Here’s a number you can check yourself, right now, without asking anyone’s permission: open a new tab, go to dashboard.simpleanalytics.com/open, and look at the monthly recurring revenue figure at the top. When I checked it while writing this, it read just over $50,000, updated — the page claimed — fifteen minutes earlier. No login. No sales call. No PDF one-pager with a testimonial stretched over a stock photo of a handshake. Just the number, live, the way Simple Analytics has been showing it to anyone who asks since at least February 2020.

That page is the strangest and most useful thing about this company, and it’s worth understanding before the more famous part of the story: a three-person, fully bootstrapped Google Analytics alternative that spent 2021 and 2022 watching European regulators dismantle Google Analytics’ legal footing, country by country, and built a real business out of being the compliant option standing there when each ruling landed.

The wedge: a script with almost nothing in it

In September 2018, Adriaan van Rossum was a freelance developer in the Netherlands doing what freelance developers did on every new client site: installing Google Analytics. He’d done it enough times, watching what the snippet quietly pulled off a visitor’s browser, that it started to bother him. GDPR had been in force for four months by then, since May 2018, and hadn’t yet been tested against a tool like Google Analytics in any regulator’s office — that was still more than three years away. Van Rossum wasn’t reacting to a ruling. He was reacting to installing the code.

For the wedge to be honest, it helps to see how small the actual product was: a script under 5 kilobytes that recorded pageviews, referrer, top pages, and screen width, stored no IP addresses, set no cookies, and asked visitors for no consent because it had no personal data to ask consent for. That was the whole thing. Van Rossum built it and, on September 19, 2018, posted it to Hacker News as “Show HN: I made a privacy-first minimalist Google Analytics.”

It hit the front page hard — 968 points, 263 comments — but the comments weren’t a coronation. Commenters pointed out that IP address plus screen width was still enough to fingerprint a device; others argued the category was too thin — no session tracking, no way to correlate two pageviews from the same visitor; a contingent of self-hosters said Matomo or raw server logs did the same job without trusting a third party at all. Those were reasonable objections, and versions of them are still made about this category today. What the launch proved wasn’t that the product was finished — it was that roughly 30 people, out of a front page’s worth of skeptics, cared enough to pay for the unfinished version immediately.

How the first customers actually showed up

The honest channel is Hacker News, twice — and then nothing dramatic for a long stretch after that.

The September 2018 launch converted straight out of the thread: about 30 paying customers within days, out of an audience that had spent the same afternoon publicly arguing about whether the product was any good. That’s a pattern worth naming because it recurs through this story — the buyers who mattered were the ones who read the objections and bought anyway, because the core pitch (a tool that structurally cannot collect what it never asked for) didn’t need to win every argument in the thread, just the one with the person paying.

The second Hacker News moment came seventeen months later and tells you something different. In February 2020, van Rossum posted “Simple Analytics hits $4k MRR and shares its numbers” — not a launch, not a growth hack, a founder posting his own figures to the same community that had shown up once before. Marketing analyst Harry Dry later used Simple Analytics as a case study specifically because its traffic graph tracked Hacker News activity so cleanly: useful, honest comments were functioning as a real, repeatable channel, not a one-time front-page lottery ticket.

What that channel didn’t do was compound quickly. By July 2020, van Rossum reported 471 paying customers and roughly $80,000 in annual recurring revenue in one of the company’s earliest public interviews — genuine progress, and proof this was still a side project run two or three days a week around paid freelance work. That’s the part a highlight reel skips: Simple Analytics spent something like four years as one person plus occasional contractors, climbing gradually toward $10,000–$11,000 in monthly recurring revenue, with no second full-time hire and no dedicated marketing effort. A perfectly fine outcome for a bootstrapped side project. Not yet the story this piece is about.

