Privacy Policy
Please read this I spent like 5 hours writing it.
This website is operated by Cutotopo (contacts here, or if you want the fancy email address legal[at]cutotopo[dot]live is also fine) who is also what regulators would call a "data controller" and is based in Italy.
Lawyers would call what I do "legitimate interest pursuant to Article 6(1)(f) of the EU GDPR", I would call it something more like "you cannot browse the web without IP addresses plus I would like to know approximately how many people visit my site, nothing else" (sadly my version is not serious-sounding enough, so the former applies). More on this later.
Cookies?
This website does not store any tracking cookies on your browser. I could not care less about what you do outside of here (also it's none of my business to start with), and I honestly don't think any large mega corporations have any right to know that you have been here. My providers (read the following paragraph) could store some cookies on your browser, but those will be used strictly to prevent downtime or security incidents, as per their privacy policies.
So what data is actually collected or processed?
First of all, just so we are on the same page: what are we even talking about? In very very simple terms:
- IP address: your unique(-ish) identifier on the internet, think of it as your address printed on a package you want to receive;
- User agent string: a little line of text that tells the website what you are viewing it on (e.g. "Firefox 147 on Windows 7", "Safari 5.1 on an iPod Touch", "NetFront NX on a Nintendo 3DS", ...);
- Timezone: literally your current time zone (e.g. UTC, CET, PST, ...);
- Stack trace: a report of all the functions in code that were called leading up to an error;
- One-way hash: a string that is derived from applying a mathematical algorithm on some data, but cannot be reversed - doing this on the same data returns the same thing, so it's useful for correlating data while preserving its secrecy;
- CDN: Content Distribution Network, an ecosystem of servers distributed across different countries that keeps copies of stuff so you can receive it more quickly;
- (D)DoS: (Distributed) Denial of Service, an attack where a malicious party tries to "run the server out of resources" by repeatedly requesting stuff from it;
- Backend: the part of a website that is working behind the scenes to bring what you see to you, kind of like the kitchen in a restaurant;
- URL: Uniform Resource Locator, the part of a web address that identifies what you want to get from the website, it's the one with the slashes;
- Self-managed: I don't outsource it, it lives on my infrastructure and it is managed by me;
- Provider: a person or, more likely, a company that provides me a service to help get this site on your screen more easily/efficiently/securely/...;
- Internet Explorer 11: thank God it's dead. oh wait...
Now, with the definitions out of the way:
- To function properly, this website shares technical information with Cloudflare, Inc. and Netlify, Inc. when you visit.
  - They will automatically process your IP address (welp, good luck reaching anything on the internet otherwise) and user agent string to protect against attacks, maybe also your current timezone (this depends on your browser, it's not really something I can control).
  - This also means that if you decide to DoS my website, your IP address WILL end up in a blocklist somewhere at one of my providers. That is how the internet works though, and I really prefer telling this to you straight up instead of burying it under six A4 sheets of legalese like everyone else does.
  - Because CDNs exist, content may or may not be delivered to you from outside the EU, which means, well, that your data might leave the EU. This is based on a thousand different factors and I'm not really able to predict where a request will come from before it happens, so now you know.
- I use Sentry (by Functional Software, Inc.) to gather information on errors that may occur: for example, if the blog is not loading because the backend died, Sentry will send me an email notifying me of this. Your user agent string will be included in the error details to eventually help me reproduce more complex issues (looking at you, Safari users), as will a stack trace, the URL you were currently on, and a one-way hash derived from your IP address.
  - This data will be stored in the United States, and will be kept for a maximum of 90 days.
  - Yes, yes, I know that hashing is not technically anonymization, but I still need to correlate data between (possibly multiple) errors and I honestly neither want nor need to have your full IP address for that. So here is the deal: you get privacy and I get the data points I need to fix my website if needed.
  - None of this data can be traced back to any visitor.
- Privacy-preserving analytics are provided by a self-managed Plausible Analytics instance.
  - This data will be stored in Italy and aggregated (i.e. not really kept in full, just incrementing a series of numeric counters).
  - None of this data can be traced back to any visitor.
If you really don't trust me, you can just turn off JavaScript on your browser.
You won't be missing out on much (besides a few minor visual enhancements), and you will be able to completely view and use the website anyway.
Only Netlify will then get your IP address, but there isn't much I can do about that because, as explained earlier, that is how the internet works. Your best bet in that case is to either use something like Tor or just not visit the website at all.
I am literally doing everything I can to minimize the data I collect to serve its only purpose of counting visitors and reporting errors, but if you are still concerned about your privacy, well, I'm sorry but I really don't know what to tell you.
About data access/rectification/erasure requests
Well, even if I stored your user agent string, I would have no idea of who you are. There are probably millions of other people on this planet using Internet Explorer 11 in 2026, right?
This means that I might not be able to fulfill any requests for the retrieval or deletion of information unless you are able to provide additional, very specific and precise metadata (e.g. exact timestamps and URLs) that would allow me to identify your request, and of course only if the related subsystem allows it (e.g. analytics do not, since your data has been processed into values and discarded already). So if you are really sure I could have something I should delete, just shoot me an email and I'll see what I can do.
You also have the right to lodge a complaint with your relevant data protection authority, but I would appreciate you at least contacting me before getting regulators involved...
You also absolutely have the right to object to the above treatment of data. The quickest and easiest way for you to do this is by turning off JavaScript as mentioned above (then Sentry and Plausible won't load), or visiting via cURL or Links (which don't run JavaScript at all, and the latter can properly display this site).
Otherwise, if you really prefer a more formal approach, the above about data access/rectification/erasure requests applies in full, with all of the mentioned limitations that may apply.
For any other questions or inquiries, don't hesitate to contact me.
Last updated on Feb 20, 2026 ("clarifications about technical terms and grammar corrections").
Yes the year in the Internet Explorer joke updates automatically, so in 2027 it will be "2027". Don't worry: the rest remains the same.