Privacy Policy

Last updated: 6 June 2026

This policy explains what this blog collects, why, where it goes, and how to remove it. It is written to be specific rather than generic legal boilerplate. If anything here isn't clear, contact details are at the bottom.

Who runs this site

This blog is operated by Sigmund Brandstaetter, doing business as OSINT PH, based in Bangkok, Thailand, and Metro Manila, Philippines. References below to "I" and "this site" refer to me as the operator. For legal purposes, I am the data controller for any personal data processed through this site.

What I collect

If you visit a page without subscribing or signing in:

  • Your IP address (used to deliver the content and recorded in standard web server logs)
  • Your user agent string (browser, OS, device hint)
  • The URL you visited and the URL that referred you, if any
  • The time of the visit

This is the same information any web server logs by default. It's used to keep the site running, debug issues, understand which articles get read, and identify abuse (scrapers, brute force, etc.).

If you subscribe to the newsletter:

  • The email address you provided
  • A timestamp of when you subscribed
  • An IP address associated with the subscription, for anti-abuse
  • Engagement data from Mailgun: whether you opened a specific email and whether you clicked a link inside it

If you comment on a post (when commenting is enabled):

  • The display name you provided
  • The comment text
  • A timestamp

What I do not collect:

  • Your real name unless you provide it
  • Demographic information
  • Location data beyond what an IP address reveals
  • Browsing activity on other sites
  • Information from third-party trackers, social pixels, or advertising networks

Third-party processors

Three services handle data on my behalf:

Mailgun (US-based, operates under Standard Contractual Clauses for EU subjects). Delivers newsletter and transactional email. Stores email addresses, sending logs, and engagement data (opens, clicks) for the duration of your subscription plus a short retention window. Mailgun privacy policy: https://www.mailgun.com/privacy-policy/

Cloudflare (US-based, GDPR-compliant under DPA). Sits in front of this site as CDN, DDoS protection, and access control. Sees every request, processes IP addresses to filter abuse, retains aggregated traffic logs for a limited period. Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy/

GoAccess (self-hosted on my own infrastructure). Reads nginx access logs to produce traffic statistics. The data never leaves my server. No third party sees it.

What I do not use:

  • Google Analytics or any Google tracking service
  • Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag, or any other social ad tracker
  • Third-party analytics SDKs of any kind
  • Affiliate networks
  • Programmatic advertising

Cookies

This site uses a minimal set of cookies, all functional:

  • A Ghost member session cookie, set only if you sign up
  • A Cloudflare clearance cookie, set by Cloudflare for bot detection
  • A Cloudflare Access cookie, only set when accessing administrative paths that the public cannot reach

No advertising cookies. No third-party tracking cookies. The site does not present a cookie banner because there is nothing to consent to beyond functional necessity.

Where data is stored

Newsletter data lives in a database on my cloud provider, physically located in their European datacenter. Mailgun stores email delivery data in the United States. Cloudflare data is distributed across their global edge network.

For visitors in the European Economic Area, the United Kingdom, or jurisdictions with similar transfer rules: data transfers to the United States operate under Standard Contractual Clauses and additional safeguards as documented by both Mailgun and Cloudflare.

How long I keep data

  • Newsletter subscriber data: for the duration of your subscription, plus 30 days after unsubscription as an anti-abuse buffer
  • Server access logs: 30 days, then deleted automatically
  • Mailgun engagement data: governed by Mailgun's retention defaults, typically 30 days
  • Comments: retained while the parent post exists, deletable on request

If you delete your subscriber account or unsubscribe, your record is removed within 30 days. Ghost provides built-in member deletion endpoints that I use to handle these requests.

Your rights

You can, at any time:

  • Unsubscribe from the newsletter using the link at the bottom of every email
  • Request a copy of all personal data I hold about you
  • Request deletion of your data
  • Request correction of inaccurate data
  • Object to processing for specific purposes
  • File a complaint with your local data protection authority

To exercise any of these rights, email [email protected]. Responses within 14 days.

Specific frameworks that may apply depending on your location: the EU/UK General Data Protection Regulation, the California Consumer Privacy Act and California Privacy Rights Act, and the Philippine Data Privacy Act of 2012 (RA 10173). The rights above apply to all subscribers regardless of jurisdiction.

Children

This site is not directed at children under 16. I do not knowingly collect data from anyone under 16. If you believe a child has subscribed using your email, contact me and the record will be removed.

Changes to this policy

If this policy changes materially, subscribers will be notified by email at least 14 days before the change takes effect. Non-material changes (typo fixes, clarifications, new processor disclosures that don't change collection) are reflected in the "Last updated" date at the top but not separately notified.

A copy of every previous version is kept on request.

Contact

For any privacy-related question, request, or complaint:

Email: privacy (AT) osintph.info

I aim to respond within 14 days. For urgent matters, indicate "URGENT" in the subject line.