OSS does not set, store, or read any cookies on this website. There is no consent banner because we have nothing to consent to. That's the actual policy. Everything below is the honest version of how the marketing site is run, because we'd rather tell you than have you find out at F12.
How We Run This Site
We self-host everything we control. Every component on the OSS side of this site is open source. We do not use third-party SaaS analytics, ad networks, or behavioral trackers. The two analytics layers below are the entire footprint:
1. Self-hosted Umami
Umami is a privacy-respecting open-source alternative to Google Analytics. It runs on infrastructure operated by OSS, not a third-party SaaS provider. It collects:
- Aggregated browser type (Firefox, Chrome, Safari, etc.)
- Aggregated device type (desktop, mobile, tablet)
- Aggregated region (state-level for US)
- Page views per URL
- Referrer if available
What Umami does not do: set cookies, store a persistent identifier, share data with anyone, profile individual visitors, or correlate sessions across visits. It uses a daily-rotating hash to deduplicate within a single day. The hash is gone the next day. This is not PII under any privacy framework.
2. Caddy Access Logs
Every web server keeps access logs. That's not a tracker, it's basic infrastructure: when your browser asks for a page, the server records that a request came in. The log would exist whether we read it or not.
Some visitor IPs hit our server directly and get logged. Many don't, because edge providers and CGNAT mask them on the way through. We do not save IPs long-term, we do not link them to individuals, and we do not share them with anyone. Logs rotate out on a 30-day cycle.
What we use the logs for: aggregate traffic patterns, abuse response, and bot identification. Not user tracking. Not advertising. Not anything else.
What we built on top: a small dashboard that visualizes the access logs server-side. The dashboard code, with example screenshots showing truncated IPs in the visualization, will be published on Forgejo for anyone to inspect, take, and use on their own infrastructure.
What We Don't Run
- No Google Analytics
- No Facebook Pixel
- No retargeting beacons
- No advertising-network trackers
- No third-party SaaS analytics
- No persistent identifiers in your browser
- No GDPR or CCPA consent banner because nothing on this site requires consent
Don't trust us. Verify us. Open developer tools (F12) and click the Storage or Application tab. The cookies set by OSS: zero.
Then check the Network tab. You'll see one call to our self-hosted Umami endpoint and the static assets the page needs. No advertising networks. No trackers. No SaaS analytics dialing home.
The Customer Dashboard, Same Story
The customer dashboard is reachable only through the WireGuard tunnel. Access is enforced at the network layer: requests from a tunnel IP are served, requests from anywhere else get a 403 before the application ever sees them. There is no login form, no session cookie, no auth token in your browser. If your packets can reach the dashboard, you're authorized. If they can't, you're not. That's the entire access model.
So the cookie count on the dashboard is also zero. Same story as the marketing site, different reason.
Now ask yourself: how do the other VPNs handle this?
Their cookie banners. Their third-party trackers. Their Google Analytics tags. Their Facebook Pixels. Read their cookie policies. Then come back here.
If any of this changes, the page will be updated and the change will be explained.