This policy explains what data OSA Tracker (“we”, “us”) collects and how we use it. We are run by the OSA Tracker maintainers. The simple version: there are no user accounts, we don’t track you, and we never store your raw IP address.
1. Who we are
The data controller for this service is the OSA Tracker maintainers. For any privacy query or to exercise your rights, contact [email protected].
2. What we collect and why
- Submitted domains and metadata. When someone submits a domain we store the domain name and the details provided (block type, category, an optional note). This is information about websites, not about you, and forms the public dataset.
- A hashed IP address. When you submit a domain or download an export, we take your IP address, combine it with a secret salt, and store only the resulting irreversible SHA-256 hash. We use it solely for rate limiting and to detect abuse/spam. We do not store raw IP addresses. Lawful basis: our legitimate interests in keeping the service available and abuse-free (UK GDPR Art. 6(1)(f)).
- No analytics or tracking. We do not use advertising or analytics cookies, tracking pixels, or third-party profiling.
3. Cookies and local storage
- Public pages set no cookies. Your preferences (theme, the “show explicit” toggle, export options) are kept in your browser’s localStorage — they stay on your device and are never sent to us.
- Admin area. After an administrator signs in, a single strictly-necessary session cookie is set to keep them logged in. It is exempt from consent requirements under PECR. Ordinary visitors never receive it.
4. Who we share data with
We do not sell data. We use a small number of processors:
- Anthropic (Claude API) — submitted domain names are sent to Anthropic to automatically classify and screen them. Domain names are not normally personal data. Anthropic processes them under its own terms and does not train on API data.
- Cloudflare — provides our network tunnel, TLS and CDN. As part of routing requests it processes connection data, including IP addresses, as a processor on our behalf.
- Hosting. The service is self-hosted by the OSA Tracker maintainers.
Some of these providers may process data outside the UK; where they do, they rely on appropriate safeguards such as the UK International Data Transfer Agreement or equivalent.
5. How long we keep it
- Domain records are kept indefinitely as part of the public dataset (or until removed by a moderator).
- Hashed IP values are kept for around 30 days and then pruned. In-memory rate-limit counters are transient and cleared on restart.
6. Your rights
Under UK GDPR you have rights to access, rectify, erase, restrict or object to the processing of your personal data, and to complain to the Information Commissioner’s Office (ICO). Because the only visitor data we hold is a one-way salted hash that we cannot link back to you, we may be unable to identify your records in order to action some requests. To make a request, email [email protected].
7. Children
This service is not directed at children. The dataset may reference adult or otherwise sensitive websites; such entries are flagged and hidden from the default list unless a visitor explicitly opts in.
8. Changes
We may update this policy from time to time. The “last updated” date at the top reflects the latest version.