The growth machine

A late co-founder, and unusually good timing

It’s easy to compress this into “and then Iron Brands joined as co-founder,” which is true but hides the more useful version. Iron met Adriaan through Amsterdam’s Indie Hackers meetup while running his own company, Fiks, a student-internship marketplace. They talked; six months later, Iron agreed to spend one day a week on Simple Analytics while keeping Fiks running. Another six months after that — spent training his own replacement at Fiks — he moved over full time. The company’s own history dates his formal co-founder status to 2022, roughly four years after Adriaan started the company, not “shortly after founding” the way a compressed retelling tends to suggest. He’s since described what convinced him bluntly: he’d run a harder business before, and could feel the difference in how this one grew — product-market fit, in his words, is a gut feeling, and this was the first time he’d felt it.

Here’s the detail that makes the timing matter: Iron’s move to full-time co-founder, specifically to run marketing while Adriaan stayed on product, landed in 2022 — the exact year the European regulatory dominoes actually started falling in public. A four-year-old company with a genuinely differentiated, structurally compliant product had just added the one thing it didn’t have: someone whose entire job was making sure the world heard about it the moment the world had a reason to care.

The rulings, one by one

The regulatory chain that made 2022 the right year to have a marketer on staff started two years earlier, and it’s worth naming precisely, because “GDPR helped them” undersells how specific and dated the actual sequence was.

On July 16, 2020, the EU’s top court ruled in Schrems II that the EU–US Privacy Shield framework — the legal basis a huge share of American cloud and analytics tools relied on to move European user data across the Atlantic — was invalid. A month later, the Austrian privacy group noyb (founded by the same Max Schrems who brought that case) filed 101 nearly identical complaints across 30 European countries against companies still running Google Analytics or Facebook’s tracking tools, naming the European sites of Airbnb, Sephora, and Decathlon among the targets. The EU’s data protection board set up a coordination task force that September, then went quiet for sixteen months while regulators worked through the complaints in parallel.

Then, in a compressed stretch, the rulings actually landed:

  • December 22, 2021 (published January 13, 2022): Austria’s data protection authority ruled that a website using Google Analytics violated GDPR’s rules on international data transfers, and explicitly rejected the argument that “reasonable” safeguards were good enough — the first regulator to go that far.
  • January 2022: with a genuine irony, the EU’s own Data Protection Supervisor reprimanded the European Parliament’s website for essentially the same problem — running Google Analytics and Stripe without adequate transfer safeguards. The institution that had passed GDPR got caught by it.
  • February 10, 2022: France’s CNIL ruled the same way, finding Google Analytics transfers “illegal” under GDPR Article 44 and ordering a named site operator to come into compliance within a month.
  • April 22, 2022: the Dutch Data Protection Authority, which had been investigating since January, published a public statement warning that Google Analytics “may soon no longer be permitted.”
  • June 23, 2022: Italy’s Garante banned Google Analytics outright in a decision against Caffeina Media, with a 90-day compliance window.
  • Through July 2022: the pattern widened past Google Analytics specifically — a German procurement chamber found an AWS data-transfer arrangement unlawful, Ireland’s DPC moved toward ordering Meta to suspend transfers, and Denmark’s authority barred a municipality from using Google Workspace in schools.

Six regulators, five countries, roughly eight months, one shared legal theory. That’s not “Europe doesn’t like Google Analytics” as a vibe — it’s a specific, dated, checkable sequence, which is exactly the kind of thing a content-driven business can build a calendar around.

A content operation built to move at ruling speed

Simple Analytics’ response wasn’t one well-timed blog post. It was a habit of publishing within days of each ruling, addressed to the exact reader who’d just seen the headline and didn’t know what to do about it. Van Rossum’s LinkedIn article, “Will Google Analytics be banned in the EU?”, went up January 17, 2022 — the same week the Dutch authority’s statement was making news, days after Austria’s decision was published. Blog posts tracking the French ruling, the Italian ban, and later Sweden’s and Norway’s positions followed the same shape: dated, country-specific, published close enough to the news cycle to catch people actually searching for it. By August 2022, once the story had widened into a genuine multi-country trend, the company published one long roundup — “The Complete Overview: From 101 noyb Complaints to Banning Google Analytics” — laying out the entire chain above in a single dated timeline. It’s still live, edited as recently as 2023, and still ranks for the searches an anxious site owner types the moment a new ruling makes headlines.

