Where exactly does Matomo anonymize IP addresses? Is it on the IIS server, before the database, or only when showing on the Matomo dashboard?


We are testing out a self-hosted implementation of Matomo and due to privacy/GDPR reasons we want to be extra sure we know exactly where the IP anonymization takes place so that we can be sure we’re not keeping any logs with full IPs either in the database or anywhere else.

Does it get anonymized before it ever touched any application logs (in the IIS server)? Does it get anonymized before or after any logs are put into the database? Or is it anonymized before it shows up on the Matomo dashboard?

Any help at all would be greatly appreciated.

Thanks in advance,

IIS server logs and Matomo databases are two different things. My understanding is that Matomo anonymizes the IP address before it gets stored as a hashed version of it in the database.


Hi Dana, thats not so simple. The IP must be send to the server for a request. Also, the IP is send to the server. Many server logs the request. Apache: access.log. Matomo grab the IP via PHP


on this point and shortened before save it in the database:

Thanks both for the responses.

@melbao Does this mean the request that the IP sends would still not be anonymized until it hits the Database - for example when the request goes through our application load balancer logs before it hits the database?

I do not know your system and for this reason I cannot make any statement about it. Some web hosts and server providers anonymize the IP immediately, some only disguise it, and some not at all.

Without IP, the Internet does not work. Even a domain is only a mask for an IP. IPs are addresses, like postal addresses. Without an address, mail cannot be delivered. Every click on the Internet is an order. Delivery times are at the speed of light. If you don’t tell the pizza delivery guy where to deliver, the pizza won’t arrive.

However, with tracking it is a bit different, as nothing is ordered and nothing is delivered, only information is sent. That’s why tracking is not so popular, because it has no direct benefit for the website viewer.

For more info on masking IPs you need to ask the server operators.


@melbao Thanks so much for that explanation, that makes sense. I think in this case we’ll operate under the assumption that the IPs aren’t masked until it hits the database. Thanks again for the detailed response.

If you need geolocation, have also a look at the following link, in section ** Geolocation Considerations when IP masking**: