Privacy policy
What this blog stores about its readers, why, and how to ask for it to be deleted.
Last updated:
This is my personal blog, and this is its privacy policy. You won’t find lawyer-speak here, but you will find exactly what I store about you and why.
When you’re just reading
Nothing happens. No sign-in, no tracking cookies, no idea who you are or where you came from. You’re an anonymous reader, and that’s how I like it.
When you comment
Now I need to know who you are. I don’t like anonymous comments, and I don’t want internet bots filling my blog with gambling ads. So I ask you to sign in through an external identity provider, and I store:
- The identity provider’s name: which sign-in service you used.
- Your stable identifier from that provider: a value I can’t reverse into your real name or email, but enough to recognize you across comments and to ban anyone who abuses the system.
- Your display name: what shows up with your comments. Defaults to your account name with that provider, and you can change it whenever you want.
- Your website URL (optional): becomes a link on your name.
- A hash of your email (SHA-256): not the email itself, only its fingerprint. I use it to fetch your avatar from Gravatar if you have one, and the email can’t be recovered from the hash.
- Your comment text and timestamps.
What I don’t store
- Your email address: I don’t need it, and I can’t contact you outside the blog. That’s a deliberate choice.
- Your avatar image: it loads live from Gravatar, not from my servers.
- Your IP address: Cloudflare uses it to protect the blog from attacks. I never see it.
Cookies
The blog uses only two cookies:
a2h_lang: remembers the last language you chose (Arabic or English), so when you come back to the home page, it opens in the same language. The value is eitheraroren. It’s never used for tracking.a2h_session: gets set after you sign in. It keeps you logged in for a week so you don’t have to sign in every time you comment. It carries a cryptographic signature, and nobody outside this blog can read or modify it.
I also use Cloudflare Turnstile to block bots. It runs in invisible mode, with no visible challenge shown to readers. It might set technical cookies for protection, nothing else. See Cloudflare’s Turnstile Privacy Addendum for details.
Deleting your account and data
You can delete your account and all your comments at any time, from the “Delete my account” button inside the “Edit profile” dialog. When you do, everything tied to you is removed from the database: your name, your website link, your email hash, and all your comments.
If for any reason you can’t use that interface, just email me:
Everything tied to you will be deleted within a week, no questions asked.
A note about banned accounts
If a banned reader chooses to delete their account, all their data is wiped just like anyone else’s. The one thing that stays is the provider name and the account identifier in the ban list. This means signing in again with the same provider and the same account won’t be allowed. It’s there to keep the ban in place, not to retain any personal data.
Third parties involved
- Identity providers: for sign-in. Each provider’s privacy policy applies when you use their service.
- Cloudflare: hosts the blog and the database.
- Gravatar: fetches your avatar based on your email hash, if you have an account there.
Changes
If anything changes, I’ll update the date at the top of the page. That’s the part you should know.
This blog was built on one principle: that you, the reader, decide what gets stored about you, when it gets deleted, and who has access to it. Privacy here isn’t a feature added to the experience. It’s a foundation the experience is built on.