> cat /legal/privacy.md

Privacy Policy

Cookies

We use a single session cookie (steve_session) for authentication when you sign in with GitHub. It is httpOnly and used solely for auth — not for tracking. We currently do not use any marketing, analytics, or third-party cookies. Vercel Analytics, which we use for basic traffic metrics, is cookieless.

Email addresses

If you sign in with GitHub, we request access to your primary verified email address. If you subscribe to new post notifications, you provide your email directly. In both cases, your email is encrypted at rest using AES-256-GCM before being stored. We use your email only to send you notifications you opted into (comment replies or new posts). We never share your email with third parties.

Email notifications

We send email through Resend. Every email includes an unsubscribe link. GitHub users receive reply notifications by default when Steve mentions their username. Anonymous subscribers receive new post notifications after confirming via double opt-in.

Unsubscribe & data deletion

Every email we send contains an unsubscribe link. Clicking it permanently deletes your encrypted email from our storage. You can unsubscribe at any time.

GitHub data

When you sign in with GitHub, we store your username and avatar URL (both publicly available on GitHub) to display alongside your comments. We do not access your repositories, gists, or any other GitHub data.

Changes

We may update this policy as the site evolves. Significant changes will be noted on this page.

Last updated: March 2026