Privacy
What the site knows about you, and what it does not.
Stance
baki.io inverts the default web stance. Where most sites hide what they collect, this one shows you. Everything stored about your visit is visible to you at /system/your-presence, and you control what stays.
What gets stored
Three tiers, each consented to separately:
Essential - always on, because without them the site cannot function. Session identifiers, viewport dimensions, interaction state.
Engagement (Tier A + B, client-side only) - reading dwell, focus paths, preferences. Lives in your browser; never leaves your device.
Traffic (Tier C, server-side aggregates) - k-anonymized device and content-affinity stats that let the site show how it is actually being read. Opt-in.
What is never stored
- Your name, email, or any direct identifier in this site’s own datastores.
- Location data (the Ambient register mode reads only your device timezone).
- Third-party tracking scripts beyond the single Plausible analytics pixel disclosed below.
Hosting-layer transparency: see “Server access logs” below for what the static-site host (Cloudflare Pages) and the edge / CDN (Cloudflare) see in transit. baki.io itself does not read or persist those logs.
Your rights
- See - everything stored is mirrored at /system/your-presence.
- Export - download a JSON file of your Tier A + B data at any time.
- Forget - wipe your local state with one click.
- Dissent - revoke consent per tier or all at once.
The full data-subject rights list under GDPR (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to a supervisory authority) is enumerated in “Legal disclosures (GDPR Art. 13)” further down this page.
Revoke annotation consent. If you previously chose Accept or Reject when prompted to send annotations to Baki for review, the button below removes that decision from this device and clears any annotation drafts pending on this device. The next time you press Send, the consent prompt appears again.
Controller
The data controller (Verantwortlicher under Art. 4(7) GDPR) for personal data processed via baki.io is:
Baki Bektaş Wasserwerkstraße 20 13589 Berlin, Germany Privacy contact — design@baki.io
A formal Data Protection Officer (DPO) is not appointed: this is a personal site whose processing activities do not meet the thresholds set out in Art. 37 GDPR or §38 BDSG (no large-scale systematic monitoring, no special-category processing, no employee count engaging the German appointment threshold). Direct privacy correspondence to the privacy contact above.
Contact
For privacy questions, exercising data-subject rights, or any GDPR matter: design@baki.io. Responses are typically within 30 days as required by Art. 12(3) GDPR. Other channels are listed in /system/colophon.
Purposes and legal bases
Each data flow is processed for a specific purpose under a specific Art. 6 legal basis:
| Data flow | Purpose | Legal basis |
|---|---|---|
| Plausible analytics pixel | Aggregate page-level traffic counts (page, referrer-class, country, device-class). Cookieless; no cross-site identifier. | Art. 6(1)(f) GDPR — legitimate interest in understanding which writing is read, balanced against minimal-data design. |
| Visitor presence telemetry (localStorage Tier A/B: dwell, focus paths, preferences, drop drafts) | Personalize reading experience, surface presence at /system/your-presence, drive consent toggles. Stored client-side only. | Art. 6(1)(a) GDPR — explicit opt-in consent. Withdrawable per tier from the presence page. |
| Tier C traffic aggregates (server-side k-anonymized stats, when wired) | Show how the site is actually being read. K-anonymity threshold ≥ 5; raw events not retained. | Art. 6(1)(a) GDPR — opt-in consent. |
| Drop submissions (visitor comments via the Signal Drop compose form) | Receive visitor commentary, route through moderation queue, optionally publish on the relevant page. | Art. 6(1)(b) GDPR — performance of the implicit “publish my comment” agreement; combined with Art. 6(1)(a) consent for the act of submission. |
| Server / edge access logs (Cloudflare Pages static host; Cloudflare edge) | Operate, secure, and debug the site. Detect abuse. | Art. 6(1)(f) GDPR — legitimate interest in network and information security (ref. Recital 49). |
| Rate-limit state (hashed IP key in Cloudflare Workers KV, used by the save-layout and submit-drop Workers) | Throttle write endpoints at 120 requests / hour / IP to prevent abuse. | Art. 6(1)(f) GDPR — legitimate interest in network and information security. TTL: 1 hour (expirationTtl: 3600 in workers/save-layout/src/index.ts). |
