This project uses a privacy-first analytics model with an explicit opt-in consent default and a local-only event buffer.
- Default state: analytics is disabled.
- No cookies are required.
- No device fingerprinting or cross-site identity is used.
- Consent is stored locally in
localStorageonly:- key:
lemmings.analytics.consent.v1 - values:
grantedordenied
- key:
Runtime query overrides:
?analytics=1enables consent for the session and storesgranted.?analytics=0(or?analytics=off) disables consent and storesdenied.?analyticsOff=1forces runtime disable regardless of consent.
Analytics events are schema-locked and low-cardinality:
visitor.page_viewgameplay.level_selectgameplay.midi_togglegameplay.saved_leveleditor.actionruntime.boot_error
Only bounded enum/boolean/integer fields are captured. Free-form text payloads and high-cardinality identifiers are intentionally excluded.
Events are stored in a fixed-size in-memory ring buffer and mirrored to
localStorage:
- key:
lemmings.analytics.buffer.v1 - schema version:
1 - explicit export/import API for local workflows:
window.__LEMMINGS_ANALYTICS__.exportBuffer()window.__LEMMINGS_ANALYTICS__.importBuffer(data, { replace })window.__LEMMINGS_ANALYTICS__.clearBuffer()
This supports development telemetry with no backend service.
Managed beacon delivery is optional and disabled by default.
Enable only when all conditions are met:
- consent is granted,
- a valid HTTPS endpoint is configured,
- managed beacon is explicitly requested.
Runtime controls:
?analyticsBeacon=1requests managed beacon delivery.?analyticsSample=<0..1>sets managed-beacon sampling.
Endpoint sources:
- runtime override (
__LEMMINGS_ANALYTICS_BEACON_ENDPOINT__) <meta name="lemmings-analytics-endpoint" content="https://...">
Hard-disable (deployment-wide):
__LEMMINGS_ANALYTICS_HARD_DISABLED__ = true- or
<meta name="lemmings-analytics" content="off">
Runtime disable:
__LEMMINGS_ANALYTICS_DISABLED__ = true- or query
?analyticsOff=1
Even when analytics code is present, these switches keep collection disabled.