Privacy Policy
Plain language, no dark patterns. Here's exactly what happens to your data when you read, sign in, or join the conversation here, and how to stay in control of it.
Plain language, no dark patterns. Here's exactly what happens to your data when you read, sign in, or join the conversation here, and how to stay in control of it.
This is Caruso's Conjecture, a personal website and interactive blog run by me, Chris Caruso. This policy explains what happens to your data when you read, sign in, or take part in the community here. I've tried to write it the way I'd want it written for me: plainly, and without hiding the interesting parts in a wall of legalese.
You can read almost everything here without an account and without handing over anything about yourself. Data only really enters the picture when you choose to sign in, react, comment, sign the guestbook, reply, or fork a post.
Signing in is optional and handled by GitHub or Google, whichever you choose. I never see your password. Once you approve the sign-in, I receive a small profile from that provider: your name or username, email address, avatar image, and an account identifier. That becomes your account here so you can be recognized on the things you post.
If you react, comment, sign the guestbook, reply, or fork a post, I store that content along with your account, so it can be shown back to you and to other readers.
Comments, published forks, guestbook signatures, and guestbook replies are public by design. Assume that what you post, along with the display name and avatar on your account, can be seen by anyone who visits.
I collect privacy-conscious usage analytics to understand how the writing lands: which posts get read, how far, how the reader and narration are used, and where things break. Crucially, this records shapes, not substance. It logs things like page views, reading and listening progress, which sections hold attention, clicks on links, theme changes, and performance or error signals. Guestbook analytics contain only public content ids, counts, lengths, actions, and outcomes. They never contain message text, mention display text, author details, or search terms.
If you're signed in, these analytics are tagged with a pseudonymous code derived from your account: a one-way hash, never your name or email, applied only in the moment and never stored on your device. It lets me see how signed-in readers return over time without following anyone around with a cookie.
Like any website, mine sees ordinary request information such as your IP address, browser, and the time of a request. This is used transiently to serve pages, deliver images and audio, and protect the site from spam and abuse (for example, rate-limiting and basic content moderation on the things people post).
If you're in the EEA or the UK, data protection law asks me to have a lawful basis for each way I use your data. Here's the honest mapping:
The site keeps a few things in your browser. Most of them never leave your device.
Usage analytics run cookieless by default: they measure how a single visit unfolds without storing anything that could recognize you on a later one. One analytics cookie, used only to count unique and returning visitors, is set solely where I'm permitted to. Outside the EEA and UK it's on by default; inside the EEA and UK it's set only if you allow it when asked. You can change your mind at any time.
There is no advertising or cross-site tracking here, so there are no advertising cookies to manage.
I do not sell your data, I do not show ads, and I do not use your data to profile or target you anywhere else.
Running the site relies on a small set of trusted service providers. They process data on my behalf, each under its own privacy terms:
I may also disclose information if the law genuinely requires it, or to protect the site, its readers, or my rights. Otherwise, your data stays within this short list.
Some of the providers above (GitHub, Google, Microsoft, Cloudflare, and Discord) are based in the United States, so running the site can involve transferring your data there. Where your data moves outside the EEA or UK, it's covered by an appropriate safeguard, such as the EU-US Data Privacy Framework for certified providers or the European Commission's Standard Contractual Clauses.
localStorage["cc-telemetry-opt-out"] = "1" in your browser. Your local reading preferences keep working; they never left your device to begin with.If you're in the EEA or the UK, you have rights over the personal data I hold about you:
To exercise any of these, just email me at hello@chriscaruso.dev. You also have the right to complain to your local data protection authority, though I'd genuinely appreciate the chance to put things right first.
This site isn't directed at children, and I don't knowingly collect personal information from anyone under 13. If you believe a child has provided information here, email me and I'll delete it.
If this policy changes, I'll update the effective date at the top, and for anything material I'll make the change clear. Continuing to use the site after an update means the revised policy applies.
Anything here unclear, or want to exercise a choice above? Email me at hello@chriscaruso.dev, or use the contact page. Real person, real inbox.