Privacy Policy

This Privacy Policy explains what information this website (the Site) collects, why, how long it's kept, and what control you have over it. The Site is a personal blog operated by its owner, not a commercial service.

Effective date: 21 April 2026
Last updated: 21 April 2026

Short version: the Site does not use tracking cookies, does not store your IP address, honours Do Not Track, and has no advertising. Analytics are self-hosted and minimal. The only cookies issued belong to the administrator’s login session — not to public readers.

1. Scope

This policy applies to the public pages of the Site (the home page, blog posts, tag archives, the /about page, search, and the /privacy / /terms pages you’re reading). It does not cover third-party websites the Site links out to — each of those has its own privacy policy.

The password-protected /admin area is used only by the Site’s owner. References to administrator data below describe the owner’s own account and are included for completeness.

2. Who’s responsible

The Site is operated by its individual owner (the “Author”). You can reach the Author at career.ashish.kapoor@gmail.com for anything privacy-related. There is no company, team, or data protection officer behind the Site — this is a one-person project.

3. What the Site collects

3.1 From public readers

When you browse the Site, the server records a minimal row in a page_view table for each page you load. The row contains:

The path you requested (e.g. /blog/some-post).
The referrer URL if your browser sent one (e.g. the search engine or site you came from).
A coarse device class (desktop, mobile, or tablet) derived from your browser’s User-Agent string. The raw User-Agent is not stored.
A two-letter country code when the hosting platform attaches one as an HTTP header (e.g. via Cloudflare’s CF-IPCountry). When no such header is present, the country field is empty.
A UTC timestamp.

That is all. The Site does not store your IP address, cookies, fingerprints, or any account identifier. Individual readers are not identified or re-identified across visits. The table is used to show the Author aggregate charts (popular posts, 14-day traffic, device mix) on the administrator dashboard.

If your browser sends a DNT: 1 (Do Not Track) header or a Sec-GPC: 1 (Global Privacy Control) signal, no page_view row is written at all. Your visit is invisible to the Site’s analytics.

3.2 From the administrator

When the Author signs in to /admin, the Site:

Sets a secure, HTTP-only session cookie that identifies the logged-in browser. It expires after a period of inactivity.
Writes a row to a login_attempt table recording the attempted email, whether the attempt succeeded, the user-agent, and a timestamp. This exists so repeated failed logins can be rate-limited.
Writes entries to an activity_log table for administrative actions (publish a post, upload media, etc.) so the Author has an audit trail.
Hashes the Author’s password with Argon2id. The plain-text password is never stored.

None of this applies to public readers. You do not have an account on the Site, cannot create one, and cannot log in.

3.3 What the Site does not collect

No IP addresses — ever, for any reader.
No tracking cookies, no advertising cookies, no analytics cookies.
No browser fingerprints (no canvas, no audio, no font enumeration).
No email signups, no newsletter, no comments — these features do not exist on the Site, so there’s nothing to collect.
No social-media trackers (no Facebook Pixel, no Twitter analytics, no LinkedIn Insight Tag, no TikTok Pixel).
No third-party ad networks.
No session replay, heatmaps, or mouse-recording tools.

4. Cookies and similar technologies

The Site does not set cookies on public readers. There is no cookie banner because there is nothing to consent to. If you open a browser devtools panel on any public page you will see an empty cookie store for the Site’s domain (unless you are logged in as the Author).

The single exception is the administrator session cookie described in §3.2, which is only set after a successful login at /admin/login.

The Site does not use localStorage, sessionStorage, IndexedDB, service workers, or any other client-side storage mechanism to identify or track readers.

5. Third-party services

A handful of third parties may see your IP address as a consequence of how the web works — not because the Site sends them your data. They are listed below with links to their own privacy policies and open-source codebases where applicable.

5.1 Cloudflare (CDN & DDoS mitigation)

Site traffic is fronted by Cloudflare for caching and security. Cloudflare necessarily sees your IP and User-Agent in order to deliver the page to you. The Site’s origin server receives only the country code derived from that IP (via the CF-IPCountry header); the raw IP is stripped at the edge before reaching the Site’s code.

5.2 Google Fonts

Web fonts are loaded from fonts.googleapis.com and fonts.gstatic.com. Google’s Fonts API does not set cookies but sees the requesting IP — see Google Fonts & privacy. A future release may self-host these fonts to remove this dependency.

5.3 CDN-hosted open-source libraries (admin-only)

A few libraries used inside the administrator area are loaded from public CDNs. Public readers never see these requests because the relevant pages are behind the admin login.

CodeMirror 5 (via cdnjs) — the HTML editor in the admin blog form.
Chart.js (via jsDelivr) — the charts on the admin dashboard.

5.4 Hosting provider

The Site runs on a small virtual private server. The hosting provider may keep basic network logs as part of operating that machine; these are outside the Site’s control and are retained per the provider’s own policy. No application data is shared with them.

