Privacy Policy

Privacy Policy – TheDeLay.com

Effective: February 15, 2026 — Last updated: February 15, 2026 (v2: fonts self-hosted)

TL;DR

  • Analytics — Self-hosted Umami. No cookies. No Google Analytics. Your data stays on my server.
  • Cookies — WordPress defaults only (login sessions, comment preferences). No tracking cookies.
  • Third parties that see your IP — Cloudflare (CDN/security). That’s it.
  • Fonts — Self-hosted. No Google Fonts CDN. Google doesn’t see your visits.
  • Ads / data brokers / “partner networks” — None. Zero. Never.

Who Runs This Site

TheDeLay.com is a personal blog operated by John DeLay — homelab enthusiast, InfoSec professional, and the person writing these articles. This is a personal site, not a business entity. There’s no marketing team, no analytics department, and no one else looking at your data.

Site: https://thedelay.com
Contact: [email protected]


What Data We Collect

Every Pageview (Analytics)

I use Umami for analytics — it’s self-hosted on my own infrastructure and designed to be privacy-friendly from the ground up.

What Umami records:

  • Page URL visited
  • Referrer (where you came from)
  • Browser type and screen size
  • Country (derived from IP — but the IP itself is not stored)
  • Session duration

What Umami does NOT do:

  • Store your IP address
  • Set cookies or use local storage for tracking
  • Track you across sessions or websites
  • Fingerprint your browser
  • Send data to any third party

Server Logs (Standard Apache)

Like every web server, Apache generates access logs containing your IP address, the URL requested, timestamp, browser user agent, and HTTP status code. These exist for troubleshooting and security monitoring. They are not mined for marketing insights. Standard log rotation applies (~30 days).

Comments

If you leave a comment on a post, WordPress collects:

  • Name (required)
  • Email address (required)
  • Website URL (optional)
  • Comment text
  • IP address and browser user agent (for spam detection)

If you opt in, WordPress saves your name, email, and website URL in browser cookies so you don’t have to re-enter them next time. These are opt-in only and last one year.

Gravatar: WordPress may send a hash (MD5) of your email address to the Gravatar service to retrieve your profile picture. This is standard WordPress behavior.

What We Don’t Collect

To be explicit about what’s not happening here:

  • Email newsletter signups
  • Membership or login accounts (public-facing)
  • Purchase or payment data
  • Location tracking beyond country-level analytics
  • Social media login integrations
  • Advertising cookies or tracking pixels
  • A/B testing or behavioral experiments

Cookies

This site uses minimal cookies. Here’s the complete list:

Full Cookie Table
Cookie | Set By | Purpose | Duration
wordpress_logged_in_* | WordPress | Admin login session | Session / 2 weeks
wordpress_sec_* | WordPress | Admin login security | Session
wp-settings-* | WordPress | Admin display preferences | 1 year
comment_author_* | WordPress | Remember commenter name | 1 year (opt-in)
comment_author_email_* | WordPress | Remember commenter email | 1 year (opt-in)
comment_author_url_* | WordPress | Remember commenter URL | 1 year (opt-in)
__cfruid / __cf_bm | Cloudflare | Bot detection / rate limiting | Session

No tracking cookies. No advertising cookies. No analytics cookies.

Umami achieves session awareness through a hash-based method that cannot identify individual users and requires zero cookies or local storage.


Third-Party Services

These services process some of your data as part of delivering this site. Here’s exactly what each one sees and why it’s there.

Cloudflare — CDN & Security

What they see: All traffic to TheDeLay.com routes through Cloudflare. They see your IP address, request headers, and page requests.

Why: DDoS protection, SSL/TLS termination, caching for performance.

Policy: cloudflare.com/privacypolicy

My take: Standard trade-off. Cloudflare is the CDN/security layer for millions of sites. They act as a proxy, not a tracker. I chose them for security and performance, and I’d rather have their protection than not.

Google Fonts — Eliminated

Status: Self-hosted. No external requests.

This site uses JetBrains Mono for its terminal aesthetic. Many sites load this from Google’s font CDN, which means Google sees your IP address on every pageview. We didn’t like that.

As of February 2026, all font files are self-hosted on this server. No DNS lookup to Google, no font CSS fetch, no woff2 download from fonts.gstatic.com. Your browser talks to TheDeLay.com and nobody else.

My take: If you run a website and care about your visitors’ privacy, self-host your fonts. It took 15 minutes and eliminated Google from every single pageview. There’s no reason not to.

Google Workspace — Email Only

What they see: If WordPress sends you an email (comment reply notification, password reset), that email transits through Google’s SMTP servers.

Why: Email delivery via Google Workspace (the thedelay.com domain).

Applies when: You leave a comment with notifications enabled, or you request a password reset. That’s it.

Wordfence — Security Plugin

What it does: Scans for malware, blocks brute-force attacks, maintains a web application firewall. May send anonymized threat data to Wordfence’s threat intelligence network.

What it does NOT do: Track your browsing, set cookies, or collect personal data for marketing.

Policy: wordfence.com/privacy-policy

Gravatar — Comment Avatars

What they see: An MD5 hash of your email address, if you leave a comment.

Why: Displays profile pictures next to comments (WordPress default).

Policy: automattic.com/privacy


Embedded Content

Articles may occasionally include embedded content from other sites (YouTube videos, GitHub gists, etc.). Embedded content behaves as if you visited that site directly — they may collect data, use cookies, and track your interaction.

I minimize embeds where possible. When I can, I use screenshots or direct links instead.


Data Retention

Data Type | Retention | Notes
Analytics (Umami) | Indefinite | Aggregated, non-identifying
Server logs | ~30 days | Standard log rotation
Comments | Indefinite | Until you request deletion
Comment cookies | 1 year | Opt-in only
Admin session cookies | Session / 2 weeks | Removed on logout

Your Rights

Regardless of where you live, here’s what you can do:

  • Access — Request a copy of any personal data I hold about you
  • Correction — Ask me to fix inaccurate data
  • Deletion — Ask me to delete your comments or any associated data
  • Object — Ask me to stop processing your data in a specific way

EU/EEA residents (GDPR): You have additional rights including data portability and the right to lodge a complaint with your local supervisory authority.

California residents (CCPA): I do not sell personal information. There is nothing to opt out of.

To exercise any right: Email [email protected]. I’ll respond within 30 days. No forms, no runaround.


Children’s Privacy

This site is not directed at children under 13. I don’t knowingly collect data from minors. If you believe a child has submitted personal data through a comment, contact me and I’ll remove it.


Security

TheDeLay.com uses HTTPS everywhere (enforced via Cloudflare), runs a hardened WordPress installation (custom database prefix, disabled file editing, Wordfence firewall), and is hosted on Google Cloud Platform with standard security practices.

No system is 100% secure. I’m an InfoSec professional and I take this seriously, but I’m also honest about reality.


Changes to This Policy

If I make significant changes, I’ll update the date at the top of this page. For a personal blog with minimal data collection, changes should be rare.


Contact

Questions about this policy? Something unclear?

Email: [email protected]
Site: https://thedelay.com