| localStorage — strictly-necessary (session id, viewport, UI preferences, presence registers) | Site cannot function without these — render the correct register, persist consent toggles, remember reading position within a session. | TTDSG §25(2) Nr. 2 — strictly necessary for the requested service; no consent required. Read-out / storage exemption per §25(2) Nr. 2 TTDSG mirrors Art. 5(3) ePrivacy. |
| localStorage — consent-requiring (Tier A/B engagement: dwell, focus paths, drop drafts; visitor annotations syncing to server) | Personalize reading, enable presence dashboard, allow visitor annotations. | TTDSG §25(1) — explicit consent required for storage / read-out. Combined with Art. 6(1)(a) GDPR for any subsequent server-side processing. |
Recipients and processors
Personal data may be processed by the following recipients, each acting as a processor under Art. 28 GDPR (Auftragsverarbeitung) where applicable:
| Recipient | Role | Data category | Location | Legal vehicle |
|---|---|---|---|---|
| Cloudflare, Inc. | Static-site host (Cloudflare Pages — origin since 2026-05-19), CDN / reverse proxy / DNS, Workers runtime (save-layout, submit-drop) and Workers KV (rate-limit state). | IP address, user agent, request URL, TLS metadata (in-transit + briefly at origin), rate-limit key (hashed IP, 1 h TTL). | Global edge network (incl. EU + US). | Cloudflare Customer DPA — https://www.cloudflare.com/cloudflare-customer-dpa/. Standard Contractual Clauses (SCCs) for any US transfer; Cloudflare is a self-certified participant in the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023). |
| Plausible Insights OÜ | Privacy-focused analytics — Plausible Cloud, EU-hosted. | Cookieless aggregate page events (no IP retained beyond hashing for daily uniques). | Estonia (EU). | Intra-EU processing; Plausible DPA — https://plausible.io/dpa. |
| GitHub, Inc. | (a) Source-code hosting for the static site (open-source repository). (b) Drop-submission moderation queue — the submit-drop Cloudflare Worker writes accepted submissions to a private GitHub repo via the Contents API. | (a) Public Git history of the site; no visitor data. (b) Drop body text, anchor slug, visitor handle (self-chosen), trust tier, validation snapshot. No visitor IP, no UA, no Plausible identifier is sent to GitHub. | Global (US-headquartered, EU edge available). | This site uses a free GitHub personal account. GitHub’s formal Data Protection Agreement at https://docs.github.com/en/site-policy/privacy-policies/github-data-protection-agreement applies to paid tiers; the free-tier relationship is governed by the GitHub Privacy Statement (https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement) and the GitHub Terms of Service. SCCs for any US transfer; GitHub is a self-certified participant in the EU-US Data Privacy Framework (Adequacy Decision 2023/1795). |
No data is sold. No data is shared with advertisers. No data is enriched against third-party identity graphs.
Retention
| Category | Retention period | Notes |
|---|---|---|
| Tier A/B engagement (localStorage) | Until you clear browser storage or click Forget at /system/your-presence. | Never transmitted; nothing for the controller to delete server-side. |
| Tier C traffic aggregates | 90 days at the aggregator level. Raw events not retained. | k ≥ 5 anonymity floor. |
| Plausible aggregate stats | Plausible’s default — page-level aggregates retained indefinitely; no per-visitor records. Daily-unique salts rotate every 24 hours. | Cookieless. No cross-day re-identification. |
| Drop submissions (accepted) | Retained on baki.io as long as the parent page is published. Deletable on request. | Public once moderated. |
| Drop submissions (rejected) | Not stored beyond the validation response. | The Worker rejects + discards in the same request. |
| Cloudflare Pages access logs (origin) | Cloudflare’s defaults for Pages (aggregate metrics retained; per-request logs not exported to baki.io). | Not aggregated or analyzed by baki.io. |
| Cloudflare edge logs | Cloudflare’s default for the free tier (≤ 24 hours raw; aggregate metrics longer). | Not exported to baki.io. |
| Rate-limit state (Workers KV) | 1 hour (expirationTtl: 3600) per save-layout Worker. | Hashed-IP key; auto-evicted on TTL expiry. |
International transfers
baki.io is operated from Berlin, Germany. The controller (Baki Bektaş) is based in the EU. Two data flows can leave the EU/EEA:
- Cloudflare (CDN, Pages origin, Workers runtime, Workers KV) routes requests through the nearest edge node, which may be a US point of presence depending on visitor location and load. Transfers are covered by Cloudflare’s Standard Contractual Clauses and by Cloudflare’s self-certified participation in the EU-US Data Privacy Framework — see European Commission Adequacy Decision (EU) 2023/1795 of 10 July 2023.
