Skip to content

Colophon · Privacy practices

This site practices what it preaches

A privacy-respecting site is the strongest evidence that I mean it. This page documents how this one is built and every practice it follows — written to be verified, not believed. Most claims can be checked from your browser in under a minute.

The practices

  1. 01

    No analytics of any kind.

    Not “anonymized” analytics — none. I don't know you visited, and I've decided that's fine. The hosting platform (Vercel) sees standard request logs as part of serving the site; that's the complete list of who sees anything.

  2. 02

    No third-party requests.

    Fonts, images, scripts, and styles are all served from this domain. No CDN calls, no social embeds, no like buttons, no external avatars. Open your browser's network panel on any page of this site — every request goes to this origin. That check is the whole audit.

  3. 03

    No cookies.

    The theme preference lives in localStorage, which never leaves your browser and is never sent to any server. There's no consent banner because there is nothing to consent to.

  4. 04

    Photos are stripped of EXIF and GPS metadata at build time.

    Every image in the photography section is a web-sized copy processed to remove camera metadata and location data before it's published. Full-resolution originals never touch this repository or its host.

  5. 05

    Global Privacy Control and Do Not Track are honored trivially.

    There is no tracking to opt out of. Sending those signals here is respected by architecture, not by a settings toggle.

  6. 06

    Contact without harvesting.

    Reaching me is a plain email link — no form, no form processor, no third-party inbox holding your message. For sensitive mail, a PGP key is available on the contact page.

  7. 07

    Strict Content-Security-Policy.

    Scripts run only with a per-request cryptographic nonce (no unsafe-inline), and the policy denies frames, external objects, and form posts to other origins. Referrer-Policy is no-referrer: leaving this site tells the destination nothing about where you came from.

  8. 08

    security.txt.

    A standard, machine-readable disclosure contact lives at /.well-known/security.txt if you find something wrong.

  9. 09

    Full-text RSS with no tracking.

    The writing feed carries complete article text — no tracking pixels, no campaign parameters, no “read more” bait. Follow without an algorithm or an account in the middle.

  10. 10

    This page.

    Every practice above is a checkable claim, not a promise. The stack is listed below so you know exactly what you're talking to.

Stack

Framework
Next.js (App Router) with TypeScript, styled with Tailwind CSS from a single set of design tokens
Type
Schibsted Grotesk, Inter, and JetBrains Mono — all open-licensed, subset and self-hosted; no font network
Hosting
Vercel. The platform sees standard HTTP request logs; no additional logging or analytics is enabled on top
Source of truth
Writing is markdown files; photos pass through a build pipeline that strips metadata; this page is regenerated with every deploy

Keep me honest

Questions about any of this — or found a claim that doesn’t hold? Tell me.

Last deployed July 10, 2026