Skip to content
Legal

Privacy Policy

This policy covers innerwarden.com — what the marketing website collects when you visit and how it is handled. Last updated May 19, 2026.

Looking for how the Inner Warden agent itself handles attacker IPs, audit trails, and incident data on your server? That is a different document — Product Privacy & Data Protection.

The short version

  • We do not sell your personal data and do not share it with advertisers.
  • Analytics cookies (Google Analytics 4, Microsoft Clarity) only load after you explicitly opt in via the cookie banner — and you can revoke at any time.
  • When install.sh finishes installing Inner Warden, it pings our server with your release version, OS, and CPU architecture. Your IP address is hashed into a daily dedup bucket and never persisted in raw form.
  • Install-ping rows are automatically purged after 90 days.

What we collect

1. Standard request data

Like every website, our hosting provider (Vercel) records HTTP request metadata at the edge — timestamp, requested URL, response status, user agent, source IP, country (from the x-vercel-ip-country header). This is used to keep the site reliable and to investigate abuse. Vercel applies its own retention to platform-level access logs (typically days, not months) — see Vercel’s privacy policy for their commitment.

2. Install pings

When install.sh finishes installing the Inner Warden agent, it sends a GET request to /api/ping?v=<version>&os=<uname-s>&arch=<uname-m> so we can see which versions are being adopted on which platforms. The handler is in pages/api/ping.ts — you can read the exact code we run.

FieldHow we store it
vRelease version string, e.g. v0.14.0. Stored verbatim, max 64 chars, sanitised to ASCII.
osOutput of uname -s: Linux / Darwin. Stored verbatim.
archOutput of uname -m: x86_64, aarch64, arm64. Stored verbatim.
ipNever persisted in raw form. Fed into SHA-256(ip + ":" + YYYY-MM-DD + ":" + secret) to produce a daily dedup hash (installation_id) — repeat pings from the same host on the same UTC day collapse into one row; the next calendar day is a fresh bucket and we cannot link yesterday’s hash to today’s.
countryTwo-letter country code from Vercel’s x-vercel-ip-country header. No city, no ASN.

Result: we can graph install volume per version / OS / country / day, but the database row does not let us identify any individual installation by IP.

3. Analytics (with consent only)

If — and only if — you accept the “Analytics” category in the cookie banner, the site loads:

  • Google Analytics 4 — aggregated traffic statistics. Cookies: _ga, _ga_*, _gid.
  • Microsoft Clarity — heatmaps and anonymised session recordings. Cookies: _clck, _clsk, MUID, ANONCHK, SM, CLID.

A full cookie table with provider, purpose, and expiration lives on the Cookie Policy page. You can change your preferences any time from the Cookie Preferences link in the footer.

4. Contact and newsletter forms

We use a self-hosted Mautic instance at mautic.innerwarden.com for any newsletter / contact forms that may appear on the site. When you submit a form, your email and the message body are stored in Mautic so we can reply. No third-party email vendor receives that data. If you want your record removed, email contact@innerwarden.com with the address you submitted.

Who processes the data

  • Vercel Inc. — site hosting and edge logs. EU and US regions. DPA available on request.
  • Google LLC — Google Analytics 4 (consent-gated only).
  • Microsoft Corporation — Clarity heatmaps (consent-gated only).
  • Inner Warden (project) — self-hosted Mautic instance for contact forms, only when you submit one.

Retention

  • Install pings — 90 days, then automatically deleted by a daily cron (/api/cron/purge-events). Raw IP is never stored in the first place; only the daily hash + country + version + OS + arch.
  • Analytics cookies — retention is set by the provider (see the Cookie Policy for per-cookie duration). You can clear them at any time via the cookie preferences modal.
  • Mautic contact records — kept until you ask us to delete them.
  • Vercel access logs — managed by Vercel under their own retention policy.

Your rights

Under GDPR, UK GDPR, LGPD, and CCPA you have the right to access, correct, delete, port, or object to the processing of your personal data. Because install pings are pseudonymised (hashed per day with no raw IP retained) we cannot tie them back to you even on request — but for any data we can identify you with (contact / newsletter records, recorded sessions, etc.) we will act on a request within 30 days.

To exercise a right, email contact@innerwarden.com with:

  • The right you want to exercise.
  • Enough context to identify your record (the email you used, the approximate date of visit, etc.).

You can also lodge a complaint with your local data protection authority if you believe we are not meeting our obligations.

Contact

For any privacy question or data subject request, email contact@innerwarden.com. We aim to respond within 30 days; security vulnerabilities have their own faster SLA — see Vulnerability Disclosure Policy.

We will update this page when the site’s data handling changes materially. The git history of this file is the authoritative changelog.

Last updated: May 19, 2026.