Privacy Policy

What data this site holds, and what we do (and don't) do with it.

Short version

We don't track you

secctrl.fyi does not use cookies, does not run advertising trackers, and does not collect any personally identifiable information. There is no login, no account, and no persistent user profile of any kind.

The data described below is used only to understand aggregate usage patterns (e.g. "how many people use the compare page?") and to detect abuse. It is not sold, shared with third parties, or used for advertising.

Request Analytics

What the API logs

Every request to the API at api.secctrl.fyi is recorded in Cloudflare Analytics Engine — Cloudflare's append-only, aggregate-analytics platform. The following fields are recorded per request:

  • Client IP address — stored as the Analytics Engine index field for cardinality purposes; used only in aggregate and not linked to anything else
  • Normalised request path — e.g. /api/controls/:id, not the raw URL
  • Country code — e.g. AU, derived from Cloudflare's IP geolocation
  • Cloudflare data centre — e.g. SYD, the PoP that served the request
  • Cache status — whether the response was a cache HIT or MISS
  • Entity — the control ID or version pair being requested (e.g. ism-1173)
  • HTTP status code and response time (ms)

No user-agent, referrer, or any other header is recorded, and no query string content is recorded beyond what is listed above.

Analytics Engine data is retained and processed by Cloudflare in accordance with Cloudflare's Privacy Policy.

Infrastructure

Cloudflare

This site is hosted on Cloudflare Pages and the API runs on Cloudflare Workers. As the network provider, Cloudflare may process connection metadata (IP addresses, TLS handshakes) in the normal course of providing CDN and DDoS protection services. This is governed by Cloudflare's Privacy Policy.

Fonts

Google Fonts

This site loads the Geist and Geist Mono typefaces from Google Fonts (fonts.googleapis.com). Loading fonts from Google's CDN means your browser makes a request to Google, which may log your IP address. This is governed by Google's Privacy Policy.

Cookies & Storage

Cookies and local storage

This site uses no cookies. The only item stored in your browser is your theme preference (light or dark mode), saved to localStorage under the key theme. This data never leaves your device.

Rate Limiting

Rate-limit bypass tokens

Some users are issued a personal bypass token that removes the API rate limit. Each token is associated with an email address and stored in Cloudflare D1 (a managed SQLite database), alongside an optional expiry date.

Email addresses collected for this purpose are used solely to identify the holder of a bypass token. They are never used for marketing, never shared with third parties, and never used for any purpose other than managing access to the rate-limit bypass feature.

Contact

Questions

If you have questions about this policy, contact @wan0net on LinkedIn.

Last updated: February 2026.