SysRadar

Descrição

SysRadar is a server-side, privacy-first alternative to Google Analytics and Plausible — built in Brazil, hosted in Brazil, fully LGPD/GDPR-compliant.

Unlike GA4 (which requires cookies and complicated LGPD setup) and Plausible (which only sees human visitors with JavaScript enabled), SysRadar captures 100% of real requests to your server: humans, AI bots (ClaudeBot, GPTBot, PerplexityBot), SEO crawlers (Ahrefs, Semrush), attackers (sqlmap, nuclei, wpscan), RSS readers, uptime monitors — all categorized in real time.

Why this matters in 2026

• 30 to 60% of your traffic is bots. You never knew — because GA4 and Plausible filter bots automatically. But it’s your server serving those bots, your bandwidth, your cost.
• AI crawlers (Claude, GPT, Perplexity) are indexing your content right now. If you don’t know what they are reading, you can’t optimize. The first sites to appear in AI answers will win the next decade of SEO.
• Attackers are continuously scanning /wp-admin/, /xmlrpc.php, /.env. Wordfence Free does not block them. Cloudflare lets them through. You don’t even know they exist.
• Web Vitals (LCP, CLS, INP) — Google ranks search results by them. Lighthouse on your machine ≠ real user. SysRadar measures with RUM (Real User Monitoring) data.

What the plugin does

1. Injects the tracker (one line of JS, ~2KB minified, async) into the <head> of all front-end pages via the wp_head hook
2. Auto-detects WooCommerce, Elementor, Yoast SEO, Rank Math, Contact Form 7, BuddyPress, LearnDash, bbPress, All-in-One SEO
3. Auto-excludes: admin pages, AJAX, REST API, cron jobs, and logged-in users with edit-posts capability (admins/editors)
4. Honors DNT: 1 (Do Not Track) optionally
5. Compatible with cache plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache, Cloudflare APO)
6. Custom domain support (Pro+ plan): use analytics.yoursite.com to bypass aggressive ad-blockers
7. Zero queries to the WordPress database (settings stored in wp_options)

Who is it for

• Bloggers and content creators — discover which AI crawlers are indexing your content (ChatGPT, Claude, Perplexity)
• E-commerce (WooCommerce) — real channel attribution, price-scraper detection, per-product Web Vitals
• Agencies — manage analytics for multiple client sites in a single dashboard (Agency plan)
• Developers — Web Vitals degradation alerts, automatic JS error capture, REST API access

Privacy & compliance

• IP anonymization runs in the plugin, before transmission — last octet zeroed (IPv4) / last 80 bits zeroed (IPv6) inside your WordPress install, so SysRadar never receives identifiable IP addresses
• First-party cookies only (_rdid, _rds) — no cross-site tracking, no fingerprinting. Cookieless mode is available as a one-click toggle
• Split tracking toggles (since v1.1.1) — disable the front-end pixel and the server-side beacon independently
• GDPR/LGPD-friendly: no data brokers, no impression auctions, no persona-building
• Optional Honor DNT (Do Not Track) support
• Servers located in Brazil; data processed under LGPD
• No dependency on Google, Facebook, or any ad-tech vendor

Privacy policy snippet for site owners

You are the data controller for visitors of your site. The paragraph below is a starting point you can paste (and adapt) into your own privacy policy when this plugin is active. Replace the example placeholders with your specifics.

Analytics — SysRadar. We use SysRadar (operated by SysWP, Brazil) for privacy-first server-side analytics. SysRadar receives the page URL you visit, the referrer URL, your user-agent, anonymized IP (last octet zeroed before it leaves our server), Web Vitals metrics (LCP / FCP / TTFB / CLS / INP), and security telemetry on suspicious requests. SysRadar never sets third-party cookies and is configured here in [cookieless mode / standard mode]. We process this data under [legitimate interest in security monitoring / your consent for analytics], depending on the feature. SysRadar privacy policy: https://radar.syswp.com.br/privacy/. To exercise your LGPD/GDPR rights, contact us at [your email].

If you enable cookieless mode in the plugin settings, the _rdid and _rds first-party cookies are not set and you typically do not need a cookie consent banner for SysRadar.

