Privacy

What we collect

When you visit Gawk, we log HTTP request metadata (path, referrer, anonymised IP) on Vercel's edge — the standard request log every website keeps. None of that is sold or shared.

If you're in the EU, EEA, UK, or California, and you agree, we also mount Vercel Analytics. That counts which panels open and which pages load. It does not fingerprint you and does not use a persistent device id.

If you subscribe by email, we store the SHA-256 hash of your address, your country and region (from the request header, never the IP), and the tokens for the confirm + unsubscribe links. That's it.

What we don't collect

• We don't track you across sites.
• We don't fingerprint your browser.
• We don't sell data. There is no third-party ad network.
• We don't use LLM scoring or profiling on your input.

Global Privacy Control

If your browser sends a Sec-GPC: 1 header — Firefox does by default, so do Brave and DuckDuckGo — we treat that as a refusal of analytics and marketing cookies, without showing the banner. You don't need to do anything.

Your controls

• /privacy/preferences — change which categories you've agreed to, any time.
• Delete my consent record — clears your stored categories and writes a tombstone in our audit log so we have proof you were removed.
• To unsubscribe from email: every digest carries a one-click unsubscribe link. We also honour the one-click List-Unsubscribe header mailbox providers send.

Retention

Consent audit entries are kept indefinitely (the law requires proof of consent). They contain: visitor id, action, categories, country/region, timestamp. No IP, no user agent, no email.

Email subscriber records are kept until you unsubscribe. After unsubscribe, we keep the status record so we don't email you again if someone re-enters your address.