Skip to content

Privacy

Effective date: June 14, 2026 Operator: Centaur Security Labs LLC (Colorado, USA) · [email protected]

This site runs its own analytics, on hardware we control. We do not use Google Analytics, ad networks, or any third-party tracker. Nothing collected here is sold, shared, or sent to a third party. The data lands in a local database on our own machine and is used for one thing: understanding how people read this site.

Because this is a lab that studies how systems behave, we instrument our own site the way we'd instrument a target — and then we tell you exactly what that means. Here is everything collected.

What we collect

Page activity (via a self-hosted GoatCounter instance):

  • The page you viewed, the page that referred you, and the time of the visit
  • Your browser and operating system (from the standard request your browser sends)
  • Approximate engagement: time on page, scroll depth, outbound link clicks, and copy events
  • Your IP address, which we use to derive an approximate region and your network operator (ASN). We do not use it to identify you personally.

Device profile (via a small first-party script, probe.js, that posts once per page load):

  • A random first-party identifier stored in a cookie named csl_vid, kept for up to one year, so we can tell a returning device from a new one. It contains no personal information — just a random string.
  • Locale signals: time zone and preferred languages
  • Hardware hints: CPU core count, approximate device memory, connection type and speed estimate, and touch-point count
  • Display characteristics: device pixel ratio, viewport size, screen size, and color depth
  • A canvas fingerprint and WebGL vendor/renderer string — values derived from how your specific browser and GPU render graphics. Combined, these help us recognize the same device across visits.

What we deliberately do not collect

  • No WebRTC LAN-IP enumeration. A common fingerprinting trick reads the private IP addresses on your local network. We disabled it on purpose.
  • No names, emails, accounts, form input, or payment data. There are no forms or accounts on this site.
  • No third-party analytics, advertising, or cross-site tracking networks.

Your controls

  • Global Privacy Control (GPC). If your browser or a privacy extension sends a GPC signal, the device-profile script collects and sends nothing — it stops before reading anything. GPC is the opt-out we honor. (We do not rely on the older "Do Not Track" header, which browser vendors deprecated and never agreed on a meaning for.)
  • Exclude yourself from page analytics. Open your browser's developer console on any page and run goatcounterExclude(). Your future visits won't be counted.
  • Clear the cookie. Deleting the csl_vid cookie (or browsing in a private window) resets the device identifier at any time.

Retention, access, and changes

Collected data is stored on infrastructure we control and is not retained for any purpose beyond understanding site usage. To ask what we hold about a device, or to request deletion, email [email protected].

This policy may change as the site does. When it does, we'll update the effective date above. This site is not directed to children under 13 and we do not knowingly collect data from them.