Effective date: 2026-04-04

The short version: this site does not track you, profile you, or sell anything about you. It uses a session cookie only to remember that you are logged in.

1. What We Collect

Session data. When you log in, the server sets a single HMAC-signed session cookie that records your authentication tier. It contains no personally identifying information beyond what you provided at login. It expires when you log out or your browser session ends.

Server logs. The web server logs standard HTTP request data for every request: IP address, requested URL, HTTP method, response status code, response size, timestamp, and User-Agent string. These logs exist for security and operational purposes only. They are not used for advertising, not sold, and not shared with third parties for commercial purposes.

Login attempts. Failed login attempts are rate-limited by IP address. The IP address and timestamp of failed attempts may be retained for security purposes.

2. Cookies

One cookie is set when you log in: a session cookie containing your authentication tier, signed with HMAC. No tracking cookies. No advertising cookies. No analytics cookies. No third-party cookies.

If you do not log in, no cookies are set.

3. What We Do Not Collect

  • No advertising identifiers.
  • No device fingerprints.
  • No behavioral tracking.
  • No analytics scripts.
  • No social media widgets.
  • No external fonts or CDN assets.

All assets are served from undefect.com directly.

4. Third-Party Services

Links to GitHub, GitLab, and upstream project repositories are external. Their own privacy policies apply when you follow those links.

Donation processing is handled by a third-party payment processor. Their privacy policy governs data collected during that transaction.

5. IP Address Logging and Retention

Your IP address appears in server access logs as part of normal HTTP operation.

Normal traffic: Access logs are retained for 30 days, then purged automatically.

Abusive traffic: IP addresses that engage in abusive behavior — including automated attacks, credential stuffing, vulnerability scanning, or excessive scraping — may be subject to extended logging and record retention. Records associated with abusive behavior may be retained indefinitely for security purposes, including potential disclosure to upstream infrastructure providers and abuse contacts.

IP geolocation data may be derived from IP addresses appearing in logs. This data is used for security analysis only.

6. What We Do Not Do

  • We do not sell or rent IP addresses or traffic data.
  • We do not cross-reference server logs with personal identity information.
  • We do not use behavioral data for advertising targeting.
  • We do not run client-side tracking or fingerprinting scripts.

7. Children

This site contains technical security research. It is not directed at children under 13.

8. Contact

Privacy questions: privacy@undefect.com

Access issues or concerns about retained records: security@undefect.com

9. Changes

The effective date at the top of this page reflects the most recent revision.