© 2026 Hitman's Museum v1.7.0

Privacy

Last updated: 1 May 2026 · rev 2

This is a personal, non-commercial hobby blog. I keep the data I collect to the minimum needed to run the site and reply to messages. This page tells you what that means in practice.

Who runs this site

The site is operated by @hitmanmcc as a personal project. There is no company behind it. To get in touch, use the contact form.

What I collect, and why

When you read pages

  • Vercel (the hosting provider) keeps short-term server logs that include your IP address and browser user-agent string. That is standard for any web server and is needed for security, debugging, and abuse prevention. Logs are retained by Vercel for roughly 30 days and then discarded.
  • Vercel Analytics records aggregated, cookieless visit metrics (page paths, referrer, country, screen size). It does not set cookies and does not build a per-visitor profile.
  • Vercel BotID runs an invisible challenge in the background of every page load to distinguish humans from automated traffic. It uses browser-environment signals (no audio, video, location, or contact data); the verification result is only actually consulted when you submit the contact form.

When repair-entry pages render embedded images

  • Some images on repair entries (tweet thread photos and a small number of console reference photos) are loaded directly from pbs.twimg.com / video.twimg.com (Twitter/X) and upload.wikimedia.org (Wikimedia). Your browser fetches them from those hosts, which means they see your IP address and user-agent. The site sets a strict referrer policy so they only see https://hitmanmcc.com/, not the specific URL you were reading.
  • If you are signed into Twitter/X in the same browser, your Twitter session cookies will be sent with those image requests. There is no way for me to change that from this side. Backfilled and newer entries are gradually being re-hosted on Vercel Blob to remove this leak.

When you send a message via the contact form

  • I receive your name, email, and the contents of your message.
  • BotID's invisible-CAPTCHA verification (mentioned above) is the gate that rejects automated submissions before they reach my inbox.
  • The IP address of the submission is not stored or forwarded.

When you click the “Translate” button on a repair entry

  • The text content of that entry is sent to Microsoft Azure's Translator service, which returns the translation. Azure sees only the text and the target language, not your name, email, or IP. The request is rate-limited per visitor IP (held in server memory for the rate-limit window, never written to disk and never tied to your identity).

When you (somebody, an attacker) try to log into the admin area

  • Failed admin-login attempts persist the IP address in the database for the duration of the brute-force lockout window (15 minutes). Records are deleted on successful login. This is the only path by which a visitor IP ever lands in the database; ordinary reading does not.

I do not use Google Analytics, advertising trackers, social media pixels, or any other cross-site tracking technology. There is no comments system, no newsletter, no user accounts for visitors. The site explicitly tells your browser to deny camera, microphone, and geolocation access to itself.

Cookies and local storage

The site does not set any cookies on visitor browsers other than a single authentication cookie used by me to log into the admin area. That cookie is functional, not tracking, and is not present unless you explicitly log in.

A few small values are stored locally on your device using the browser's built-in localStorage and sessionStorage: your chosen theme (dark/light), the on/off state of the CRT visual effect, and the scroll position of the feed so back-navigation lands you where you were. These never leave your device and are not used for tracking.

If you ever see a cookie banner on this site, that means I have added something new and forgotten to update this page. Please tell me.

Where the data lives

The site uses a small number of third-party services to operate. All are bound by their own GDPR-compliant data processing terms.

Service | What it does | Where it processes data
Vercel Inc. | Hosting, server logs, analytics, bot protection, image storage | United States
Resend | Delivers contact-form emails to my inbox | United States
Turso | Database for the site's content. Stores visitor IPs only on failed admin-login attempts (auto-cleared on success). | United States and Europe
Microsoft Azure | Translates entry text into your selected language when you click Translate | Europe (West Europe region)

Transfers to the United States are covered under each provider's standard contractual clauses and (where applicable) the EU-US Data Privacy Framework.

How long things are kept

  • Server logs: ~30 days, by Vercel.
  • Analytics rollups: aggregated indefinitely, never tied to an individual.
  • Contact-form messages: kept in my inbox for as long as I find them useful, or until you ask me to delete them.

Your rights under GDPR

You can ask me to:

  • confirm what data I hold about you, if any
  • correct it
  • delete it
  • restrict how I use it
  • give you a copy in a portable format
  • stop using it for any purpose you object to

Send any of those requests via the contact form. I will respond within 30 days.

If you are unhappy with my response, you can file a complaint with the Portuguese data protection authority, the Comissão Nacional de Proteção de Dados (CNPD), at cnpd.pt.

Changes to this page

If I change anything material on this page, the “Last updated” date at the top will change. There is no email list to notify, but the page is in the sitemap.