BLANCO
Privacy and data handling
Privacy Policy
Last updated: July 10, 2026
Who Operates This Site
blancodagoat.dev is operated by an individual using the public handle Blanco / blancodagoat. The operator is based in Hungary. There is no company behind the site. A home address and full legal name are not published on this public page for personal safety. Privacy and legal requests can be sent to [email protected]. If identity verification or legally required private details are necessary for a valid request, they can be handled through an appropriate private channel.
Short Version
The public tools are designed to work without accounts and without advertising. Most Chatlog Magician work stays in your browser. Data leaves your device only when you choose a feature that sends it, such as cloud sync, font backup, preset sharing, suggestions, ImgBB upload, supporter activation, BlancoKit server-proxied Discord lookups, or external donation links.
Data Stored In Your Browser
Chatlog Magician uses localStorage, sessionStorage, and IndexedDB for preferences and
project convenience features. This can include chat display settings, character names,
recent chatlog history, autosaved projects, finished export images in the Stack panel,
custom font files, cloud bucket IDs, ImgBB API keys, supporter tokens, disclosure
flags, tutorial/help state, and temporary UI state. BlancoKit stores a random browser
client ID in localStorage (bk_client_id) so daily server-proxied lookup
limits can follow your browser across IP changes. This information is stored by your
browser on your device unless you explicitly use an upload, sync, backup, or share
feature.
Optional Cloud Sync And Font Backup
If you use cloud project sync or cloud font backup, the browser encrypts the project or font backup with the passphrase you enter before upload. The passphrase is not saved by the site and is not sent to the server. The server stores the encrypted blob, generated bucket/object IDs, upload/list/delete requests, quota counters, and any supporter token header used to unlock higher limits. Cloud blobs are stored on the VPS filesystem under the Chatlog Cloud service.
Preset Gallery
If you submit a community preset, the site sends the preset name, optional description, cleaned tool settings, generated preview image, and submission timestamp to the preset API. "Cleaned tool settings" means the site tries to keep only the preset options needed to recreate the look. Current code approves submissions directly into the public gallery. Presets are meant to contain tool settings, not private chat text, character names, background images, or overlay files.
Suggestions And Contact
The in-app suggestion form sends your summary, description, priority, and optional Discord username to the site API. The API forwards that content to a Discord webhook so I can read and triage it. If you contact me by email, Discord, GitHub, or another external channel, that service handles your message under its own privacy policy.
Supporter Perks And Payments
Payments are handled by third-party providers such as Ko-fi, PayPal, and Buy Me a Coffee. This site does not process or store card numbers. For Chatlog Magician Ko-fi supporter perks, Ko-fi can send a webhook to this site. The site stores the Ko-fi transaction ID, generated supporter token, expiry time, payer display name supplied by Ko-fi, optional public wall display name, and activation settings. If you opt into the supporter wall, the chosen display name is shown publicly. BlancoKit tips through Buy Me a Coffee are handled by that provider; they do not currently share Chatlog Magician supporter tokens or cloud quotas.
ImgBB Uploads
If you add an ImgBB API key and upload Stack images, the key is stored only in your browser. The selected image is sent from your browser directly to ImgBB, not through this site's server. Uploaded images are public to anyone with the returned link. Delete URLs are saved locally so you can remove uploads through ImgBB later.
BlancoKit Sign-In And Supporter Billing
BlancoKit (/discord/) offers optional sign-in with Discord OAuth using the
identify scope only. That returns your Discord user ID, username, display
name, and avatar hash so the site can show who is signed in and attach daily lookup
credits to your account instead of only your browser or IP address. Discord handles
authentication; this site does not receive your Discord password. After sign-in, the
server stores a random session token in Redis and sets an HttpOnly first-party cookie
(bk_session) in your browser.
Optional BlancoKit Supporter upgrades are processed by Stripe Checkout. Stripe handles card data; this site stores your Discord user ID, Stripe customer/subscription IDs, and supporter tier/expiry metadata needed to raise lookup limits. Payment status updates arrive through signed Stripe webhooks. BlancoKit supporter billing is separate from Chatlog Magician Ko-fi perks.
When you are signed in, BlancoKit may store a short lookup history (tool name, ID you
looked up, optional label, timestamp) and optional pinned favorites in Redis for up to
30 days to power the account dashboard. Pro subscribers may create API keys
(bk_…); key hashes and metadata are stored server-side. API keys use the
same daily credit pool as the web UI. You can revoke keys from the account page.
BlancoKit And Discord Tools
BlancoKit (/discord/) is a separate browser toolkit with utilities such
as user lookup, invite resolution, webhook checks, presence lookup, embed
builders, and other Discord-related helpers. Most BlancoKit tools run entirely in your
browser. A smaller set of features call this site's API so a server-side Discord bot
token or third-party presence service can fetch public data on your behalf.
