How we handle your data.

A short, honest note about what we collect when you visit this site — and what we don't.

Last updated · 29 May 2026

What we collect

Each time you load a page on this site we record one row in our database: the path you visited (e.g. /), the root domain that referred you (e.g. google.com — never the full URL with its query parameters), your browser's reported language, a coarse device class (mobile / tablet / desktop), and a short fingerprint computed from your IP address and browser. The fingerprint is hashed with a daily-rotating secret salt, so we can count unique visitors within a day but cannot link visits across days or back to a specific person.

What we don't

We set no analytics cookies. We use no localStorage, IndexedDB, or any other client-side storage for tracking. We embed no third-party analytics scripts, no social-share widgets, no advertising, no profiling. We do not track you across other sites. If your browser sends a Do Not Track header, the tracker doesn't fire at all.

Why

To know roughly how many people find the site, which pages they read, and where they come from. That's the only purpose — there is no advertising or monetisation tied to this data. The lawful basis is our legitimate interest in understanding usage of our own site (GDPR Article 6(1)(f)); the daily salt rotation and lack of cross-day correlation keep the impact on you minimal.

How long we keep it

Page-view rows are kept indefinitely at the moment. We plan to add automatic deletion of rows older than 24 months and will update this notice once it's in place.

Who sees it

Only us. The data lives in a Postgres database on our own server and is never sent to a third party for analytics. The server logs (nginx, application) are accessible to the technical team for operating the platform, on the same legal basis and with the same retention plan.

Your rights

You can ask for a copy of the data we hold about you, or for its deletion. Email haloceteki@hotmail.com. Realistically: because the fingerprint rotates daily and isn't reversibly linked to you, we may not be able to identify which rows belong to your visits — but we'll do our best with whatever identifier you can provide (the IP you used, the approximate time of your visit, etc.).

Account & sign-in

If you sign in to download the Android build, your authentication is handled by auth.haloceteki.eu (our self-hosted OpenIddict identity server). That sign-in sets a session cookie under auth.haloceteki.eu and an OIDC token cookie under this site, both strictly necessary to keep you signed in for the download. We don't sign you up for anything beyond the account you create, and we don't share your email with any third party.

Invite requests

If you use the self-service form at auth.haloceteki.eu/Request to ask for an invite, we collect your email, your name (if you provided one), the app you requested access to, and your message. We also store your IP and user-agent briefly — both are cleared as soon as the request is decided. The confirmation link we send you contains a token stored only as a SHA-256 hash; the live token is sent in the email and never written to disk. Declined requests are kept for 30 days as anti-abuse history, approved requests link to the resulting invite code, and spam-marked requests are deleted after 90 days.

Changes to this notice

If we change how we handle data, we'll update this page and note the change in the date at the top. There's no separate notification — checking back here from time to time is on you.