Privacy Policy

What we collect, why, and what you can do about it.

Last updated: February 2026

1. Information We Collect

This is a personal website with blog, tools, and guides. Here's exactly what we collect:

When you browse (no account needed)

  • Page view analytics - Page path, referrer, browser type, and a non-reversible hash of your IP address. We don't use Google Analytics or any third-party tracking. This is our own lightweight, server-side system.
  • Bot detection - We flag automated traffic at the time of the request so we can filter it from reports.

When you create an account

You can sign in with a magic link (email) or through Google, GitHub, or LinkedIn. We store:

  • Email address - Required. Used for login and communication.
  • Name, bio, avatar - Optional. You choose what to share.
  • OAuth provider data - If you sign in via Google, GitHub, or LinkedIn, we receive your profile name, email, and avatar from that provider. We store these to display on your account page.
  • Login tokens - Temporary magic link tokens (expire in 1 hour) and session data.
  • Topic interests & newsletter preferences - Your selections, stored to personalize your experience.

When you submit the contact form

  • Name, email, message - What you type into the form.
  • IP address and browser info - Collected for spam prevention.

When you unlock gated guide content

  • Email address - Used to send a verification link.
  • Unlock token - Stored in a cookie (1 year) so you don't have to re-verify.
  • IP address and browser info - For abuse prevention.

2. How We Use Information

  • Authenticate you and maintain your session
  • Display your profile on your account page
  • Deliver gated content you've unlocked
  • Understand aggregate traffic patterns (which pages are popular, where traffic comes from)
  • Prevent spam and abuse
  • Respond to contact form messages

We do not sell, trade, or share your information with third parties. We do not run ads. We do not build advertising profiles.

3. Cookies

We use functional cookies only. No tracking or advertising cookies.

  • Session cookie - Standard PHP session for login state. Expires when you close the browser.
  • Persistent login - When you sign in via OAuth (Google, GitHub, LinkedIn), a cookie keeps you signed in between visits (expires in 1 year).
  • Guide unlock cookies - One per guide you've unlocked, so you don't re-verify each visit (1 year).
  • Cache variation - A cookie that tells our server cache whether you're logged in, so it serves the right version of pages.
  • Theme/settings - Your display preferences (dark/light mode, accent color) stored in localStorage, not cookies.

We do not use third-party analytics cookies. No Google Analytics, no Meta Pixel, nothing like that.

4. Third-Party Services

  • Google Fonts - For typography (Space Grotesk, JetBrains Mono). Google may collect usage data per their privacy policy.
  • OAuth providers - If you choose to sign in via Google, GitHub, or LinkedIn, those services handle the authentication flow. We only receive the profile information you authorize. Each provider has its own privacy policy.

That's it. No CDNs, no embedded social widgets, no third-party analytics.

5. Data Retention

  • Analytics - Page view data can be purged periodically. IP hashes are non-reversible.
  • Contact submissions - Kept until manually deleted by the site admin.
  • User accounts - Kept until you delete your account.
  • Guide unlocks - Kept for reporting purposes.

6. Your Rights

You have control over your data:

  • Delete your account - Go to your account page and use the "Delete Account" option. This permanently removes your profile, connected social accounts, topic interests, and newsletter subscriptions.
  • Unlink OAuth providers - Remove connected Google, GitHub, or LinkedIn accounts from your account page at any time.
  • Contact form data - Reach out via the contact page to request deletion of your submissions.

If you have concerns about any data we hold, reach out and we'll sort it out.

7. Security

  • Passwords are never stored in plain text (we use magic links, not passwords).
  • IP addresses in analytics are stored as non-reversible HMAC hashes.
  • All forms use CSRF protection.
  • OAuth state parameters are validated to prevent cross-site attacks.
  • Disposable/temporary email addresses are blocked at registration.

8. Changes to This Policy

If this policy changes significantly, we'll update the date at the top. Continued use after changes means you accept the updated terms.

9. Contact

For privacy-related questions, reach out via the contact page.