﻿=== No Cookie Analytics – By Arfa ===
Contributors: arfarehman
Tags: analytics, gdpr, tracking, privacy, no cookies
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 1.0.7
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Privacy-focused analytics with server-side tracking, dashboard reports, and no frontend cookies.

== Description ==
No Cookie Analytics – By Arfa tracks visits server-side without setting cookies in visitors'
browsers. Data stays in your WordPress database with an admin dashboard, reports, and optional
CSV export.

== Privacy ==
This plugin stores analytics records in your WordPress database (`wp_ncaba_hits`), including:

* Page URL/path
* Referrer host
* Browser/OS/device type
* Anonymized IP hash
* Session key
* Country code
* Timestamp

No raw IP address is stored in the plugin database.

Country detection behavior:

1. Uses server-provided geolocation headers when available (for example Cloudflare or GeoIP
   headers).
2. Optional external IP geolocation lookup can be enabled by admin consent in plugin settings.

When external geolocation is enabled, visitor IP is sent to:

* Service: [ipapi.co](https://ipapi.co/)
* Purpose: country lookup only

Site owners must disclose this in their privacy policy before enabling external lookup.

== External services ==

This plugin can optionally use the third-party service ipapi.co for country lookup. The lookup
is **disabled by default** and only runs after a site administrator explicitly enables the
"Allow External Geo Lookup" option in plugin settings.

* Service: ipapi.co (https://ipapi.co/)
* What is sent: the visitor's IP address (only when the option is enabled and no server-provided
  geo headers are available).
* When: at most once per visitor IP per day; the resolved country code is then cached locally.
* Why: to determine the visitor's country code for the analytics dashboard.
* Terms of Service: https://ipapi.co/terms/
* Privacy Policy: https://ipapi.co/privacy/

If the option is left disabled, the plugin never contacts ipapi.co.

== Features ==
* Server-side tracking
* GDPR-aware design (configure to your legal requirements)
* No frontend cookies
* Admin dashboard and home screen widget
* Pages, Referrers, and Users reports
* CSV export and settings import/export
* Local bundled frontend assets (no CDN required)

== Installation ==
1. Upload the `no-cookie-analytics-by-arfa` folder to `/wp-content/plugins/` (or install through the
   WordPress plugin installer).
2. Activate the plugin through the **Plugins** screen.
3. Open the **Analytics** menu in the admin area.

== Frequently Asked Questions ==

= Does this plugin set cookies? =

No. Tracking is performed on the server when pages are requested.

= Where is data stored? =

In a custom table in your WordPress database (`wp_ncaba_hits` by default).

== Changelog ==

= 1.0.7 =
* Removed UTF-8 byte order marks (BOM) from PHP sources so activation no longer sends accidental
  output to the browser.
* Uninstall: reliable table drop, clear all related and legacy cron hooks, and remove cached
  geo lookup transients.
* Deactivation: clear legacy cleanup cron hook names in addition to the canonical event.

= 1.0.6 =
* Renamed plugin to "No Cookie Analytics – By Arfa"; text domain and translation template are
  `no-cookie-analytics-by-arfa` (Domain Path: `/languages`).
* Main bootstrap file is `no-cookie-analytics-by-arfa.php`; directory slug `no-cookie-analytics-by-arfa`.
* PHP class and constant prefix `NCABA_*` (e.g. `NCABA_VERSION`, `NCABA_Activator`); runtime
  identifiers use lowercase `ncaba_*` / `ncaba-` (database table `{prefix}ncaba_hits`, options,
  hooks, AJAX, and asset handles). Legacy `cfaba_*`, `cfba_*`, and mistaken `NCABA_*` option keys
  or table names migrate automatically on upgrade.
* Plugin URI points to a reliable HTTPS profile page; localized admin strings and dashboard JS
  escaping improvements.
* Bumped tested-up-to header for current WordPress.

= 1.0.5 =
* Previous branding and slug iteration; see older releases for detail.

= 1.0.4 =
* Raised minimum WordPress version to 6.2 for safe `%i` identifier placeholders in
  `$wpdb->prepare()`.
* Hardened admin and cron SQL (prepared statements, `esc_like()` for `LIKE` patterns).
* Replaced `parse_url()` with `wp_parse_url()`; removed redundant `fclose()` on export stream.
* Settings import notices use per-user transients; validated upload temp files with
  `is_uploaded_file()`.
* Added readme short description; direct-access guard on settings view template.

= 1.0.3 =
* Bundled Chart.js and Poppins assets locally (removed CDN dependency).
* Added explicit admin consent toggle for external geolocation lookup.
* Updated privacy disclosure and reviewer-oriented readme details.

= 1.0.2 =
* Improved admin UI and tooltip behavior.

= 1.0.1 =
* Added richer visitor identity and dashboard/report improvements.

= 1.0.0 =
* Initial release.
