=== Trackless ===
Contributors: dominikshaim
Tags: analytics, privacy, cookieless, woocommerce, statistics
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.1.5
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Cookieless server-side analytics. No cookies, no JS, no banner: traffic, sources and devices; with WooCommerce also orders, revenue and margin.

== Description ==

Trackless measures your site's traffic — and, on WooCommerce stores, your real revenue and margin — entirely server-side. No cookies, no JavaScript snippet, no consent banner slowing your pages down. You read the reports in your Trackless account dashboard.

**How visitors are counted (privacy by design):**

* The visitor key is a daily-rotating HMAC-SHA256 hash of IP + User-Agent + day, keyed with a secret salt that exists only on your server. It cannot be reversed and changes every day.
* The raw IP address is never stored and never transmitted — only a keyed hash.
* Global Privacy Control (the `Sec-GPC` browser signal) is honoured: opted-out visitors are not tracked at all.
* No data is written to the visitor's browser — no cookies, no localStorage, no fingerprinting scripts.
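
How a key of this kind can be derived, as an added example that is not the plugin's own code: `example_visitor_key()`, the field order, the length-prefixed encoding and the UTC day boundary are assumptions, since the readme only states "HMAC-SHA256 of IP + User-Agent + day" with a server-side salt.

```php
<?php
// Added illustration, not the plugin's code. Function name, field order,
// length-prefixed encoding and UTC day boundary are assumptions.

/**
 * Returns the visitor key for one request, or null when the visitor
 * sent the Global Privacy Control signal (Sec-GPC: 1).
 */
function example_visitor_key(array $server, string $salt, int $now): ?string
{
    // Opted-out visitors get no key at all, so nothing can be queued for them.
    if (trim($server['HTTP_SEC_GPC'] ?? '') === '1') {
        return null;
    }

    $ip  = $server['REMOTE_ADDR'] ?? '';
    $ua  = $server['HTTP_USER_AGENT'] ?? '';
    $day = gmdate('Y-m-d', $now); // the day component is what rotates the key

    // Length-prefix each field so that different (IP, User-Agent) pairs can
    // never concatenate into the same HMAC input.
    $message = '';
    foreach ([$ip, $ua, $day] as $field) {
        $message .= strlen($field) . ':' . $field;
    }

    return hash_hmac('sha256', $message, $salt);
}

// Constructed sample input (documentation IP range, made-up User-Agent).
$salt    = random_bytes(32); // generated once per site, never leaves the server
$request = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)',
];
$day1 = gmmktime(12, 0, 0, 1, 6, 2025);
$day2 = $day1 + 86400;

$a = example_visitor_key($request, $salt, $day1);
$b = example_visitor_key($request, $salt, $day1 + 3600);
$c = example_visitor_key($request, $salt, $day2);
$d = example_visitor_key($request + ['HTTP_SEC_GPC' => '1'], $salt, $day1);

var_dump(hash_equals($a, $b)); // same visitor, one hour later on the same day
var_dump(hash_equals($a, $c)); // same visitor on the following day
var_dump($d);                  // visitor with Sec-GPC: 1
```

The secrecy of the salt is what carries the privacy property: the IPv4 address space is small enough to enumerate, so an unkeyed hash of the same fields could be matched back to an address by brute force.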

**What it measures:**

* Visits and sessions with source / medium / campaign and a GA4-style channel group
* Page views and events: product view, category view, search, add to cart, cart, checkout, 404
* Device, browser, OS, country and language (one row per visitor per day)
* With WooCommerce: orders, revenue, refunds, payment and shipping methods, first-order flag, order attribution (WooCommerce 8.5+ Order Attribution), ordered items — including per-unit purchase cost for margin reporting if you store it (`_wc_cog_cost`, `_alg_wc_cog_cost`, `_cost` or the `trackless_wholesale_price` filter)

Events are collected into a small queue table in your own database and flushed once a day via WP-Cron (or manually with the "Send now" button). The delivery is HMAC-SHA256 signed and idempotent, so retries are safe.
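
Why a signed, idempotent delivery makes retries safe, as an added example that is not the plugin's or the service's code: the function names, the choice of signing the raw JSON body with a shared secret, and deriving the batch ID from the body hash are all assumptions.

```php
<?php
// Added illustration, not the plugin's or the service's code. The signing
// input, the batch-ID derivation and the in-memory $seen store are assumptions.

/** Sender side: serialise the queued events and sign the exact bytes sent. */
function example_sign_batch(array $events, string $secret): array
{
    $body = json_encode($events, JSON_UNESCAPED_SLASHES);
    return ['body' => $body, 'signature' => hash_hmac('sha256', $body, $secret)];
}

/** Receiver side: authenticate first, then de-duplicate, then store. */
function example_receive_batch(string $body, string $signature, string $secret, array &$seen): string
{
    // Verify over the raw body before parsing it; hash_equals() is constant-time.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $signature)) {
        return 'rejected';
    }

    // The batch ID is derived from the authenticated bytes, so a retry (or a
    // replayed copy) of the same batch maps to the same ID and is not counted twice.
    $batchId = hash('sha256', $body);
    if (isset($seen[$batchId])) {
        return 'duplicate';
    }
    $seen[$batchId] = true;

    return 'stored';
}

// Constructed sample batch and secret.
$secret = 'example-shared-secret';
$events = [
    ['type' => 'page_view', 'url' => '/shop/', 'ts' => 1736164800],
    ['type' => 'add_to_cart', 'url' => '/product/example/', 'ts' => 1736164860],
];
$msg  = example_sign_batch($events, $secret);
$seen = [];

echo example_receive_batch($msg['body'], $msg['signature'], $secret, $seen), "\n"; // first delivery
echo example_receive_batch($msg['body'], $msg['signature'], $secret, $seen), "\n"; // retry after a timeout

// One byte changed in transit: the signature no longer matches the body.
$tampered = str_replace('/shop/', '/shoq/', $msg['body']);
echo example_receive_batch($tampered, $msg['signature'], $secret, $seen), "\n";
```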

WooCommerce is optional: on a plain WordPress site you get cookieless web analytics; with WooCommerce you also get the e-commerce metrics.

= External service: Trackless (please read) =

This plugin is a connector for **Trackless** (https://trackless.cz), a hosted analytics service. It is **not** a standalone statistics plugin — the reports live in your Trackless account, and the plugin sends data to the service's ingest endpoint at `https://trackless.cz/ingest`.

**When data is sent:** only after you enter your API key **and** explicitly tick the Data Processing Agreement (DPA) consent checkbox in the plugin settings. Until you do both, the plugin collects and sends nothing.

**What is sent (once a day, HMAC-signed):**

* Anonymous traffic aggregates: hashed visitor identifiers (keyed HMAC, daily-rotating), hashed IPs, page URLs, referrers, UTM parameters and click IDs, device/browser/OS, country code, language
* With WooCommerce: order data including order ID, totals and refunds (amounts), currency, payment method, shipping method, order status, attribution, and line items with prices and (if configured) per-unit purchase costs
* Site metadata: site name, domain, timezone, currency, order statuses, product categories, carriers, payment gateway names

**Terms and pricing:** Trackless is a paid service with a 30-day free trial; you need a Trackless account and API key to use this plugin.

* Terms of Service: https://trackless.cz/en/obchodni-podminky
* Data Processing Agreement (DPA): https://trackless.cz/en/zpracovatelska-smlouva

== Installation ==

1. Install the plugin from the WordPress.org directory (Plugins → Add New → search for "Trackless"), or upload the ZIP via Plugins → Add New → Upload Plugin. Activate it.
2. Create a Trackless account at https://trackless.cz (30-day free trial) and copy your API key from Account management.
3. Go to Settings → Trackless, paste the API key, tick "Enable data collection and sending" and confirm the Data Processing Agreement. Save.
4. (Optional) Click "Send now" to deliver the first batch immediately; afterwards data is sent automatically once a day via WP-Cron.

== Frequently Asked Questions ==

= Does it work without WooCommerce? =

Yes. On a plain WordPress site you get the full cookieless traffic analytics (visits, sources, pages, devices, countries). WooCommerce only adds the e-commerce part: orders, revenue, margin and product events.

= Do I need a cookie consent banner for this plugin? =

The plugin itself stores nothing in the visitor's browser — no cookies, no localStorage — and only ever processes a keyed, daily-rotating hash instead of raw identifiers. So this plugin does not give you a reason to add a consent banner. (Whether the rest of your site needs one is a separate question, and this is not legal advice.)

= What about Global Privacy Control and Do Not Track? =

Global Privacy Control (`Sec-GPC: 1`) is honoured: such visitors are not tracked at all. The deprecated Do Not Track signal is intentionally ignored, matching common industry practice.

= Will it slow down my site? =

No measurable effect. A page view costs one INSERT into a local queue table — there is no JavaScript, no external request during the visit. Everything is sent to Trackless once a day in the background (WP-Cron).

= Do I need a Trackless account? Is it free? =

You need an account at https://trackless.cz — the plugin is only a connector to the Trackless service. The service is paid, with a 30-day free trial; see the pricing on the website.

== Screenshots ==

1. Plugin settings — paste your API key, agree to the Data Processing Agreement, and fine-tune self-referral domains. Excluded IP addresses are managed in your Trackless account and applied automatically. Nothing is collected or sent until you opt in.
2. Status panel — see how many events are queued and when traffic and orders were last sent, and flush the queue immediately with the "Send now" button.
3. Guided setup — until your API key is in place, a one-step reminder links straight to the Trackless settings.
4. Example dashboard in your Trackless account (sample data): traffic, revenue, margin and conversion, an order-based pricing band, and GA4 channel groups — the reports this plugin feeds.

== Changelog ==

= 1.1.5 =
* Bot/crawler detection now runs server-side in Trackless: the plugin forwards the visitor's User-Agent and the app decides what is a bot, so the rule is identical across every site and module and is updated centrally without a plugin release. The local bot User-Agent list and the central bot-pattern sync have been removed.
* Excluded IP addresses are now configured only in Trackless (Můj účet, "My account"). The local excluded-IP field has been removed; the plugin applies the centrally managed list it receives via the ingest response (single addresses and CIDR ranges, IPv4 and IPv6). The IP match still runs on your server, because that is the only place the real visitor IP is seen — Trackless itself only ever receives a salted, irreversible hash.

= 1.1.4 =
* Bot/crawler filter is now managed centrally in your Trackless account: the User-Agent list you keep there is applied automatically by the plugin (taking precedence over the local default). One place to maintain it across all your sites; your local list is kept as a fallback.

= 1.1.3 =
* Excluded IP addresses now also accept CIDR ranges (IPv4 and IPv6), not just single addresses.
* IP addresses you exclude centrally in your Trackless account are now applied by the plugin automatically, alongside your local list. Your local list is kept.

= 1.1.2 =
* Expanded the default bot User-Agent filter to match the PrestaShop module: SEO crawlers, monitoring/uptime services, headless browsers and common HTTP libraries are now filtered out by default, for cleaner human-only stats. Any custom list you saved is kept.

= 1.1.1 =
* New setting: Excluded domains (self-referral) — return visits from payment gateways keep their original source. Pre-filled with common gateways.
* New setting: Filtered robots (User-Agent) — the bot filter is now editable.
* Clearer wording of the developer-only multi-currency note.

= 1.1.0 =
* Internationalization: all user-facing strings are translatable (text domain `trackless`), English source strings, bundled Czech and Slovak (cs_CZ, sk_SK) translations.
* readme rewritten for the WordPress.org plugin directory, including the external-service disclosure.
* Hardening pass: stricter capability checks (`manage_options` on save and send), escaping of all admin output, sanitization of all inputs, fuller uninstall cleanup (salt, transients, cron).

= 1.0.1 =
* Visitor fingerprint and IP hash switched to keyed HMAC-SHA256; the order `ip_hash` now uses the identical construction as the tracker (cross-day attribution join).
* Fix: corrupt queue rows are deleted on fetch instead of being re-scanned forever.
* Fix: `trackless_conversion_rate` filter values NAN/INF are clamped to 1.
* Fix: X/Twitter is matched exactly (x, x.com, t.co) — sources merely containing the letter "x" are no longer classified as social.
* Fix: plain HTTP clients (curl, wget, python-requests) are treated as bots and not tracked.
* Fix: 3-letter geo header country codes (e.g. AUT) are skipped instead of being cut to a different country's 2-letter code.

= 1.0.0 =
* Initial release: cookieless server-side traffic analytics; with WooCommerce also orders, revenue and margin.

== Upgrade Notice ==

= 1.1.5 =
Bot/crawler detection moved server-side: the plugin now forwards the User-Agent and Trackless decides what is a bot. Excluded IP addresses are now managed in your Trackless account (the local field is removed) and applied automatically by the plugin. The local bot list and central bot-pattern sync are removed.

= 1.1.4 =
The bot/crawler filter can now be managed centrally in your Trackless account and is applied automatically. Your local settings are kept.

= 1.1.3 =
Excluded IPs now support CIDR ranges and exclusions you manage centrally in your Trackless account. Your settings are kept.

= 1.1.2 =
Larger default bot filter (SEO crawlers, monitoring, headless browsers, HTTP libraries). Your settings are kept.

= 1.1.1 =
Two new settings: excluded self-referral domains (pre-filled with payment gateways) and an editable bot User-Agent filter. Settings are kept.

= 1.1.0 =
Translation-ready (English strings + Czech and Slovak translations), WordPress.org-ready readme and a security hardening pass. No data-format changes; settings are kept.