- GitHub hosts source code and the drop-submission moderation queue on US infrastructure. Transfers are covered by GitHub’s Standard Contractual Clauses and by GitHub’s self-certified participation in the EU-US Data Privacy Framework (same Adequacy Decision 2023/1795).
- Plausible Cloud processing remains intra-EU (Estonia); no third-country transfer.
A copy of the relevant SCCs / DPF certifications can be requested from the controller email above.
Automated decision-making
None. baki.io performs no profiling, no scoring, and no automated individual decisions within the meaning of Art. 22 GDPR. Drop submissions pass through automated content validation (length, profanity, link-density, rate-limit) — these are uniform safety filters, not individual decisions, and every accepted drop is reviewed by a human (Baki) before publication.
Server access logs
Honesty over claims: when your browser hits baki.io, multiple Cloudflare-operated layers generate access logs that the controller does not routinely read but which exist:
- Origin (Cloudflare Pages) — since 2026-05-19 the static site is hosted directly on Cloudflare Pages (no third-party origin host). Pages serves the static export; request metadata flows through Cloudflare’s standard analytics. Per-request raw logs are not exported to baki.io.
- Edge (Cloudflare CDN) sees the same fields in transit (IP address, User-Agent, request path, referrer, response status, timestamp), plus TLS metadata. Cloudflare retains aggregate metrics on the free tier; raw logs are not exported to baki.io.
- save-layout Worker (Cloudflare Workers + KV) processes live editorial saves and writes them back to the GitHub repo via the Contents API. It uses a hashed-IP key in Workers KV for rate-limiting at 120 requests / hour / IP (TTL 1 h). Source:
workers/save-layout/src/index.ts. - submit-drop Worker (Cloudflare Workers) processes drop submissions. The Worker does not log visitor IPs to GitHub. The moderation-queue file written to GitHub contains only the visitor’s chosen handle, trust tier, drop text, and validation snapshot. Cloudflare’s own runtime logs may briefly capture request metadata; the Worker code itself emits only generic error strings keyed on the drop id. Source:
workers/submit-drop/index.ts.
If access-log retention or contents change materially (e.g. another host migration), this section and the version stamp at the top of the page update.
Supervisory authority
For data subjects in Germany, the competent supervisory authority for this controller (resident in Berlin) is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) Friedrichstraße 219 10969 Berlin, Germany Telephone: +49 30 13889-0 Email: mailbox@datenschutz-berlin.de Web: https://www.datenschutz-berlin.de/
Data subjects may also lodge a complaint with the supervisory authority of their EU/EEA Member State of residence, place of work, or alleged infringement (Art. 77 GDPR).
Legal disclosures (GDPR Art. 13)
For visitors in the EU, the disclosures required by GDPR Article 13 / ePrivacy Directive are summarized here in tabular form. This complements (does not replace) the plain-language stance above; if the table and prose conflict, the table is authoritative.
