visitor and conversion counts, not multi-day returning-visitor paths.
- Sessions on multi-page sites.With no device storage the tracker can’t stitch a visit across full page loads, so on a traditional multi-page site each page view counts as its own session (single-page apps are unaffected). Visitor and conversion counts stay accurate; session counts run high.
- Hosted collector only.The id is derived in Statlark’s edge collector, so cookieless mode needs the default install — it cannot be combined with a first-party proxy.
The visitor ID
Statlark stores a first-party visitor id in the _slk_vid cookie. Read it with getVisitorId() — handy for tying a server-side goal or payment to the same visitor.
// The current visitor id (the _slk_vid cookie), or null when the tracker isn't
// running (Do Not Track / localhost / self-excluded). Use it to key a
// server-side goal or payment to the same visitor.
const id = window.statlark?.getVisitorId();