Iron Brands has described the effect directly in one interview: the CNIL’s ruling specifically drove a measurable pickup in signups from France, and — because a compliance decision is, at bottom, a legal question — he’s said the company’s champions inside client organizations are as often the legal and compliance team as the marketing team. That’s a different sales motion than most analytics tools run, following directly from what the product structurally is: something you can hand to a compliance officer instead of arguing with one.

One more mechanic worth naming, because it’s easy to miss: the privacy-first design gives Simple Analytics a real technical edge at the exact moment regulators started scrutinizing consent — it doesn’t need a cookie banner to fire, since it doesn’t set cookies or collect anything personal enough to require consent. Publisher Hearst has reportedly used this directly, per one interview with Iron: running Simple Analytics before a visitor answers the consent prompt, capturing privacy-safe traffic from every visitor, then layering standard Google Analytics on top only for those who opt in. A tool that doesn’t legally need permission to run captures more of a site’s real traffic than one that does — and post-Schrems II, more visitors were declining, and more legal departments were asking why the analytics tool needed the banner at all.

The dashboard, running quietly the whole time

Here’s what’s easy to miss if you only look at 2022: the open, live financial dashboard predates the entire regulatory story by two years. Van Rossum was posting real MRR numbers to Hacker News in February 2020, back when the company had a few hundred customers and no second founder. The transparency wasn’t a response to the GDPR moment — it was already the operating style, and that turns out to matter, because it means the regulatory pitch and the transparency pitch reinforced each other instead of competing for the same attention.

Consider what a prospective customer is being asked to believe when they switch analytics tools for privacy reasons: trust this company with your visitors’ data instead of Google’s. A testimonials page doesn’t really answer that — testimonials are curated by definition, five good quotes selected out of however many customers exist. A live, Stripe-connected dashboard showing real revenue, real customer-happiness scores, and real month-to-month movement is different: it isn’t curated, it updates whether that week’s number is flattering or not, and a company willing to be that exposed about its own numbers is making an implicit argument about how it treats other people’s numbers too. For a privacy company, radical transparency about money is about as on-brand a trust mechanic as exists, and it costs nothing beyond the discomfort of doing it.

The numbers, stated plainly

Revenue. Simple Analytics’ own dashboard showed roughly $50,400 in monthly recurring revenue and $604,800 in annualized run rate when I checked it in July 2026, with 1,324 paying customers, updated — per the page — fifteen minutes earlier. A third-party Stripe-verified tracker, TrustMRR, showed a lower figure the same week: $39,778 MRR, alongside a lifetime cumulative-revenue figure the open dashboard doesn’t display — $1,772,565 since launch. Both are legitimate; the gap is most likely the dashboard’s stated method of summing revenue in a “unified currency” across multiple currencies rather than converting each to dollars. I’m citing both rather than picking the more flattering one. Worth noting too: not every chart on the dashboard is actually live — the detailed profit-and-expense breakdown was stamped “up to date until 832 days ago” when I looked, roughly two years stale, even though the headline revenue and customer figures update in real time. Check the current numbers yourself before quoting them — that’s the point of a live dashboard, and the honest caveat about what “live” covers here.

Customers. 1,324 on the open dashboard (1,311 on TrustMRR the same week) — a mix of self-serve individual site owners and enterprise-adjacent logos, including Bloomberg, Michelin, Hyundai, the UK government, the Bank of England, and the Scottish government, landed without a dedicated sales team.

Growth timeline. Roughly 30 paying customers within days of the September 2018 launch; 471 customers and about $80,000 ARR by July 2020; roughly $10,000–$11,000 MRR by 2022, when Iron Brands became full-time co-founder; organic blog traffic from Google growing from about 1,000 to nearly 7,000 monthly visitors over the following year; $24,000 MRR by early 2024; roughly $380,000 ARR by mid-2024; the current $40,000–$50,000-plus MRR range two years after that. No two of these checkpoints come from the same source, so weight the shape of the curve — years of slow, real growth, then a visible inflection once marketing had a dedicated owner — more than any single point on it.

