Privacy.

This policy applies to andrewctf.dev and the direct subdomains used to publish research, blog posts, and project documentation. It does not cover code hosted on third parties — GitHub, Modrinth, Discord — which run under their own terms.

andrewctf.dev is a personal portfolio. There is no product, no account system, no paid tier, and no advertising. Most visitors read a few pages and leave. This document describes the very small amount of data that flow generates.

Server logs. The web server records standard request metadata for every page load: timestamp, requested path, HTTP status, user-agent string, referrer, and the IP address of the requesting client. These are the same fields any web server writes by default. They are used to debug failures and to detect abuse.

Email you send. If you write to hello@andrewctf.dev, your message and email address are stored in the inbox that receives it, like any other email. Nothing on this site captures email through forms — there are no forms.

That's the full list. No analytics pixels, no behavioural tracking, no fingerprinting, no session recordings, no A/B testing, no advertising IDs.

Server logs are used to keep the site reachable and to identify traffic patterns that look like attacks (credential stuffing, scraping bursts, exploit scanners). Logs are rotated and aged out after a short retention window — typically 30 days — and are never sold, traded, or shared with marketing partners, because there are no marketing partners.

Emails you send are used to reply to you. If a thread covers vulnerability disclosure or sensitive research collaboration, the relevant context may be retained longer and stored encrypted. See the disclosure policy for how security reports are handled.

This site does not set tracking cookies. It does not embed third-party scripts that set cookies on its behalf. A small number of functionalentries may be written to your browser's local storage to remember preferences such as reduced-motion choice — these never leave your device.

The site loads typefaces from Google Fonts, which means Google's servers see the IP address that requests the font file. That request is necessary to display the page; it is not used by us for any analytics purpose. Google's use of that data is governed by Google's privacy policy.

The site is hosted on commercial infrastructure that necessarily processes request data to deliver pages. No other external services — no analytics, no chat widget, no advertising network, no CDN-level fingerprinting — are integrated into these pages.

You can read this site without identifying yourself. You can block cookies and JavaScript without losing access to the text content. If you have written to hello@andrewctf.dev and want the resulting thread deleted, ask — it will be done and confirmed.

If you are in a jurisdiction that grants statutory rights of access, correction, or erasure over personal data held by private parties, those rights are honoured here on request. The data held is small: an email thread you initiated, plus short-lived server logs that have already aged out by the time most requests arrive.

If the practices described here change in a way that affects what is collected or how it is used, this page will be updated and the "last updated" date at the top will move forward. There is no mailing list, so material changes will be flagged in the site footer for a reasonable period.

Questions about privacy go to hello@andrewctf.dev. Security-sensitive reports — anything you would not want another reader of the inbox to see — should follow the disclosure policy and use the dedicated security address with PGP.