When you use a server-proxied BlancoKit lookup (such as user, invite, webhook,
or presence), the browser sends the identifier you entered plus a first-party client
ID header (X-BK-Client-Id) derived from the
bk_client_id value stored in your browser when you are not signed in. If
you are signed in with Discord, lookup credits are tracked against your Discord user ID
instead. The server uses that identity and your IP address to enforce daily lookup
credit limits and abuse prevention. Credit counters are stored in Redis with a short
automatic expiry. Limits reset at midnight UTC. Failed validation does not spend a
credit; successful or attempted proxied lookups may spend one credit even if Discord
or a third-party API returns an error.
For user lookups, the server uses a Discord bot token to request public profile data from Discord and returns items such as usernames, display names, avatar or banner URLs, badges, account age, public flags, accent or banner colors, and other public fields exposed by Discord. Presence lookup may call the third-party Lanyard API with the user ID you enter. Webhook checks send the webhook URL you enter to Discord for a read-only validation request.
BlancoKit also has a small analytics endpoint that records events such as page views, tool actions, user lookups, and support clicks with path, referrer host, language, viewport, timestamp, and limited event details. That event log is used to understand tool usage and protect infrastructure, not to create user accounts.
Analytics, Logs, And Security
The site uses Cloudflare and a Hetzner VPS. The live VPS is hosted in Hetzner's
Nuremberg, Germany region. These providers and the nginx/Express servers can receive
ordinary request data such as IP address, user agent, requested URL, referrer,
timestamps, and error/security events. BlancoKit lookup credit counters (client ID,
IP address, usage count, and day bucket) are stored in Redis for abuse prevention.
If Cloudflare Web Analytics is enabled at the edge, it can collect privacy-preserving traffic metrics.
Google Analytics 4 (G-WPNCDS433D) may collect page views and usage metrics on
production pages via cookies set by Google. Local scripts also keep aggregate Cloudflare and search-performance CSV snapshots for site operations.
Server-side nginx logs, systemd service logs, and local Chatlog Cloud backups are
retained for 14 days unless a longer retention period is required for security, abuse
investigation, payment verification, or legal obligations.
Cookies
The public tools do not use advertising cookies. On production pages, a cookie banner
lets you accept or reject optional analytics cookies (Google Analytics). Your choice is
stored in localStorage as bk_analytics_consent (
granted or denied). Google Analytics loads only if you accept.
Browser ad blockers may still block third-party analytics scripts even after you accept;
first-party server logs and optional Cloudflare Web Analytics are separate.
BlancoKit sign-in uses an HttpOnly bk_session cookie when you log in with
Discord. The only other first-party cookie in the code is an admin-only
cm_gallery_admin
session cookie for the private preset gallery admin page. It is HttpOnly,
SameSite=Lax, Secure in production, and expires after 30 days. Third-party sites you
visit from links may set their own cookies.
Third-Party Services
This project can interact with these services, depending on which pages or features you use:
- Cloudflare for DNS, edge security, possible Web Analytics, and legacy deployment pieces; Cloudflare may process data internationally.
- Google Analytics (Google LLC) for site traffic measurement on production pages; Google may process data internationally.
- Hetzner Online GmbH for VPS hosting of the static site and API services; the live VPS is in Hetzner's Nuremberg, Germany region.
- Discord for suggestion webhooks, release webhooks, Discord profile lookup, and webhook validation.
-
Lanyard (
api.lanyard.rest) for optional BlancoKit presence lookup when a user has opted into that third-party service. - Ko-fi, PayPal, Buy Me a Coffee, and Stripe for donations and BlancoKit Supporter billing.
- ImgBB for optional user-triggered image uploads.
- Google Fonts, cdnjs, jsDelivr, and code.jquery.com for fonts and JavaScript libraries on some pages.
- GitHub, mail clients, and social/contact links when you choose to open them.
Affiliate And Sponsored Links
Some pages may contain affiliate or sponsored links, such as hosting links on project pages. If you sign up through those links, I may earn a commission at no additional cost to you. Those destination services handle their own tracking and payment data.
Why Data Is Used
Data is used to provide the tools you request, remember local preferences, sync encrypted backups when you ask for them, publish submitted presets, process suggestions, activate supporter perks, enforce BlancoKit lookup credits and other quotas, secure the service, measure aggregate traffic, and respond to contact or legal requests.
Legal Basis For EU/UK Visitors
Where EU or UK data protection law applies, the usual legal bases are your consent for optional submissions/uploads and public supporter wall names, performance of a requested service for cloud sync, supporter perks, and contact replies, legitimate interests for security, abuse prevention, debugging, and aggregate analytics, and legal obligations for valid legal or payment-related records.
