Telemetry
Opt-in, transparent, anonymous admin panel usage data.
Overview
Echelon Analytics can optionally send anonymous usage data, from the admin panel only, to the Echelon project. This helps the project understand which admin features are used and prioritize development. Telemetry is opt-in: it is never enabled without your explicit consent.
The short version
- Telemetry tracks admin panel page visits only (which admin pages you use)
- No visitor data, no page content, no PII is ever shared
- You are prompted on first admin access — "opt in" or "no thanks"
- You can change your choice anytime in Settings or via an environment variable
- A persistent status indicator (🟢📞 / 🔴📞) in the nav bar shows the current state
What telemetry collects
When enabled, the admin panel loads the standard Echelon tracking script pointed at ea.islets.app with data-site="ea". This tracks:
- Admin page visits (e.g. /admin, /admin/visitors, /admin/settings)
- Browser viewport size and device type (desktop/mobile)
- Country code (derived from IP by the receiving server, not sent by your instance)
This is the same privacy-preserving tracking that Echelon provides to your own sites — daily-rotating HMAC visitor IDs, no cookies by default, no fingerprinting.
What telemetry does NOT collect
- No visitor/user data from your tracked sites
- No page content, titles, or URLs from your tracked sites
- No database contents or query results
- No PII (names, emails, IPs are never stored by the receiving server)
- No experiment names, campaign details, or business data
- No configuration values or environment variables
How to control telemetry
First-run prompt
On first admin access (fresh database), a banner asks you to opt in or decline. Your choice is stored in the database and remembered across restarts.
Settings toggle
Go to Settings in the admin panel. The "Telemetry" section has a toggle to enable or disable telemetry at any time.
Environment variable (killswitch)
Set ECHELON_TELEMETRY to override the database setting:
| Value | Effect |
|---|---|
| true | Force telemetry on (Settings toggle shows "locked") |
| false | Force telemetry off — hard killswitch (Settings toggle shows "locked") |
| (unset) | Respect the per-instance database setting |
Example:
ECHELON_TELEMETRY=false deno task start
Status indicator
The admin nav bar always shows the current telemetry state between the theme selector and the logout link:
| Indicator | Meaning |
|---|---|
| 🟢📞 | Telemetry is active — admin usage data is being sent |
| 🔴📞 | Telemetry is inactive — nothing is sent |
| (hidden) | Undecided — the opt-in banner is shown instead |
Clicking the indicator opens this page.
View the telemetry data
The telemetry data is sent to ea.islets.app, which is a public Echelon Analytics instance running with ECHELON_PUBLIC_MODE=true. You can visit the admin dashboard without logging in and see exactly what data is collected across all participating Echelon instances.
How anonymization works
All telemetry data is anonymized before storage using ECHELON_ANONYMIZE_SITES. The receiving instance never stores identifiable data about tracked instances. Specifically:
| Field | Anonymization |
|---|---|
| Visitor ID | HMAC-SHA256 with daily-rotating key → consistent per-day hash (not reversible) |
| Session ID | Mapped to a Norwegian fisherman name (e.g. "Torstein Sjømann", "Olav Sildekong") |
| Country code | Mapped to a fictional exoplanet name (e.g. "Kepler-442b", "Proxima-b") |
| Referrer | Replaced with a fictional NSA intranet URL (e.g. https://nsa-intranet.gov/ops/PRISM-a3f2) |
| UTM params | Mapped to operation codenames (e.g. "operation-mockingbird") |
| Experiments | Hashed to experiment-<hash> / variant-<hash> |
| Event data | Stripped to {} (may contain identifying info) |
| Path | Kept as-is (admin panel paths like /admin/visitors are not sensitive) |
All mappings are deterministic within a day (same input → same output), so analytics aggregation works correctly. The mappings rotate daily and are not reversible.
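The per-day deterministic mapping described above, sketched as an added example; this is not the code in lib/anonymize.ts. The rotation scheme (a per-day key derived from a secret and the UTC date), the extra pool entries, the truncated visitor ID length, and all function names are assumptions made for illustration.

```typescript
import { createHmac } from "node:crypto";

// Name pools: the first two entries of each appear on this page, the rest are constructed.
const FISHERMEN = ["Torstein Sjømann", "Olav Sildekong", "Leif Torskefanger", "Knut Garnmester"];
const EXOPLANETS = ["Kepler-442b", "Proxima-b", "Constructed-1c", "Constructed-2d"];

interface RawRecord {
  visitorId: string; sessionId: string; country: string;
  path: string; eventData: Record<string, unknown>;
}

// Assumed rotation scheme: per-day key = HMAC-SHA256(secret, UTC date).
function dailyKey(secret: string, when: Date): string {
  const day = when.toISOString().slice(0, 10); // YYYY-MM-DD in UTC
  return createHmac("sha256", secret).update(day).digest("hex");
}

// Keyed hash of a domain-separated value; cannot be recomputed without the day's key.
function keyedHash(key: string, domain: string, value: string): string {
  return createHmac("sha256", key).update(`${domain}:${value}`).digest("hex");
}

// Deterministic pick from a pool, driven by the first 32 bits of the digest.
function pick(pool: string[], digestHex: string): string {
  return pool[parseInt(digestHex.slice(0, 8), 16) % pool.length];
}

// Applied before a record is written, so raw values are never stored.
function anonymize(rec: RawRecord, secret: string, when: Date): RawRecord {
  const key = dailyKey(secret, when);
  return {
    visitorId: keyedHash(key, "visitor", rec.visitorId).slice(0, 16),
    sessionId: pick(FISHERMEN, keyedHash(key, "session", rec.sessionId)),
    country: pick(EXOPLANETS, keyedHash(key, "country", rec.country)),
    path: rec.path, // kept as-is: admin paths are not sensitive
    eventData: {},  // stripped: free-form data may identify someone
  };
}

// Constructed sample record and secret.
const sample: RawRecord = {
  visitorId: "raw-visitor-1", sessionId: "raw-session-1", country: "NO",
  path: "/admin/visitors", eventData: { note: "could identify someone" },
};
const SECRET = "constructed-demo-secret";
const day1 = anonymize(sample, SECRET, new Date("2025-01-01T08:00:00Z"));
const day1Later = anonymize(sample, SECRET, new Date("2025-01-01T23:59:00Z"));
const day2 = anonymize(sample, SECRET, new Date("2025-01-02T00:01:00Z"));
console.log(day1, day2);
```

Within one UTC day the same raw visitor always maps to the same ID, so daily aggregation still works; after rotation the ID changes, so records cannot be linked across days.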
MCP server
The MCP server at ea.islets.app also serves the already-anonymized data. AI agents querying the telemetry database via MCP tools will only ever see anonymized records.
Origin exemption
If your instance uses ECHELON_ALLOWED_ORIGINS to restrict tracking to specific domains, the telemetry site ID (ea) is automatically exempted from origin checks. This ensures telemetry works regardless of your origin restrictions, while still respecting your opt-in/out choice.
Data Collection Policy
This is the complete, authoritative policy for Echelon Analytics telemetry data collection. No data is collected beyond what is described here.
What is collected
- Admin page paths — which admin pages you visit (e.g. /admin, /admin/visitors). No visitor-facing page paths from your tracked sites are ever sent.
- Viewport size and device type — browser window dimensions and desktop/mobile classification.
- Country code — derived server-side from your IP address by the receiving instance. Your IP is never stored.
- Behavioral events — standard Echelon events (scroll depth, session timing, clicks) from admin pages only.
What is NOT collected, under any circumstances
- No data from your tracked sites (visitor counts, page content, URLs, analytics results)
- No personally identifiable information (names, emails, usernames, passwords)
- No IP addresses (used transiently for country lookup, then discarded)
- No database contents, configuration values, or environment variables
- No experiment names, campaign details, UTM parameters, or business data
- No cookies (telemetry uses cookieless tracking by default)
How data is transmitted
When telemetry is enabled, the admin panel includes the standard Echelon tracking script (ea.js) pointed at ea.islets.app with data-site="ea". This is the exact same tracking script your own sites use — no special telemetry-only code paths exist. Pageviews go to /b.gif (pixel beacon) and behavioral events go to POST /e (sendBeacon), both protected by the same proof-of-work challenge system.
How data is stored
The receiving instance at ea.islets.app runs with ECHELON_ANONYMIZE_SITES=ea, which anonymizes all telemetry records before they are written to the database. The original values never touch disk. See the anonymization details above.
Data retention
Raw telemetry records are retained for 90 days (the default ECHELON_RETENTION_DAYS). Daily rollups aggregate the data and raw records are purged after the retention window. All stored data is anonymized.
Verify it yourself
Every claim on this page is verifiable:
- The code is open source — the telemetry implementation lives in the public repository. The relevant files are lib/telemetry.ts (opt-in resolution), lib/anonymize.ts (pre-storage anonymization), lib/beacon.ts and lib/events-endpoint.ts (anonymization intercept at write time), and lib/config.ts (configuration).
- The collected data is publicly available for analysis — ea.islets.app/admin runs in public mode with no login required. Visit the dashboard and inspect the actual stored data yourself. You will see Norwegian fisherman names, exoplanet countries, and NSA intranet referrers — not real values.
- The code running on ea.islets.app is the same code in the repository — no private fork, no secret modifications.
Found a problem?
If you believe telemetry collects more than what is described here, or if you find any issue with the anonymization, please open a GitHub issue. Telemetry trust is non-negotiable — any valid concern will be addressed immediately.
📞 "Transparency is the best policy! That's why the nav bar always shows whether telemetry is on or off — no hidden tracking, ever." -🦭