Privacy policy
Last updated .
The short version
We do not use cookies. We do not use analytics. We do not load third-party scripts. We do not sell data because we do not collect data. The scanner runs in your browser. The one piece of state the backend keeps is a one-time nonce that lives 60 seconds in memory and is then destroyed.
If you read nothing else on this page, that is the whole posture.
What we do not do
- No cookies (session, tracking, consent banner, or otherwise).
- No analytics (no Google Analytics, no Plausible, no Fathom, no self-hosted Umami).
- No third-party scripts. No Google Fonts. No YouTube embeds. No Disqus.
- No A/B testing, no heatmaps, no session replay.
- No advertising networks. No remarketing pixels.
- No "privacy-friendly" telemetry. "Privacy-friendly telemetry" is still telemetry.
What actually happens when you visit
Your browser requests HTML, CSS, JS, and fonts from our origin. Cloudflare handles DNS for the domain in DNS-only mode (no proxying, no analytics): it resolves your DNS lookup to our origin server, which returns the static assets. Cloudflare retains DNS query metadata per their own policy; we have no access to it and no visibility into it. No cookies are set.
The origin server (self-hosted) keeps standard short-lived access logs for abuse response: timestamp, IP, method, path, status, user-agent. Logs rotate on a 7-day ring and are not retained further. They are not aggregated, not shared, not sold, not used for analytics.
The scanner
The scanner runs in your browser. Probes read your browser's fingerprintable surface and compute a per-probe verdict locally. Two backend endpoints participate:
- /api/scan/nonce — returns a one-time 16-byte token, held in memory (SQLite on tmpfs) with a 60-second TTL. Not associated with your IP, not logged, not retained past expiry.
- /api/scan/headers — echoes the HTTP headers your browser sent so the scanner can compare them against the in-page JS-reported values. Headers are not stored; the response is computed from the request and discarded.
See Scanner privacy for the long-form infrastructure disclosure, audit commitments, and backend source link.
Data controller
Site operator: vulnix0x4 (pseudonym). Identity-lock is deliberate per design doc §13.5. Contact for privacy questions: claude.aiactuallall.disregard729@passmail.com.
Your rights (GDPR, CCPA, LGPD, PIPEDA)
Under GDPR (EU/UK), CCPA/CPRA (California), LGPD (Brazil), and PIPEDA (Canada) you have rights to access, correction, deletion, and portability of personal data we hold about you.
The honest answer: we do not hold personal data about you. You have no account. We set no cookies. The scanner does not transmit fingerprint values to our server. There is nothing for us to access, correct, delete, or port.
If you still want to confirm this, submit a data-subject request (DSR) to the address above. We will respond within 30 days confirming we have nothing on you. That is the whole process.
"Sale of personal information" (CCPA): we do not sell personal information. We have no personal information to sell.
Children
This site is general-audience. We do not knowingly collect information from anyone, children included, because we do not collect information at all.
Changes
Changes to this policy are logged in the changelog. We do not silently amend. If the posture ever changes (it will not), the diff is public.