Other Visitors
The request rights described in "Your Rights" are handled as a general practice for all visitors, not only EU/UK visitors, when the request can be reasonably verified and matched to data this site actually holds.
For California visitors, the CCPA/CPRA generally applies to for-profit businesses doing business in California that meet thresholds such as over $26,625,000 in annual gross revenue (the inflation-adjusted 2026 threshold, up from the original $25 million figure in the statute), buying, selling, or sharing the personal information of 100,000 or more California residents or households, or deriving 50% or more of annual revenue from selling or sharing California residents' personal information. Based on the current solo, free, no-account, ad-free setup, and no sale of personal data or sharing for targeted advertising, this site appears below those thresholds; the practical request rights above are still honored where possible.
Visitors from Turkey, Indonesia, Hong Kong, and other jurisdictions have their own data protection laws, including KVKK, Indonesia's UU PDP, and Hong Kong's PDPO. Instead of a country-by-country legal breakdown, this site aims to honor the same privacy principles for everyone: no ad tracking, no data sales, minimal collection, reasonable security, and access, correction, or deletion requests handled on request.
Retention And Deletion
Browser-stored data remains until you clear it in your browser or use the tool's delete controls. Cloud projects can be deleted from the cloud sync UI. Font backups can be overwritten by making a new backup. Presets and supporter wall names require a manual request for removal. Ko-fi supporter records are used for the 30-day perk period and may be kept longer where needed for payment verification, abuse prevention, or accounting. BlancoKit lookup credit counters in Redis expire automatically after a short retention window (about 48 hours). Nginx logs, systemd service logs, and local Chatlog Cloud backup archives are retained for 14 days, except where a longer period is needed for security, abuse investigation, payment verification, or legal obligations.
Your Rights
You can request access, correction, deletion, restriction, objection, or portability for personal data connected to you. Send requests to [email protected] and include enough detail to identify the data, such as a cloud bucket/project ID, preset name, supporter token, Ko-fi transaction ID, BlancoKit browser client ID, suggestion details, or public wall display name. I may need to verify that you control the relevant identifier before making changes.
You also have the right to lodge a complaint with a data protection supervisory authority. In Hungary, this is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH). Current NAIH contact details include email [email protected], postal address 1363 Budapest, Pf. 9., office address 1055 Budapest, Falk Miksa utca 9-11, and phone +36 (1) 391 1400. If you live elsewhere in the EU or UK, you can also contact your local supervisory authority.
International Transfers
The operator is based in Hungary, the live VPS is hosted by Hetzner in Germany, and Cloudflare and other third-party providers may process data internationally.
- Cloudflare states that, for EEA/UK transfers to the United States, it relies on its EU-U.S. Data Privacy Framework certification and uses Standard Contractual Clauses if that certification lapses or for other international transfers.
- Discord states that it uses the European Commission's Standard Contractual Clauses, adequacy decisions where available, and the EU-U.S. Data Privacy Framework for its U.S. entities.
- GitHub states that it generally relies on the European Commission's Standard Contractual Clauses and also participates in the EU-U.S. Data Privacy Framework.
- Google states that it relies on adequacy decisions, the EU-U.S. Data Privacy Framework, and Standard Contractual Clauses where required.
- PayPal states that EEA transfers within PayPal use approved Binding Corporate Rules and that other non-EEA transfers use adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, or a lawful derogation.
- Ko-fi states that transfers outside the EEA/UK use appropriate safeguards, such as UK or European Commission Standard Contractual Clauses where appropriate.
- Buy Me a Coffee publishes international-transfer language, but I could not confirm a specific SCC, adequacy, or Data Privacy Framework mechanism from its current public page.
- I could not confirm a specific international-transfer mechanism from ImgBB's current public privacy page during this update.
Security
The site uses HTTPS, security headers, origin checks, body-size limits, rate limits or quota counters on sensitive endpoints, local-only backend binding behind nginx, and passphrase-based browser-side encryption for cloud project/font backups. No website can promise perfect security, so avoid submitting secrets or private chat content unless you are intentionally using an encrypted backup feature and understand what you are sending. If a data breach creates a risk to affected users' rights or safety, I will investigate and notify affected users or the appropriate authority without undue delay where required.
Children
The site is not directed at children and does not knowingly collect children's personal data. If you believe a child submitted personal data, contact me and I will review it.
No Newsletters Or Advertising
The site does not operate a newsletter, account-based marketing list, advertising network, advertising pixel, behavioral ad profile, Google Analytics property, Google Tag Manager container, Meta Pixel, TikTok Pixel, Hotjar, Microsoft Clarity, or LogRocket integration. The site currently runs ad-free.
Changes To This Policy
This policy may be updated when features, providers, or hosting arrangements change. The "Last updated" date at the top shows when the page was last revised.
Contact
For privacy requests, email [email protected]. You can also reach the project owner via GitHub.
Back to home