Privacy Policy
Last updated: 17 May 2026
The short version: HeaderLab doesn't track you, doesn't use cookies for analytics, doesn't share data with advertisers, and doesn't store the URLs you scan. The longer version is below.
What we collect
Aggregate site analytics. We use Cloudflare Web Analytics to count visits and see which pages are read. It's cookieless and doesn't fingerprint browsers; the data we see is aggregated and isn't tied to individual visitors.
Scan requests. When you use the Headers Checker, CSP Builder, or CSP Evaluator, the URL or policy you submit is processed to generate the result. We don't keep a log of submitted URLs or policies after the response is returned.
Email correspondence. If you email hello@headerlab.dev, we store and read that email in order to reply. Email is routed through Cloudflare Email Routing.
Standard server logs. Like any service running on the public internet, our hosting provider (Cloudflare) records basic request information — IP address, user agent, request path, timestamp — as part of normal operations and abuse prevention. We don't tie these logs to identities or use them for analytics.
What we don't collect
- Analytics cookies, behavioral cookies, or any cookies used for tracking
- Cross-site tracking signals or browser fingerprints
- Profiles, accounts, or any data tied to a user identity
- The URLs or policies you scan, after the scan completes
- Anything that gets shared with third-party advertisers
Third-party services
HeaderLab runs entirely on Cloudflare:
- Cloudflare Workers — hosting and request processing
- Cloudflare Web Analytics — cookieless visit counting
- Cloudflare Email Routing — forwards email sent to hello@headerlab.dev
That's the full list. No Google Analytics, no Facebook Pixel, no tag managers, no session recording, no marketing pixels.
Advertising & affiliate links
HeaderLab is free and open-source. To keep it sustainable without compromising the principles above, we make two commitments.
We do not and will not use behavioral or tracking-based advertising. That rules out Google AdSense and similar networks. If we add advertising in the future, it will be through privacy-respecting networks (for example, EthicalAds or Carbon Ads) that serve ads based on page content, not on the visitor — no cookies, no behavioral profiles, no cross-site tracking.
We may include affiliate or referral links to security tools and services we'd recommend regardless. These use standard referral parameters and add no tracking on our side. Where required by law, and where it's simply the honest thing to do, we'll disclose the affiliate relationship near the link.
Your rights
Under GDPR, KVKK, and similar privacy laws, you have rights including access, correction, deletion, restriction, and portability of personal data we hold about you. Because HeaderLab doesn't maintain accounts or store personal data tied to your identity, most of these rights apply only to email correspondence you've initiated.
To exercise any of these rights — including deletion of email correspondence — write to hello@headerlab.dev.
Changes to this policy
When we make meaningful changes, we'll update the "Last updated" date at the top. HeaderLab's source is public, and the revision history of this page lives in our repository — so every change to this policy is visible in version control.
Contact
Questions or concerns about this policy: hello@headerlab.dev.