Team. Three people: Adriaan van Rossum (founder), Iron Brands (co-founder), and one senior software engineer hired since. Zero outside investment, self-funded and profitable throughout.

Founding date. September 2018, per Simple Analytics’ own About page, corroborated by the actual Hacker News launch thread dated September 19, 2018. One founder interview places it in October instead — a small, unremarkable discrepancy more likely to be memory drift across a multi-year retelling than a real dispute about the date.

What’s transferable, and what isn’t

Not transferable: you cannot schedule a regulatory shock. Simple Analytics didn’t cause Schrems II, didn’t cause noyb to file 101 complaints, and didn’t cause six regulators to rule against Google Analytics inside an eight-month window. If your growth plan requires a specific court case or ruling to land on a specific timeline, you don’t have a growth plan — you have a hope. Nobody should read this and conclude the move is to wait for a regulator to hand them a market.

Transferable: watch for the regulatory shifts that make your alternative suddenly urgent, and have the infrastructure ready to move fast when one hits. The distinction that matters is between waiting for a shock and being positioned to exploit one you didn’t cause. Simple Analytics could publish a dated response to the Austrian ruling within days because the country-specific pages and the “is Google Analytics compliant” framing already existed as ordinary competitive content — the regulatory response wasn’t a new muscle, it was the existing content operation pointed at that week’s news instead of evergreen keywords. If you sell a compliant, safer, or more resilient alternative to an incumbent in any regulated category, build that specificity now, before you need it, so that when a regulator, a lawsuit, or a policy change makes your alternative newly urgent, you’re publishing that week, not that quarter.

Transferable: an open, live dashboard is a trust mechanic almost nobody uses, and it’s strongest when it matches what you sell. This one has nothing to do with regulation. Publishing real, current, unflattering-when-necessary numbers is available to any company at zero cost beyond the discomfort of doing it, and it’s a stronger trust signal than a testimonials page precisely because it can’t be curated. It works best when it’s thematically coherent with the product — a privacy company being transparent about its own revenue makes its privacy pitch more credible, the same way an accounting tool being transparent about its own books would, or a security company being transparent about its own incident history would. If what you sell is trust, consider selling proof of it instead of claims about it.

Honest tension, worth stating plainly: this is a crowded lane, and Simple Analytics is not the only option — arguably not even the biggest one. Plausible Analytics, based in Estonia, is also fully bootstrapped and open-source, runs with a team roughly three times the size of Simple Analytics’, and does something in the range of $3 million in annual revenue — several times Simple Analytics’ figure. Fathom Analytics, built by Paul Jarvis and Jack Ellis, is also bootstrapped, profitable, and privacy-first. None of the three real competitors in this category took venture money; this isn’t underdog-versus-funded-giant, it’s three bootstrapped companies of different sizes chasing the same “privacy-friendly Google Analytics alternative” position, and Simple Analytics is the smallest of the three. What carved out its share wasn’t being the only compliant option — it demonstrably wasn’t — it was moving faster and more specifically on the regulatory content than competitors covering the same rulings more generically, plus a transparency mechanic neither rival runs in quite the same literal, Stripe-linked way. “We’re also compliant” isn’t a wedge by itself in a category with real substitutes. The wedge was speed and specificity on the news, plus a trust mechanic nobody else copied.

What almost didn’t work: four years of flat-ish growth before anything compounded. Simple Analytics spent roughly four years — 2018 to 2022 — growing from zero to about $10,000–$11,000 MRR as a part-time, one-person-plus-freelancers operation, with a genuinely differentiated product and, for most of that window, no regulatory tailwind at all. The tailwind didn’t create the growth on its own, and neither did the product alone; it took someone whose actual job was turning attention into growth arriving in the same window the attention became available. Good product and good timing aren’t sufficient by themselves — something has to catch the wind.

Sources

Share this article
LinkedIn (opens in new tab) X / Twitter (opens in new tab)
Atticus Li

Experimentation and growth leader. CXL-certified CRO practitioner, Mindworx-certified behavioral economist (1 of ~1,000 worldwide). 200+ A/B tests across energy, SaaS, fintech, e-commerce, and marketplace verticals.