This page argues Harvv's analytics pixel meets the OAIC's November 2024 tracking-pixel guidance by default. Written by Harvv's founder. We are an interested party. Citations link to primary sources so you can verify the claims yourself.
16KB behavioural pixel. Zero personal information collected by default. Structurally aligned with the OAIC's 4 November 2024 tracking-pixel guidance and Australian Privacy Principle 3. No consent banner. No configuration. No data residency drama.
The Office of the Australian Information Commissioner published explicit guidance on tracking pixels. It is the most pixel-specific document any regulator has published anywhere in the world. The key passage:
"Personal information collected via a tracking pixel may include an IP address, URL information, or a hashed email address, if that information is able to be linked or matched with other information that identifies the individual. A 'set and forget' approach to deploying tracking pixels is not acceptable under the Privacy Act."
The penalty for getting it wrong was raised in 2022 to the greater of A$50 million, three times the benefit obtained, or 30 percent of adjusted turnover. On 8 October 2025 the Federal Court imposed the first-ever civil penalty under the Privacy Act 1988: A$5.8 million against Australian Clinical Labs. The enforcement era is no longer theoretical.
Every cell below is what each tool collects in its default, out-of-the-box configuration, sourced from the vendor's own public documentation. The OAIC's definition of personal information is the regulator's, not ours.
| Data field | Harvv | GA4 | Meta Pixel | Mixpanel |
|---|---|---|---|---|
| IP address | no | transient (still PII per Italian Garante) | collects by default | collects by default |
| Browser/device fingerprint | no | collects by default | collects by default | collects by default |
| Cross-site tracking cookie | no | collects by default | collects by default | first-party only |
| User-agent string | no | collects by default | collects by default | collects by default |
| Geolocation (derived from IP) | no | collects by default | collects by default | collects by default |
| Email hash on identify() | no | optional (operator decision) | via Automatic Advanced Matching | optional (operator decision) |
| Session recording with DOM | no | no | no | no |
| Default pixel size (gzip) | 16 KB | ~50 KB | ~40 KB | ~30 KB |
| Requires consent banner in AU? | No | Yes | Yes | Yes |
Several tools have shipped privacy modes you can turn on (Microsoft Clarity defaults to IP masking; Hotjar anonymises IPs; PostHog EU Cloud disables IP capture by default). That is real progress. But all of it depends on the operator (a) knowing the toggle exists, (b) flipping it correctly, and (c) keeping it on across upgrades. The OAIC explicitly warned against the “set and forget” pattern. Configuration drift is exactly that.
Harvv was designed with zero PII collection in 2025, before the OAIC published their guidance. There is no toggle to flip, no Property Filter App to install, no Consent Mode v2 to wire up, no server-side Google Tag Manager to deploy. The compliance moat is the absence of the data, not the presence of a switch.
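A repeatable check against the configuration drift described above, as an added example (not Harvv's code or any vendor's): it scans one captured beacon request for the identifier categories the OAIC guidance names. The field-name list, the collector URL and both sample requests are constructed assumptions.

```javascript
// Heuristic audit of one captured analytics beacon for IP addresses,
// hashed identifiers and persistent IDs. Patterns are assumptions, not a standard.
const HEX_DIGEST = /^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$/i; // MD5/SHA-1/SHA-256 lengths
const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/;
const ID_NAME = /^(?:_?cid|uid|user_?id|client_?id|distinct_id|device_?id|_ga|_fbp)$/i;

// Flatten query-string and JSON-body fields into [name, value] pairs.
function collectFields(req) {
  const fields = [...new URL(req.url).searchParams.entries()];
  const walk = (obj) => {
    for (const [k, v] of Object.entries(obj)) {
      if (v !== null && typeof v === "object") walk(v);
      else fields.push([k, String(v)]);
    }
  };
  if (req.body) {
    try {
      const parsed = JSON.parse(req.body);
      if (parsed && typeof parsed === "object") walk(parsed);
      else fields.push(["body", String(parsed)]);
    } catch { fields.push(["body", req.body]); } // non-JSON body: scan it as one value
  }
  return fields;
}

// Payload-only check: the sender's IP always reaches the collector at the
// network layer, so what the server stores needs a separate review.
function auditBeacon(req) {
  const findings = [];
  const hasCookie = Object.keys(req.headers || {}).some((h) => h.toLowerCase() === "cookie");
  if (hasCookie) findings.push({ type: "cookie", field: "Cookie header" });
  for (const [name, value] of collectFields(req)) {
    if (HEX_DIGEST.test(value)) findings.push({ type: "possible-hashed-identifier", field: name });
    else if (IPV4.test(value)) findings.push({ type: "ip-address", field: name });
    if (ID_NAME.test(name)) findings.push({ type: "persistent-id", field: name });
  }
  return findings;
}

// Constructed sample requests (not captured from any real product).
const SAMPLE_CLEAN = { url: "https://collector.example/e?ev=rage_click&depth=75",
  headers: {}, body: '{"lcp_ms":1840,"dead_clicks":2}' };
const SAMPLE_LEAKY = { url: "https://collector.example/e?cid=1234567890.1700000000&ev=pageview",
  headers: { Cookie: "sid=abc" },
  body: JSON.stringify({ em: "0123456789abcdef".repeat(4), ip: "203.0.113.7" }) };
```

Run it over requests exported from the browser's network panel after every tag or SDK upgrade; a non-empty result for a tool that is supposed to be identifier-free is the drift signal.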
The Australian Research and Development Tax Incentive offers organisations under A$20 million aggregated turnover a 43.5% refundable tax offset on eligible R&D expenditure. If your team uses Harvv to test product hypotheses, validate technical decisions, or measure the result of A/B experiments, the subscription cost may qualify as eligible expenditure.
The minimum eligible spend is A$20,000 of total R&D activity for the income year. Harvv Pro at approximately A$528/year per site is a small line item, but a meaningful one when combined with engineering time.
We are not tax counsel. Talk to your R&D tax adviser. Programme details at business.gov.au.
Prices shown in USD with approximate AUD conversion at current rates. Charges convert to AUD at checkout.
No. The OAIC's 4 November 2024 tracking-pixel guidance treats IP addresses, persistent IDs, and hashed emails as personal information when they can be linked to other data. Harvv's default install collects none of these. There is no personal information to consent to, so no banner is required for Harvv. A site that uses GA4, Meta Pixel, or Mixpanel alongside Harvv may still need a banner for those other tools.
GA4 still transmits the full IP address to Google's servers, processes it in memory to derive geolocation, then discards it. The Italian Garante (Order 224/2022) and Austrian DSB (D155.027, December 2021) both ruled that this transient processing still constitutes a transfer of personal data. The OAIC's Australian guidance follows the same logic. Configuration toggles do not fix architectural data flow. Harvv never has the IP address to discard in the first place.
The European Commission's proposed COM(2025) 837 final, published 19 November 2025, would, if adopted (expected mid-to-late 2026), exempt first-party aggregated audience measurement from cookie consent across the EU-27. Harvv's pixel structurally qualifies for that exemption: first-party, aggregated, controller's own use, no cross-border transfer. The wedge shape shifts but the structural advantage holds. Post-Omnibus, the GA4 and Meta Pixel banner requirement persists because data still leaves the controller's jurisdiction. Ours does not.
If your organisation is under A$20m turnover and uses Harvv data to test product hypotheses, run experiments, or validate technical decisions, the subscription may qualify as eligible R&D expenditure. Talk to your R&D tax adviser. We are not tax counsel; the regime details are at business.gov.au/grants-and-programs/research-and-development-tax-incentive. The minimum spend is A$20,000 in eligible R&D activities for the year.
Harvv events are processed in our infrastructure (currently US-based). Because no personal information is collected, the Schrems II-equivalent transfer concerns under Australian Privacy Principle 8 do not apply. There is no personal data to transfer in the first place. The aggregate behavioural counts (dead clicks, rage clicks, scroll depth, LCP timing) are not personal information under APP 3.
Free tier: 1 site, 50,000 events per month. Pro: USD $29 per month (approximately AUD $44), 3 sites, 500,000 events per site per month. Both tiers get every detector. No credit card required for the free tier. AUD pricing displayed at checkout; charges convert at the prevailing rate.
One script tag. 30 seconds. The pixel was built to be Privacy-Act-compliant before the guidance was written.