Privacy Policy

Last updated: May 21, 2026

privacyscore.dev exists to show you what websites can learn about you. It would be hypocritical to track you while doing it. This page explains, in plain language, exactly what we collect, what we don't, and why.

The short version

• We never store your IP address, User-Agent string, or referer.
• We do count anonymous visits using a salted hash that rotates daily — the hash is one-way and rotates, so it cannot be reversed back to your IP and cannot link your visits across days.
• We don't use third-party analytics, marketing pixels, or session-replay tools.
• We do not set advertising cookies. (If we ever enable Google AdSense, we will update this page first and you will see a clear consent prompt before any ad cookie is set.)
• We do not have user accounts, profiles, or login.

What is shown back to you on the page

The home page renders, for your eyes only, every signal a typical website can extract from your visit: IP, headers, geolocation derived from the IP via a self-hosted MaxMind GeoLite2 database, and a series of browser-side fingerprint probes (canvas, WebGL, audio, fonts, WebRTC, screen, sensors, permissions). All of this is computed on the fly and discarded as soon as the response is sent.

What we keep, anonymously

To know whether the site is being used at all and which countries / browsers visit, two things are written to our database after each visit:

1. A raw event row in page_views with: a daily-rotating SHA-256 hash of your IP (not the IP itself), country code, browser name and version, OS name, device class (desktop / mobile / tablet / bot), and the privacy score we computed. Retained for 30 days then deleted.
2. An aggregate counter in hourly_stats grouped by hour, country, browser and device. Retained indefinitely. Contains no per-visitor information.

The visitor hash is built as sha256(ip + salt + YYYY-MM-DD). The salt rotates with the application key. Because the date is part of the hash, the same IP yields a different hash each calendar day, so no cross-day tracking is possible. Because of the salt, even a leaked database row cannot be reversed back to an IP without the salt.

Cookies

The site sets a single first-party session cookie that is required for CSRF protection on form submissions and Laravel's session handling. It contains an opaque session identifier and is deleted when you close your browser. It is not used for tracking.

An additional first-party flag (localStorage.ps_cookie_seen) is set when you click "Got it" on the cookie banner — it is purely so we don't show the banner again.

If we enable Google AdSense in the future, ad cookies will be added under explicit consent, and this page will be updated.

Your rights under GDPR

If you are in the EU/EEA, you have the right under GDPR to access, correct, port, or delete your personal data. Because we never store data that can identify you, we have nothing to hand over or delete on a per-person basis. The closest you can do is wait — your daily hash will rotate at midnight UTC, and any aggregate counter you might have contributed to is anonymous by design.

Logs

The web server (nginx) keeps short-lived access logs containing IP and User-Agent for security purposes — DDoS detection, fail2ban, abuse handling. These rotate every 7 days and are not joined with the analytics database.

Data shared with third parties

We do not sell, rent, or share visitor data with anyone. The MaxMind GeoLite2 database is queried locally on the server — your IP is never sent to MaxMind in real time. If/when AdSense is enabled, Google will be a processor for ad serving and you will be notified.

Contact

For privacy questions or GDPR requests, write to: [email protected].