This policy describes what data is collected when you use the appsec.fyi website (https://appsec.fyi) and the appsec.fyi iOS app. The short version: we don't ask for your name, email, or any account. We don't sell data. We don't use advertising.
Data We Do Not Collect
- We do not require an account. There is no sign-up, no login, and no user profile.
- We do not collect your name, email address, phone number, or physical address.
- We do not collect contacts, photos, location, microphone, camera, or health data.
- We do not sell, rent, or share personal data with third parties for advertising.
- We do not use third-party advertising networks or tracking pixels.
Data the iOS App Collects
The appsec.fyi iOS app is a reader for content published on the appsec.fyi website. It communicates with the appsec.fyi servers to fetch curated security resources.
- Network requests. When the app loads content, our server receives standard HTTP request data (IP address, user agent, requested URL, timestamp). This is used only for delivering the requested content and for aggregate traffic analysis. Server logs are retained for a limited time and are not linked to any personal identity.
- Anonymous engagement metrics. The app may record anonymous events such as which topics or resources are opened. These events are aggregated to power features like trending topics. They are not tied to a user identifier, device identifier, or account.
- Local preferences. Preferences you set inside the app (such as theme choice or favorited topics) are stored on your device. They are not transmitted to our servers.
- Apple App Analytics. Apple may provide us with aggregated, anonymized usage and crash statistics through App Store Connect. We do not receive personal identifiers from Apple.
Data the Website Collects
- Server logs. Standard web server access logs (IP, user agent, requested URL, referrer, timestamp) are retained for a limited time for security and troubleshooting.
- Analytics. The website uses Clicky and Google Analytics to measure aggregate traffic. These are proxied through our domain as first-party requests. No personal data is collected beyond what these analytics services normally record (approximate location derived from IP, browser/OS, referring site).
- Click tracking. When you click a resource link on a topic page, an anonymous beacon is sent to our server to count clicks. No user identifier is attached.
- Local storage. We store your theme preference (dark/light) in your browser's localStorage. This stays on your device.
Third-Party Services
The following third-party services process limited data on our behalf:
- Clicky and Google Analytics — aggregate website analytics (website only, not the iOS app).
- Apple App Store — app distribution and crash/usage reporting (iOS app only).
- Buttondown — if you voluntarily subscribe to the email newsletter, your email address is stored with Buttondown, our newsletter provider. You can unsubscribe at any time from any newsletter email.
Resources linked from appsec.fyi are hosted by third parties. When you follow an outbound link, you leave our site or app and become subject to the privacy policy of that third party.
Children
appsec.fyi is not directed at children under 13. We do not knowingly collect data from children.
Your Choices
- You can browse without creating an account — there is no account to create.
- You can block analytics in your browser or iOS settings, and the site and app will continue to function.
- You can uninstall the iOS app at any time, which removes all locally stored preferences.
- You can unsubscribe from the newsletter at any time using the link in any email.
Security
All traffic to the website and iOS app is encrypted with HTTPS (TLS 1.2/1.3). Our servers are maintained with current security practices.
Changes to This Policy
If this policy changes, the "Last updated" date at the top of this page will be revised. Material changes will be announced on the website.
Contact
Questions about privacy? Contact Carl Sampson at chs.us or on X (@chs).