Alex.


$ cat ~/.privacy _

Privacy Policy

$ ls /cookies/ /trackers/ /analytics/ 2>&1 _

No cookies. No trackers. No analytics.

There are no advertising cookies, tracking pixels, fingerprinting scripts, or analytics beacons on this site. No third-party scripts load in the background. What you see in the page source is everything that runs.

The only things written to your browser are six localStorage values: theme, match-device-theme, cursor-blink, stars-bg, matrix-bg, and your avatar customization. No cookies. No session identifiers. Nothing that follows you around.

$ cat ~/.local/share/preferences _

Browser preferences (localStorage)

Six values are written to your browser's localStorage:

  1. theme
    • "light" or "dark"
    • Your chosen color scheme.
    • Defaults to "dark".
  2. match-device-theme
    • "1" when you've enabled the "Match device" toggle in the sidebar.
    • Absent by default (manual theme selection).
    • When active, the site theme follows your OS/browser color scheme preference live.
  3. cursor-blink
    • "paused" when you've disabled the blinking cursor effect.
    • Absent by default (cursors blink).
  4. stars-bg
    • "1" when you've enabled the "Stars" background toggle in the sidebar.
    • Absent by default (background off).
    • When active, an animated star field GIF is shown as the site background.
  5. matrix-bg
    • "1" when you've enabled the "Matrix" background toggle in the sidebar.
    • Absent by default (background off).
    • When active, a Matrix-style hiragana rain canvas is shown as the site background. Mutually exclusive with Stars.
  6. avatar-state
    • Your 8-bit avatar customisation, e.g. "gender=male&avatar=3-54-12-14-15-21".
    • Only written if you use the avatar builder on the /8biticon page.
    • Absent until you interact with the builder.

These are stored in localStorage, not sessionStorage. That means they persist across browser restarts by design so your preferences stick between visits without you having to re-configure them every time.

You can clear them at any time via your browser's developer tools (Application → Local Storage), or by toggling the options in the sidebar.

$ cat /var/mail/inbox | grep --from=you _

Data I receive from you

The only data I receive is what you voluntarily send. That means email you write to me, or a guestbook entry you submit. Nothing else.

Guestbook submissions are stored in a self-hosted Turso (libSQL) database. Spam is filtered using a honeypot field and content pattern detection. No third-party services process your submission. If you'd like a copy of anything you've sent, or want it deleted, just ask.

$ curl -sI https://alexmbugua.me | grep -i ^tk: _

Do Not Track

This site honors the DNT header. Tracking status is "N" (Not Tracking), declared at /.well-known/dnt. The full compliance policy is at /.well-known/dnt-policy.txt.

$ gpg --import /downloads/public.pgp && gpg --verify /.well-known/security.txt.sig _

Security

Security contact information is published at /.well-known/security.txt, signed with a detached PGP signature. The public key is at /public.pgp and via WKD at /.well-known/openpgpkey/ for automatic discovery by GPG, Thunderbird, and other OpenPGP clients.

PGP fingerprint: 18AE 4232 9AC1 F56F 843B 88C6 73B4 8769 BB38 F964 (Ed25519, expires 2028-03-01). The key covers alex@, security@, and contact@alexmbugua.me.

The existence of the security.txt file does not imply consent to perform security tests against this site. This site is primarily hosted on Netlify with GitHub Pages as a backup. Guestbook data is stored in a self-hosted Turso (libSQL) database. All testing must comply with the respective hosting providers' security policies.

$ cat /.well-known/pubvendors.json | jq '.vendors' _

Third-party vendors

This site does not use advertising or tracking vendors. A full transparency listing of all third-party services is published at /.well-known/pubvendors.json.

$ ls -1 /.well-known/ _

Well-known resources


$ exit _

This site is built on the principle that a personal website doesn't need to surveil its visitors.