=== Trackless ===
Contributors: dominikshaim
Tags: analytics, privacy, cookieless, woocommerce, statistics
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.2
Stable tag: 1.1.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Cookieless server-side analytics. No cookies, no JS, no banner: traffic, sources and devices; with WooCommerce also orders, revenue and margin.

== Description ==

Trackless measures your site's traffic — and, on WooCommerce stores, your real revenue and margin — entirely server-side. No cookies, no JavaScript snippet, no consent banner slowing your pages down. You read the reports in your Trackless account dashboard.

**How visitors are counted (privacy by design):**

* The visitor key is a daily-rotating HMAC-SHA256 hash of IP + User-Agent + day, keyed with a secret salt that exists only on your server. It cannot be reversed and changes every day.
* The raw IP address is never stored and never transmitted — only a keyed hash.
* Global Privacy Control (the `Sec-GPC` browser signal) is honoured: opted-out visitors are not tracked at all.
* No data is written to the visitor's browser — no cookies, no localStorage, no fingerprinting scripts.
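
A sketch of the visitor-key construction described in this list, added here as an example and not taken from the plugin's source. The function names, field order, the newline separator and the use of the UTC calendar day are assumptions made for the illustration.

```php
<?php
// Added illustration; not the Trackless plugin's code. Field order, the "\n"
// separator and the UTC day format are assumptions.

/** True when the request carries the Global Privacy Control opt-out (Sec-GPC: 1). */
function example_gpc_opted_out(array $server): bool
{
    return isset($server['HTTP_SEC_GPC']) && trim((string) $server['HTTP_SEC_GPC']) === '1';
}

/**
 * Daily-rotating visitor key: HMAC-SHA256 over IP, User-Agent and day, keyed with the salt.
 * Returns null for opted-out visitors so the caller records nothing.
 */
function example_visitor_key(array $server, string $salt, DateTimeImmutable $now): ?string
{
    if (example_gpc_opted_out($server)) {
        return null;
    }
    $ip  = (string) ($server['REMOTE_ADDR'] ?? '');
    $ua  = (string) ($server['HTTP_USER_AGENT'] ?? '');
    $day = $now->setTimezone(new DateTimeZone('UTC'))->format('Y-m-d');

    // An explicit separator keeps field boundaries unambiguous, so
    // ("1.2.3.4", "5Agent") and ("1.2.3.45", "Agent") cannot produce the same input.
    return hash_hmac('sha256', $ip . "\n" . $ua . "\n" . $day, $salt);
}

// Constructed sample input (documentation-range IP, made-up User-Agent).
$salt    = random_bytes(32); // in practice generated once per site and kept server-side
$request = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$day1    = new DateTimeImmutable('2025-01-10 09:00:00', new DateTimeZone('UTC'));

$morning = example_visitor_key($request, $salt, $day1);
$evening = example_visitor_key($request, $salt, $day1->setTime(23, 59));
$nextDay = example_visitor_key($request, $salt, $day1->modify('+1 day'));

var_dump(hash_equals($morning, $evening)); // same visitor, same UTC day
var_dump(hash_equals($morning, $nextDay)); // same visitor, following day
var_dump(example_visitor_key($request + ['HTTP_SEC_GPC' => '1'], $salt, $day1)); // visitor sending Sec-GPC: 1
```

The key is only as private as the salt: the IPv4 address space is small enough to enumerate, so anyone holding the salt could recompute candidate keys for a given day.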

**What it measures:**

* Visits and sessions with source / medium / campaign and a GA4-style channel group
* Page views and events: product view, category view, search, add to cart, cart, checkout, 404
* Device, browser, OS, country and language (one row per visitor per day)
* With WooCommerce: orders, revenue, refunds, payment and shipping methods, first-order flag, order attribution (WooCommerce 8.5+ Order Attribution), ordered items — including per-unit purchase cost for margin reporting if you store it (`_wc_cog_cost`, `_alg_wc_cog_cost`, `_cost` or the `trackless_wholesale_price` filter)

Events are collected into a small queue table in your own database and flushed once a day via WP-Cron (or manually with the "Send now" button). The delivery is HMAC-SHA256 signed and idempotent, so retries are safe.
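
Why a signed, idempotent delivery makes retries safe, shown as an added example that is not the Trackless wire format or the plugin's code. The `batch_id` field, the JSON layout, the signing key and the in-memory `$seen` store are hypothetical.

```php
<?php
// Added illustration; not the Trackless wire format. The batch_id field, the
// payload layout and the in-memory "seen" store are assumptions.

/** Sender: serialise the batch once and sign the exact bytes that go on the wire. */
function example_sign_batch(array $events, string $batchId, string $signingKey): array
{
    $body = json_encode(['batch_id' => $batchId, 'events' => $events]);
    return ['body' => $body, 'signature' => hash_hmac('sha256', $body, $signingKey)];
}

/**
 * Receiver: verify the signature over the raw body in constant time, then
 * apply the batch only if its id has not been seen before.
 */
function example_receive_batch(string $body, string $signature, string $signingKey, array &$seen): string
{
    $expected = hash_hmac('sha256', $body, $signingKey);
    if (!hash_equals($expected, $signature)) {
        return 'rejected';   // altered body or wrong key
    }
    $batch = json_decode($body, true);
    if (!is_array($batch) || !is_string($batch['batch_id'] ?? null)) {
        return 'rejected';   // authentic but malformed
    }
    if (isset($seen[$batch['batch_id']])) {
        return 'duplicate';  // retry of a delivered batch: acknowledge, do not re-apply
    }
    $seen[$batch['batch_id']] = true;
    return 'accepted';
}

// Constructed sample batch and key.
$key  = 'example-signing-key';
$seen = [];
$msg  = example_sign_batch([['type' => 'page_view', 'url' => '/shop']], 'batch-2025-01-10', $key);

echo example_receive_batch($msg['body'], $msg['signature'], $key, $seen), "\n";       // first delivery
echo example_receive_batch($msg['body'], $msg['signature'], $key, $seen), "\n";       // retry after a timeout
echo example_receive_batch($msg['body'] . ' ', $msg['signature'], $key, $seen), "\n"; // body changed in transit
```

Verifying the signature before parsing means unauthenticated input never reaches the JSON decoder or the deduplication store.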

WooCommerce is optional: on a plain WordPress site you get cookieless web analytics; with WooCommerce you also get the e-commerce metrics.

= External service: Trackless (please read) =

This plugin is a connector for **Trackless** (https://trackless.cz), a hosted analytics service. It is **not** a standalone statistics plugin — the reports live in your Trackless account, and the plugin sends data to the service's ingest endpoint at `https://trackless.cz/ingest`.

**When data is sent:** only after you enter your API key **and** explicitly tick the Data Processing Agreement (DPA) consent checkbox in the plugin settings. Until you do both, the plugin collects and sends nothing.

**What is sent (once a day, HMAC-signed):**

* Anonymous traffic aggregates: hashed visitor identifiers (keyed HMAC, daily-rotating), hashed IPs, page URLs, referrers, UTM parameters and click IDs, device/browser/OS, country code, language
* With WooCommerce: order data including order ID, totals and refunds (amounts), currency, payment method, shipping method, order status, attribution, and line items with prices and (if configured) per-unit purchase costs
* Site metadata: site name, domain, timezone, currency, order statuses, product categories, carriers, payment gateway names

**Terms and pricing:** Trackless is a paid service with a 30-day free trial; you need a Trackless account and API key to use this plugin.

* Terms of Service: https://trackless.cz/en/obchodni-podminky
* Data Processing Agreement (DPA): https://trackless.cz/en/zpracovatelska-smlouva

== Installation ==

1. Install the plugin from the WordPress.org directory (Plugins → Add New → search for "Trackless"), or upload the ZIP via Plugins → Add New → Upload Plugin. Activate it.
2. Create a Trackless account at https://trackless.cz (30-day free trial) and copy your API key from Account management.
3. Go to Settings → Trackless, paste the API key, tick "Enable data collection and sending" and confirm the Data Processing Agreement. Save.
4. (Optional) Click "Send now" to deliver the first batch immediately; afterwards data is sent automatically once a day via WP-Cron.

== Frequently Asked Questions ==

= Does it work without WooCommerce? =

Yes. On a plain WordPress site you get the full cookieless traffic analytics (visits, sources, pages, devices, countries). WooCommerce only adds the e-commerce part: orders, revenue, margin and product events.

= Do I need a cookie consent banner for this plugin? =

The plugin itself stores nothing in the visitor's browser — no cookies, no localStorage — and only ever processes a keyed, daily-rotating hash instead of raw identifiers. So this plugin does not give you a reason to add a consent banner. (Whether the rest of your site needs one is a separate question, and this is not legal advice.)

= What about Global Privacy Control and Do Not Track? =

Global Privacy Control (`Sec-GPC: 1`) is honoured: such visitors are not tracked at all. The deprecated Do Not Track signal is intentionally ignored, matching common industry practice.

= Will it slow down my site? =

No measurable effect. A page view costs one INSERT into a local queue table — there is no JavaScript, no external request during the visit. Everything is sent to Trackless once a day in the background (WP-Cron).

= Do I need a Trackless account? Is it free? =

You need an account at https://trackless.cz — the plugin is only a connector to the Trackless service. The service is paid, with a 30-day free trial; see the pricing on the website.

== Screenshots ==

1. Plugin settings — paste your API key, agree to the Data Processing Agreement, and fine-tune tracking: excluded IPs (single addresses or CIDR ranges), self-referral domains and the bot User-Agent filter. Nothing is collected or sent until you opt in.
2. Status panel — see how many events are queued and when traffic and orders were last sent, and flush the queue immediately with the "Send now" button.
3. Guided setup — until your API key is in place, a one-step reminder links straight to the Trackless settings.
4. Example dashboard in your Trackless account (sample data): traffic, revenue, margin and conversion, an order-based pricing band, and GA4 channel groups — the reports this plugin feeds.

== Changelog ==

= 1.1.4 =
* Bot/crawler filter is now managed centrally in your Trackless account: the User-Agent list you keep there is applied automatically by the plugin (taking precedence over the local default). One place to maintain it across all your sites; your local list is kept as a fallback.

= 1.1.3 =
* Excluded IP addresses now also accept CIDR ranges (IPv4 and IPv6), not just single addresses.
* IP addresses you exclude centrally in your Trackless account are now applied by the plugin automatically, alongside your local list. Your local list is kept.

= 1.1.2 =
* Expanded the default bot User-Agent filter to match the PrestaShop module: SEO crawlers, monitoring/uptime services, headless browsers and common HTTP libraries are now filtered out by default, for cleaner human-only stats. Any custom list you saved is kept.

= 1.1.1 =
* New setting: Excluded domains (self-referral) — return visits from payment gateways keep their original source. Pre-filled with common gateways.
* New setting: Filtered robots (User-Agent) — the bot filter is now editable.
* Clearer wording of the developer-only multi-currency note.

= 1.1.0 =
* Internationalization: all user-facing strings are translatable (text domain `trackless`), English source strings, bundled Czech and Slovak (cs_CZ, sk_SK) translations.
* readme rewritten for the WordPress.org plugin directory, including the external-service disclosure.
* Hardening pass: stricter capability checks (`manage_options` on save and send), escaping of all admin output, sanitization of all inputs, fuller uninstall cleanup (salt, transients, cron).

= 1.0.1 =
* Visitor fingerprint and IP hash switched to keyed HMAC-SHA256; the order `ip_hash` now uses the identical construction as the tracker (cross-day attribution join).
* Fix: corrupt queue rows are deleted on fetch instead of being re-scanned forever.
* Fix: `trackless_conversion_rate` filter values NAN/INF are clamped to 1.
* Fix: X/Twitter is matched exactly (x, x.com, t.co) — sources merely containing the letter "x" are no longer classified as social.
* Fix: plain HTTP clients (curl, wget, python-requests) are treated as bots and not tracked.
* Fix: 3-letter geo header country codes (e.g. AUT) are skipped instead of being cut to a different country's 2-letter code.

= 1.0.0 =
* Initial release: cookieless server-side traffic analytics; with WooCommerce also orders, revenue and margin.

== Upgrade Notice ==

= 1.1.4 =
The bot/crawler filter can now be managed centrally in your Trackless account and is applied automatically. Your local settings are kept.

= 1.1.3 =
Excluded IPs now support CIDR ranges and exclusions you manage centrally in your Trackless account. Your settings are kept.

= 1.1.2 =
Larger default bot filter (SEO crawlers, monitoring, headless browsers, HTTP libraries). Your settings are kept.

= 1.1.1 =
Two new settings: excluded self-referral domains (pre-filled with payment gateways) and an editable bot User-Agent filter. Settings are kept.

= 1.1.0 =
Translation-ready (English strings + Czech and Slovak translations), WordPress.org-ready readme and a security hardening pass. No data-format changes; settings are kept.
