Privacy Policy
Last updated: 15 July 2026
1. Who runs this site
This personal website is run by one developer in Ukraine ("I", "me"). I decide why and how I process the data described here, which makes me the controller for that processing. Privacy questions and requests can be sent to [email protected].
2. What is collected
| When | Data |
|---|---|
| Any request | Your IP address and normal request headers reach the CDN and server so they can return the page and protect the service. |
| First-party analytics | Page path and query string, referrer hostname, time, site hostname, browser and device type, approximate country, region, city, timezone, and IP-derived coordinates, ISP/ASN, an IP-derived visitor hash, and a short activity-based session identifier. |
| Feedback or email | Your email address, message, attachments, IP address, user agent, referrer, and submission time. Feedback also uses Cloudflare Turnstile and is delivered to me through Discord. |
| Push notifications | Your browser's push endpoint and encryption keys, plus the notification topics you select. |
| Protected features | Authentication tokens and the limited settings needed to keep a private or administrative feature working. |
| Tool use | Inputs, files, URLs, searches, or settings you submit to a tool, plus the output needed to complete the request. |
The analytics system is self-hosted. It does not use an analytics cookie, a local-storage identifier, advertising technology, or cross-site tracking. Its visitor hash is pseudonymous, not anonymous: I hold the key and can test a supplied IP address against it.
In the analytics database, IP addresses are masked for visitors located in the EEA, United Kingdom, or Switzerland, and when the country is unknown. Full IP addresses may be retained for other locations. A selected visitor's full IP may also be recorded for up to three days while investigating abuse.
3. Why it is used
- to deliver pages and features you request;
- to measure traffic and understand which parts of the site are used;
- to detect abuse, enforce rate limits, and investigate security issues;
- to handle feedback, support, and security reports;
- to send notifications only after you enable them.
I do not sell personal data or use it for advertising. Any visitor numbers shared publicly or with a project partner are aggregate statistics, not individual visitor or session records.
4. Legal basis where the GDPR applies
First-party analytics, service security, feedback handling, and operation of requested features rely on legitimate interests under GDPR Art. 6(1)(f): maintaining the site, responding to users, understanding its use, and preventing abuse. Push notifications rely on your consent under Art. 6(1)(a), which you can withdraw by unsubscribing.
I do not make automated decisions about you. Anyone can send a privacy request; which legal rights apply depends on the circumstances and applicable law.
5. Cookies and browser storage
Analytics does not write to or read from your device. Other features use browser storage only when relevant:
- authentication cookies or tokens for protected areas;
- notification topics and push-subscription state;
- small feature preferences, such as whether an in-app notice was already shown.
Cloudflare Turnstile loads when you open the feedback form and may use its own storage and signals to distinguish people from bots.
6. Who receives data
| Recipient | Role |
|---|---|
| VPS hosting | Runs the API and stores first-party analytics. |
| Cloudflare | Provides CDN, DNS, DDoS protection, coarse network/location headers, and Turnstile. It receives request data including your full IP. |
| ipapi.co | Receives an IP address when network or location details missing from the request need to be filled in. |
| Discord | Receives feedback content, contact details, request metadata, and attachments submitted through the feedback form. |
| Email provider | Handles messages sent to or from the site's email addresses. |
| Browser push provider | Delivers notifications after you subscribe. |
| External APIs and content hosts | Receive normal request data or relevant tool input when a feature loads third-party content, checks a listed service node from your browser, or asks an external service to complete your request. Examples include GitHub-hosted files and supported media sources. |
Some providers may process data outside the EEA. Where the GDPR applies, transfers rely on an applicable adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses. Current provider and safeguard details are available from [email protected].
7. Retention
Analytics records are retained while the site or related projects remain active and while the records remain useful for long-term traffic comparison, maintenance, or security. I review them periodically and delete them when those purposes end or the records are no longer useful for them. Temporary full-IP collection ends after no more than three days.
Feedback, attachments, and email are kept while needed to handle the conversation, investigate abuse, or protect legal rights. Push subscriptions remain until they are removed, replaced, or rejected as invalid by the push service. Authentication and browser settings remain until they expire, you sign out, or you clear them.
8. Your choices and rights
You can ask to access, correct, delete, or restrict personal data about you, and you can object to first-party analytics. Where applicable, you may also request portability or complain to a data protection authority. Send requests to [email protected].
Analytics does not contain your name. An IP address and rough date may be needed to find a matching record. You do not have to provide them, but without enough information I may be unable to identify which records are yours.
You can withdraw push-notification consent at any time by unsubscribing or removing the site's notification permission.
9. Changes and contact
This policy may change with the site. The date above will change when it does. Privacy questions and requests: [email protected].