| Field | Value |
|---|---|
| Data controller (Art. 13(1)(a)) | Baki Bektaş — Wasserwerkstraße 20, 13589 Berlin, Germany. Privacy contact: design@baki.io. |
| Data Protection Officer (Art. 13(1)(b)) | None appointed; thresholds in Art. 37 GDPR / §38 BDSG not met. Privacy contact: design@baki.io. |
| Legal basis — Tier Essential (Art. 13(1)(c)) | Art. 6(1)(f) GDPR — legitimate interest: the site cannot function without session identifiers and viewport dimensions. Storage on the device additionally exempted under TTDSG §25(2) Nr. 2 (strictly necessary). |
| Legal basis — Tier A/B (Engagement) | Art. 6(1)(a) GDPR — consent. Stored entirely client-side; never transmitted. Storage on the device requires TTDSG §25(1) consent. Revocable per tier on /system/your-presence. |
| Legal basis — Tier C (Traffic) | Art. 6(1)(a) GDPR — consent. Opt-in. K-anonymized server-side aggregates. |
| Legal basis — Plausible analytics | Art. 6(1)(f) GDPR — legitimate interest. Cookieless, aggregate, no cross-site identifier; does not set or read information on the terminal device beyond what is strictly necessary, so TTDSG §25(2) Nr. 2 applies. |
| Legal basis — Drop submissions | Art. 6(1)(b) GDPR (contract — “publish my comment”) combined with Art. 6(1)(a) (consent at the act of submission). |
| Legal basis — Server / edge access logs | Art. 6(1)(f) GDPR — legitimate interest in network and information security (Recital 49). |
| Legal basis — Rate-limit state | Art. 6(1)(f) GDPR — legitimate interest in preventing abuse of write endpoints. |
| Legal basis — Visitor annotations syncing to server | Art. 6(1)(a) GDPR — consent. Withdrawal of consent and erasure within 30 days via design@baki.io. |
| Retention — Engagement (Tier A/B) | Until you clear browser storage or click Forget on /system/your-presence. |
| Retention — Traffic aggregates (Tier C) | 90 days; raw events not retained; k ≥ 5. |
| Retention — Plausible aggregate stats | Page-level aggregates retained per Plausible defaults; daily-unique salts rotate every 24 h. |
| Retention — Drops (accepted) | Lifetime of the parent published page; deletable on request. |
| Retention — Drops (rejected) | Not retained beyond the validation response. |
| Retention — Cloudflare Pages access logs (origin) | Cloudflare defaults for Pages; per-request raw logs not exported to baki.io. |
| Retention — Cloudflare edge logs | Free-tier defaults (≤ 24 h raw; aggregate metrics longer). |
| Retention — Rate-limit KV state | 1 hour (expirationTtl: 3600 in save-layout Worker). |
| Recipients / processors (Art. 13(1)(e)) | Cloudflare, Inc. (Pages origin + CDN + Workers + KV) — DPA: https://www.cloudflare.com/cloudflare-customer-dpa/. Plausible Insights OÜ (analytics, EU) — DPA: https://plausible.io/dpa. GitHub, Inc. (source-code hosting + moderation queue) — free-tier governed by GitHub Privacy Statement https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement; paid-tier DPA at https://docs.github.com/en/site-policy/privacy-policies/github-data-protection-agreement. |
| Cookies / localStorage (TTDSG §25) | No cookies set by baki.io. localStorage keys split into two regimes: (a) strictly-necessary under TTDSG §25(2) Nr. 2 — session id, viewport, consent state, UI preferences (no consent required); (b) consent-requiring under TTDSG §25(1) — Tier A/B engagement data, drop drafts, visitor annotations. Each clearable from /system/your-presence. |
| International transfers (Art. 13(1)(f)) | Cloudflare may route via US edge (SCCs + EU-US Data Privacy Framework — Adequacy Decision (EU) 2023/1795). GitHub stores source code and the moderation queue in US (SCCs + EU-US DPF, same Adequacy Decision). All other processing intra-EU. |
| Data-subject rights (Art. 13(2)(b)–(d)) | Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent at any time without affecting the lawfulness of prior processing (Art. 7(3)), and the right to lodge a complaint with a supervisory authority (Art. 77). Exercise via design@baki.io. |
| Supervisory authority | Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Friedrichstraße 219, 10969 Berlin. +49 30 13889-0. mailbox@datenschutz-berlin.de. https://www.datenschutz-berlin.de/ |
| Right to lodge a complaint | You may complain to the BlnBDI or the supervisory authority of your EU/EEA Member State at any time (Art. 77 GDPR). |
| Automated decision-making (Art. 13(2)(f)) | None. No profiling, scoring, or automated individual decisions (Art. 22 GDPR). |
| Source of data | Directly from the data subject (you) via the browser. No data is acquired from third-party data brokers. |
| Statutory / contractual requirement (Art. 13(2)(e)) | Provision of personal data is not a statutory or contractual requirement. You are not obliged to provide any data; declining means certain features (Tier A/B presence, drops, visitor annotations) are unavailable. |
Changes to this policy
When this document changes, the version number at the top updates and the date of the revision is recorded. Every commit-level snapshot is auto-archived to docs/legal/privacy/ — see the revision index for the full chronology.