Data subject rights walkthrough

Under LGPD (Brazil) Art. 18 and GDPR (EU) Art. 15–17, your visitors can request access to, correction of, deletion of, and portability of their personal data. Because SysRadar minimizes data at source (anonymized IPs, no names, no emails, no persistent cross-site identifier), most data subject requests are quick to answer:

• Access: show the visitor the categories of data collected — see the table in the plugin’s Settings → SysRadar page and the SysRadar privacy policy at https://radar.syswp.com.br/privacy/.
• Correction: SysRadar does not collect identifiable data that can be “corrected” in the LGPD/GDPR sense. If a visitor still requests correction, document the request and respond confirming the data is anonymized.
• Deletion: events are automatically purged after your plan retention window (7 to 180 days). For earlier deletion of events tied to a specific anonymized IP, the site owner can email contato@syswp.com.br with the timeframe and the IP prefix.
• Portability: the site owner can export all events for their site via the dashboard → Account → Export Data.
• Objection / withdrawal of consent: if the visitor enabled DNT in their browser and you have “Honor DNT” turned on in the plugin, they are automatically not tracked. They can also block first-party cookies in their browser.

Pricing

Free permanent plan with 1 site. Automatic 7-day Pro trial on signup (no credit card). Full pricing and plan details at https://radar.syswp.com.br/pricing.

Roadmap

v1.2 (Q3 2026)

• Mini-dashboard in WP admin showing last 24h numbers
• Web Vitals widget in the WP admin

v1.3 (Q3 2026)

• Auto-detection of SysWP ecosystem siblings + single sign-on via SSO HMAC
• Integration with SysRadar API to fetch config remotely

v1.4 (Q4 2026)

• Server-side events (S2S) — captures even with the most aggressive ad-blockers
• Block AI crawlers directly from the plugin (optional)

External services

This plugin connects to the SysRadar service at https://radar.syswp.com.br. There are two distinct outbound transmissions, both fully disclosed below.

(1) Front-end JS pixel

• When it fires: on every front-end page view from a non-excluded visitor (admins are excluded by default; logged-in users with edit-posts capability are skipped).
• Transport: an async <script> tag loaded from https://radar.syswp.com.br/p/{site_id}.js runs in the visitor’s browser and sends measurement events back to the same domain.
• Data sent: anonymized IP (last octet zeroed in your server before the script even runs, as the pixel is keyed to your site), page URL, referrer URL, user-agent string, browser locale and timezone, Web Vitals metrics (LCP, FCP, TTFB, CLS, INP).
• Cookies set: _rdid and _rds first-party cookies — unless cookieless mode is enabled in the plugin settings, in which case no cookies are set.
• Legal basis: consent (cookie + analytics) or legitimate interest depending on your jurisdiction. See the “Privacy & compliance” section above.

(2) Server-side beacon (new in v1.1.0+)

• When it fires: only for requests the JS pixel cannot see — unauthenticated requests to /wp-json/, xmlrpc.php, admin-ajax.php, wp-login.php, and direct probes of /wp-admin/. Skipped for cron, WP-CLI, and excluded users.
• Transport: a fire-and-forget wp_remote_post to https://radar.syswp.com.br/api/v1/pixel/server-beacon, dispatched on the WordPress shutdown action AFTER the page response is delivered, using fastcgi_finish_request() + blocking => false for zero added page latency.
• Data sent: site ID, HTTP method, request URI (truncated to 500 chars), anonymized IP (last octet zeroed inside this plugin before transmission), user-agent (truncated to 1000 chars), referer (truncated, escaped), HTTP response status code, request-type label (rest / xmlrpc / ajax / login / admin_unauth / other), plugin version, DNT header value, cookieless-mode flag.
• Data NOT sent: logged-in user identities, post content, form submissions, payment data, cookies, session tokens — none of these ever transit the beacon.
• Legal basis: legitimate interest in security monitoring under LGPD Art. 7º IX / GDPR Art. 6(1)(f). No visitor consent is required for security telemetry of suspicious unauthenticated requests, per regulator guidance. Disclosure remains mandatory and is provided in the privacy policy snippet above.

Common to both

• Servers are located in Brazil.
• Data is processed in compliance with LGPD/GDPR.
• sslverify is always true on outbound HTTP — never relaxed.
• No personally identifiable information (no name, no email, no full IP, no cross-site identifier) leaves your WordPress install.

Service links

• Service URL: https://radar.syswp.com.br
• Privacy policy: https://radar.syswp.com.br/privacy/
• Terms of service: https://radar.syswp.com.br/terms/
• Plugin setup + LGPD guide: https://radar.syswp.com.br/docs/plugin-setup/