Privacy

What this site stores, what it sends, and what it doesn't. Written plainly because the alternative is what everyone else is doing.

The short version

No cookies. No cross-site trackers. No persistent identifiers. No fingerprinting. Analytics is aggregate-only and first-party. That's why there's no consent banner getting in your way, I don't need one.

What the audit preview stores locally

If you run the audit preview at /scan, the wizard uses your browser's sessionStorage, wiped the moment you close the tab, for two things:

  • scan:has-live-session, remembers that you just ran the preview, so the shared result page can link you back to your own result.
  • scan:wizard-result-percent, remembers that the result count-up animation already played, so it doesn't replay on navigation.

That's the complete list. Nothing is written to cookies or localStorage, nothing is persistent across tabs, and nothing about either flag is ever sent to me or to a third party.

Analytics

I use Plausible, a privacy-focused analytics service, proxied through bart.consulting/pa/* so the script and event beacons stay on this domain. Plausible:

  • Counts aggregate page views and named events (audit preview wizard funnel steps, CTA clicks, share actions).
  • Does not set any cookies, neither first-party nor third-party.
  • Does not store IP addresses, device IDs, or any persistent identifier that could link visits to a person.
  • Does not track you across other sites.

I look at these numbers to understand which pages get read and where people drop off in the audit preview wizard. I can't tell who you are from them.

Third parties loaded by the site

  • FontAwesome icon kit, loaded from kit.fontawesome.com for the icons used in navigation and content. FontAwesome may log the request per their own policy.
  • Fonts, self-hosted. No Google Fonts CDN call, so Google does not see your visit through a font request.

No embedded videos, maps, calendars, chat widgets, remarketing tags, or advertising networks are on this site.

Server logs

The site is hosted on AWS Amplify. Amplify keeps standard request logs (timestamp, IP, requested URL, user agent) according to AWS defaults. I use these only for debugging and abuse prevention, not for analytics or profiling.

If you run the audit preview

The audit preview uses an OAuth connection to your Jira to read cycle time and throughput data. The connection is yours to start and yours to revoke, details and the security model are in the preview wizard itself and in the How the Audit Works page. No Jira credentials ever touch my servers; the integration uses a short-lived access token on your behalf.

Questions

If anything here is unclear, or if you want to know something I haven't covered, email bart.pinnock@nimflex.be and I'll answer directly.