The same definitions from the Terms of Service §00 apply throughout this Privacy Policy. In particular:
The pages on damned.wtf are static, client-side educational resources. Access to the Site is gated by a one-time human-verification check (Cloudflare Turnstile); this is the only server-side processing performed by the Operator, implemented as lightweight edge functions solely to confirm you are not an automated bot. There is no database, no user accounts, no usernames or passwords, no persistent data storage, and no analytics or tracking implemented or controlled by the Operator.
The sole purpose of the Site is to educate visitors about browser security, privacy concepts, and related technical topics. Nothing here is intended as a commercial service.
Cloudflare) for basic delivery, caching, and DDoS protection. This is standard web infrastructure behaviour entirely outside the Operator's direct control — refer to your hosting/CDN provider's privacy policy for their logging and data retention practices.
The Operator sets a single strictly-necessary cookie (__Host-human_verified) after you pass the verification check, so you are not asked to verify again on every page. It contains only a signed, time-limited token — no personal data, no identifier that follows you across sites, and nothing used for tracking, advertising, or analytics. The Operator does not use pixels, beacons, localStorage, or any other persistent identifier.
The Operator retains no information about you. The verification token and IP address used for the bot check are processed only momentarily to confirm the check with Cloudflare and are not stored by the Operator. The purpose of the Site is purely educational — to demonstrate concepts in a transparent, privacy-respecting way.
The Operator sets one strictly-necessary cookie, __Host-human_verified, once you pass the human-verification check. It exists solely to remember that your browser cleared the bot check so you are not re-prompted on every page. It stores only a signed, time-limited token, holds no personal data, and is never used for tracking, profiling, advertising, or analytics. Because it is essential to providing the Site you requested, no consent banner is required for it under the ePrivacy Directive / GDPR. No other cookies or tracking technologies are set by the Operator.
The Operator does not sell, rent, trade, or disclose visitor information for advertising or profiling. Limited technical data may be transmitted to infrastructure providers (currently Cloudflare for hosting, CDN, security, and human-verification) as necessary to deliver, cache, secure, and protect the Site, governed by those providers' own policies. Third-party requests you initiate by clicking external links are made directly by your browser and are not proxied, intercepted, or logged by the Operator.
For visitors in the European Economic Area (EEA) or United Kingdom subject to the EU or UK General Data Protection Regulation, the following Article 13 transparency notice applies to the limited technical data processed to deliver and protect the Site:
The Operator does not profile visitors, build audiences, or engage in automated decision-making. No Data Protection Officer is appointed, as the Operator does not carry out large-scale or systematic monitoring nor process special-category data.
The Site does not host user-generated content, provide user accounts, operate a marketplace, or offer a public content-sharing platform. It is a personal, non-commercial journal with no contact channel. To the extent any digital-services rules apply, the Operator will respond to valid legal process as required by applicable law. As baseline principles:
As of 2026, comprehensive privacy laws are in effect across numerous US states including California (CCPA/CPRA), Virginia (CDPA), Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Nebraska, Maryland, Indiana, Kentucky, and Rhode Island, among others.
The Operator does not believe the Site falls within comprehensive US state privacy-law thresholds because it is personal, non-commercial, does not sell or share personal information, does not engage in targeted advertising, and does not intentionally collect personal information at scale. Those laws generally impose obligations only on for-profit businesses meeting revenue or volume thresholds (for example, CCPA applies to businesses with annual gross revenue above roughly $26.6M, or that buy/sell/share the personal information of 100,000+ California residents, or derive 50%+ of revenue from selling/sharing personal information).
The Operator does not sell, share, rent, or trade personal information, does not process sensitive personal data, and does not engage in targeted advertising. If the Site's operation, ownership, traffic, or monetisation changes such that these laws apply, this policy will be updated.
All content on the Site is provided strictly for personal, educational, and informational purposes.
Prohibited uses include, without limitation:
The Site and all content are provided "as is" and "as available" without warranties of any kind, express or implied, including but not limited to merchantability, fitness for a particular purpose, accuracy, or non-infringement.
