Cookies and local storage#
The site sets one HTTP cookie. Everything else listed below is browser-local storage that never leaves your device unless you submit it.
| Name | Where | Purpose | Lifetime |
|---|---|---|---|
site:theme | cookie + localStorage | Remembers light or dark mode so the first paint matches your choice. SameSite=Lax. | 1 year |
site:token | localStorage | Signed login token. Sent as a Bearer header on note writes and deletes. | Up to 30 days, until you log out, or until you clear it |
site:identity | localStorage | Your identity claims (username, permission, claim status). Used to render "posting as X". | Same as site:token |
site:highlights-visible | localStorage | Show or hide the highlight overlay on annotated text. | Until you clear it |
site:rail-collapsed | localStorage | Open or collapsed state of the comment rail. | Until you clear it |
site:toc-collapsed:<slug> | localStorage | Per-post table-of-contents collapsed state. One key per post you have visited. | Until you clear it |
Highlights and annotations#
When you select text on a post and leave a note, the site stores markers for the text you selected, the body of your note, your username at the time, your IP, and a timestamp. The selected text and the note body are public on the post page. Notes are kept until you ask for removal.
Usernames and passwords#
- Username: stored. Public on every note you post. Kept until you ask for removal.
- Password (optional): stored hashed with Bcrypt. The plaintext passwords are never written to disk and never sent to anyone, they are retained until you ask for removal.
If you comment without a password, ownership of your notes is tied to your current browser session, so you may not be able to delete them from a different device. Setting a password closes that gap for future notes.
IPs#
- Note-taker and replier IP: the IP you submitted from is retained for 30 days.
- Visitor IP for aggregate reader counts: stored only as a salted SHA-256 hash. The salt rotates weekly and is not retained, so hashes older than the current salt cannot be re-correlated to an IP. The hash is deleted after 14 days.
Logs#
This website saves access logs of one line per HTTP request, containing client IP, request method, URL, response status, response time, and User-Agent that are kept for 30 days.
What this site does not do#
- No third-party analytics, advertising, or trackers.
- No fingerprinting.
- No sharing, selling, or transfer of any of the above to third parties.
- No AI training datasets built from any of the above.
Your rights#
To request deletion of your account, your notes, your IP records, or to get a copy of what is on file, contact me via the about page.