6. How long data is kept

Data	Retention
Page-view rows (path, referrer, device, country, timestamp)	Kept indefinitely while they remain useful for aggregate charts. Individual rows cannot be tied back to a reader.
Login-attempt rows (email attempted, success flag, user-agent)	Kept for security auditing. Failed attempts older than 15 minutes no longer count toward rate-limiting.
Administrator activity log	Kept indefinitely as a change history for the Site’s content.
Administrator session cookie	Expires on idle timeout or explicit logout. Not persisted server-side.
Database backups	Rotated by the operator; older backups are destroyed when they age out of the retention window. Backups contain the same data as the live DB (notably: no IPs, no reader cookies).

7. Your rights

Because the Site does not store any identifiers that can be tied back to you, most data-subject rights do not have a meaningful target. There is no “your data” to export, correct, or delete — there is no you as far as the Site’s records are concerned.

That said, if you are covered by a regulation such as the EU’s GDPR, the UK GDPR, or California’s CCPA/CPRA, you have the following rights in principle:

Access — to know what, if anything, is held about you.
Rectification — to have inaccurate data corrected.
Erasure (“right to be forgotten”) — to have your data deleted.
Portability — to receive your data in a machine-readable format.
Objection / restriction of processing.
Not to be subject to automated decision-making — the Site does no automated profiling or decision-making.
Lodge a complaint with your local data protection authority.

If you believe the Site is holding data about you that you want exercised in any of the above ways, email career.ashish.kapoor@gmail.com. The Author will respond within 30 days.

8. Do Not Track & Global Privacy Control

The Site honours the DNT: 1 request header (Do Not Track) and the Sec-GPC: 1 request header (Global Privacy Control). When either is present, the Site’s analytics layer skips writing a page_view row entirely. You do not need to take any further action.

Most browsers offer a toggle for these signals in their privacy settings. The Site’s behaviour is the same whether or not you send them — no IPs are stored either way — but sending them removes even the anonymised row.

9. Children

The Site is written for a general audience and is not directed at children under 13. Because no personal information is knowingly collected from anyone, the Site does not knowingly collect personal information from children. If you believe a child has submitted personal information through the Site (for example, via an email sent to the Author), contact career.ashish.kapoor@gmail.com and it will be deleted.

10. Security

The Site applies the following measures to protect its own data and, indirectly, any information you entrust to it:

HTTPS-only delivery with HSTS preloading in production.
Strict Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a locked-down Permissions-Policy.
Administrator passwords hashed with Argon2id; per-IP lockout on repeated failed logins.
CSRF protection on every administrator form.
Parameterised database queries throughout — no string-concatenated SQL.
Server-side validation of all inputs.
Encrypted off-site backups to rotate against ransomware/hardware failure.

No system is perfectly secure. If you discover a vulnerability, please responsibly disclose it by emailing career.ashish.kapoor@gmail.com before sharing it publicly.

11. International transfers

The Site’s servers are hosted in the United States. Cloudflare operates a global network — your traffic is typically served from the closest edge node, which may be in a different country to the origin. Google Fonts is served from Google’s global CDN. Because the Site stores no personal data from readers, no personal data crosses borders in the technical sense required by GDPR Chapter V — but the underlying network traffic is international by default.

12. Links to other sites

Blog posts and the /about page link to external sites (open-source projects, documentation, articles, social profiles, and so on). The Site has no control over those destinations — they may use cookies, fingerprinting, or advertising technology that this Site does not. Please review the privacy policy of each external destination you visit.

13. Changes to this policy

This policy may be updated as the Site evolves (for example, if a new third-party service is added, or a feature such as comments or a newsletter is introduced). When that happens, the Last updated date at the top of this page will change, and the previous version will be retained in the Site’s source-code repository (see §15) so the change history is public.

If a change is material — for example, if a new class of data starts being collected — it will be summarised in a blog post on the home page, not quietly changed.

14. Contact

Privacy questions, data-subject requests, vulnerability reports, or feedback on this page:

Email: career.ashish.kapoor@gmail.com
LinkedIn: Ashish Kapoor

15. Transparency & source code

The Site is a personally maintained open project. Where practical, the source code and the open-source dependencies it relies on are linked publicly so you can verify the claims above yourself rather than taking them on trust.

This Site’s source — the Python/Flask application that renders every page you see is maintained by the Author on GitHub: github.com/ashish-kapoor. Opening an issue there (or in the specific blog-website repository when it’s published) is a valid way to flag something about this policy or the Site’s data handling in public.
Web framework: Flask (BSD-licensed).
Database: SQLite (public-domain; source at sqlite.org/src).
Password hashing: Argon2 (CC0-licensed reference implementation).
CSRF / forms: Flask-WTF (BSD-licensed).
Rate limiting: Flask-Limiter (MIT-licensed).
Admin HTML editor: CodeMirror 5 (MIT-licensed).
Admin charts: Chart.js (MIT-licensed).

If you spot a discrepancy between what this policy says and what the source code actually does, that is a bug. Report it via the contact channels in §14 and it will be treated as a security/ethics issue rather than a feature request.

This policy is written in plain English rather than legalese. Nothing here is a waiver of any right you hold under applicable law. Where local law grants you more than this policy promises, that law wins.