This blog runs as a static site behind Cloudflare and self-hosted infrastructure (dokku on ProxMox). The architecture intentionally minimises personal-data collection. This page documents what is collected, by whom, why, and how long.
What this site stores in your browser
Nothing. No first-party cookies, no localStorage, no sessionStorage,
no IndexedDB writes, no fingerprinting attempts. You can verify with your
browser’s dev-tools → Application panel.
The only state your browser keeps is the standard HTTP cache (managed by
Cache-Control headers — immutable for fingerprinted assets, short-TTL for
HTML).
What is logged on the server
The dokku-fronting nginx writes a request line per HTTP hit (access.log):
- Timestamp, method, path, response status, response size
- User-Agent string
- Referer (when supplied by the browser)
- Anonymised client IP (last octet truncated at ingest)
Logs are retained for 90 days in Loki on the same dokku host, then auto-purged. They are not sold, not shared with third parties, and not used for advertising.
Bunny Fonts
Inter and JetBrains Mono are served from https://fonts.bunny.net/. Bunny is
a GDPR/LGPD-compliant CDN, EU-hosted, and (per their published audit) does
not log IP addresses or set cookies. Verified independently by ctrl.blog.
Cloudflare
Cloudflare fronts the blog via Cloudflare Tunnel. By default, Cloudflare’s edge:
- Sets a Network Error Logging (
NEL) header (browser-native, no client storage). - Does not set the
__cf_bmBot Management cookie unless Bot Fight Mode is explicitly enabled. As of this writing, it is off.
If you have Cloudflare set to “Always Online” or use any Cloudflare service worker, Cloudflare may briefly cache page content at the edge. No personal data is involved.
Third parties
There are no analytics providers, ad networks, comment systems, or CDN-based trackers other than the two listed above. No Google Analytics, no Facebook Pixel, no Hotjar, no Tag Manager, no AB-testing service.
Your rights (LGPD + GDPR)
You have rights to access, correct, port, and erase any personal data the
operator holds about you. Contact: [email protected].
Operator
Pedro H. S. Balbino — independent operator. No data-controller / data-processor agreement is required because no personal data is collected beyond standard web-server logs.
Last updated
2026-04-25 — initial publication.