Privacy
cyfar is a personal blog. The collection footprint is small on purpose. This page is the plain-language version of what happens when you read or sign up.
If you just read
You don't need an account to read anything here. When you load a post, a short-lived cookie gets set so the site can count views and dwell without double-counting you. It's an opaque random value, not tied to your identity, and it's the only thing the site stores against your reading activity. No IP address is recorded against reading events.
If basic visitor analytics are turned on, a third-party measurement script may run on public pages. It honours the browser's Do Not Track signal: send DNT and the script is never delivered. There is no advertising network, no remarketing pixel, and no data broker in the loop.
If you sign up
Sign-up stores your email and a hashed password. The plaintext password is never written anywhere.
Authentication events (sign-up, sign-in, failed sign-in, password reset, account deletion) are logged with IP address and browser user-agent. This is used for abuse review and to debug problems if you ever email about a locked-out account. It is never displayed publicly and is not shared with anyone.
If you bookmark or react to a post, the site records the post and a timestamp against your account. Same opaque-cookie rule as for anonymous readers otherwise.
If you use the contact form
Whatever you write in the form is stored so it can be read and replied to. The submission also records your IP and user-agent for spam triage. A captcha provider checks that the submission wasn't a bot.
What gets shared
Nothing is sold and nothing is handed off to advertisers. A small number of service providers see specific slices in order to do their job: email delivery sees the recipient address, captcha sees that one challenge, optional analytics sees the page-load. That's the entire third-party surface.
How long it sticks around
Account data lives until you delete the account. Deletion is a 30-day soft delete first (so a mistaken click is recoverable), then a permanent purge. Authentication-event logs are kept for longer for abuse review, with identifying fields cleared on permanent purge. Contact-form messages are kept while they might still be relevant and pruned periodically.
Getting your data off
Sign in and visit your account pagefor export and deletion. If you can't sign in or want something more specific, the contact form reaches the operator directly.
Changes
If the collection footprint ever grows (paid tiers, comments, anything new) this page gets updated before that surface goes live. There's no separate notification channel for it beyond the page itself.