To the maximum extent permitted by applicable law, the Operator of damned.wtf — a single private individual operating a personal, non-commercial educational site with no registered legal entity — shall not be liable for any direct, indirect, incidental, special, consequential, or exemplary damages arising from your use of or inability to use the Site, including reliance on any information presented here.
You use this Site entirely at your own risk, and the Operator owes you nothing for it. The Site has always been free — no payment, subscription, fee, or consideration of any kind is required or solicited — and to the fullest extent permitted by applicable law, the Operator excludes all liability for any loss, damage, or consequence arising from your use of or reliance on the Site, regardless of the theory of liability and regardless of whether the Operator was warned such loss was possible. The only liability not excluded is liability that cannot lawfully be excluded — such as for fraud, wilful misconduct, or death or personal injury caused by negligence — because no document can waive those.
Content on the Site is for general educational purposes only and does not constitute professional security, legal, or technical advice. Do not rely on it as a substitute for professional consultation.
All original content, code, and design on damned.wtf is the property of the Operator unless otherwise noted. You may view and reference content for personal and educational use. Reproduction, redistribution, or commercial use without explicit permission is prohibited.
Third-party libraries, fonts, or services used on the Site retain their respective licenses and ownership.
The Site is not directed to children under 13 (under US COPPA), or under 16 where applicable under GDPR, and the Operator does not knowingly collect personal information from children. If the Operator becomes aware that personal information from a child has been collected or retained, the Operator will take reasonable steps to delete it where within the Operator's control. The FTC's amended COPPA Rule had an effective date of June 23, 2025, with a compliance deadline of April 22, 2026 for regulated entities.
The content on the Site is technical and educational in nature, intended for users with a baseline understanding of web and browser technologies. If you are under the applicable age in your jurisdiction, please use the Site only with parental or guardian supervision.
The Site does not itself provide an AI system, make automated decisions about users, or profile visitors. Where content is substantially assisted by or generated with AI tools, the Operator may label it as a transparency practice; this is a best-effort commitment and does not create an enforceable obligation. The EU AI Act entered into force on August 1, 2024 and is generally applicable from August 2, 2026, with exceptions. The Operator does not intend the Site's current static content to trigger AI Act obligations, but this may be reassessed if the Site's functionality changes.
The page at damned.wtf/infosec is a static cybersecurity education guide. The following privacy-specific clarifications apply:
The Operator keeps no user database, accounts, or stored user records, so there are no such records that could be breached from the Operator's side; the only backend is the stateless human-verification check, which retains nothing about you. The Site is served over HTTPS. Security of your own device, network, and browser is your responsibility.
This policy is governed by and construed in accordance with applicable law. As this is a personal, non-commercial educational site with no established legal entity, no single jurisdiction is designated; however, you agree that your use of the Site complies with the laws of your own jurisdiction. Nothing in this policy limits rights you may have under applicable mandatory consumer protection or data protection laws in your country of residence.
The Operator may revise this policy at any time. The "Last updated" date at the top of this page reflects the most recent revision. Non-material changes (e.g. wording clarifications) take effect immediately upon posting — continued use constitutes acceptance. If a material change is ever made to data collection practices (currently: none collected), that change will be made clearly visible on this page. Checking this page periodically is your responsibility.
The Site does not provide anonymity. It does not protect your privacy. It is not a security tool. Nothing here will make you harder to track, safer online, or less identifiable to any third party.
You are solely responsible for your own security and privacy posture.
The Operator does not maintain user accounts, application-level user logs, or visitor profiles. The verification cookie is a stateless signed token kept only in your own browser, of which the Operator retains no copy. The Operator can only produce records that are actually within the Operator's possession, custody, or control, and will respond to valid legal process as required by applicable law.
In the event of any law enforcement request or legal process:
By accessing the Site, users acknowledge and agree to the full Terms of Service — including the Release of Claims, Assumption of Risk, and Law Enforcement clauses. Those terms remain binding.
This Privacy Policy explains the Site's data practices only. The legal terms governing use of the Site — including warranties, limitation of liability, assumption of risk, indemnification, and law-enforcement provisions — are set out separately in the Terms of Service.