Privacy policy
Last updated 2026-05-29
This site is a static, publicly readable reference. There are no user accounts, no comments, no forms, and no transactions. We collect a small amount of aggregate analytics — see below — and nothing else. This page exists because the spec lists a privacy policy as required, and because honest disclosure is the only kind worth publishing.
Data controller
Joost de Valk (joost.blog) operates this site as a personal open-source project. For privacy questions, email [email protected].
What we collect
The site sets no cookies and stores nothing in your browser. For ordinary browser visits, the only data we collect is aggregate page-view analytics via Plausible (separate server-side aggregate logging for crawlers and MCP / A2A calls is described under Logs and hosting):
- URL of the page you loaded.
- HTTP referrer (which site sent you, if any).
- Browser, operating system, and device type — derived from the User-Agent string and discarded after the request.
- Country, derived from your IP address. Your IP address itself is never stored.
What Plausible deliberately does not do:
- No cookies, no localStorage, no fingerprinting.
- No cross-site tracking. No identifier follows you to another site.
- No personal data, no profiles, no advertising. The data is aggregated and cannot be used to identify you.
Plausible is GDPR, CCPA, and PECR compliant by design and does not require a cookie banner. See Plausible's data policy and privacy policy for the full detail. Aggregate statistics are stored on EU servers operated by Plausible Insights OÜ in Estonia.
Beyond analytics:
- No accounts, no login, no profile data.
- No forms — there is nothing to submit.
- No third-party scripts other than the single Plausible request to plausible.io/js/script.js.
- No advertising network.
Logs and hosting
The site is hosted on Cloudflare Pages. Cloudflare may process request metadata (IP address, user-agent, requested URL, timestamp) as a normal part of serving the site and protecting it from abuse, governed by Cloudflare's own privacy policy. We do not receive a copy of that data and do not use it for analytics.
We do record aggregate request metadata for two non-human traffic streams in Cloudflare Analytics Engine — an internal dashboard at /admin/stats (gated by Cloudflare Access) reads it:
- Crawler / AI-agent traffic: when a request matches a known AI / LLM / search crawler User-Agent, carries a Signature-Agent header, is verified-bot per Cloudflare, or asks for text/markdown, we record the bot name, path, country, method, referer, and User-Agent (truncated). No IP address is stored.
- MCP / A2A calls to mcp.specification.website: we record the JSON-RPC method, tool name, the first 500 bytes of arguments, client name/version, protocol version, country, and User-Agent (truncated). No IP address is stored.
Neither stream covers ordinary browser visits. Both are kept to understand which agents use the spec and the MCP server, and how. The data lives in Cloudflare's Analytics Engine under our account; retention follows Cloudflare's defaults.
GitHub
Source content lives on GitHub. If you open an issue or pull request, that interaction is governed by GitHub's privacy statement, not this one.
Signals we respect
- Do Not Track / Global Privacy Control: Plausible does not respect DNT or GPC because the analytics it runs do not constitute the kind of tracking those signals were designed to stop. If you disagree, block plausible.io in your browser or use an extension such as uBlock Origin — the site continues to work without it.
- Browser content blockers: the Plausible request is blocked by all common content blockers. We notice no difference; you get the same site.
Children
The site is a public technical reference. It is suitable for anyone, including under-13s, because it collects no personal data and has no interactive features.
Changes to this policy
If the site ever changes in a way that adds data collection (it should not), we will update the date at the top of this page and announce the change in the repository.
Your rights
Under the UK GDPR and EU GDPR you have the right to access, correct, delete, restrict, and port any personal data we hold on you. Because we hold none, the practical answer to any such request is “we have nothing on you”. If you believe we are mistaken, email us and we will investigate within 30 days.
Related
- The spec page on privacy policies — what this page is required to cover, and why.
- All privacy-category spec pages.