Plain language
Privacy
A short, plain-language explanation of what this site does and doesn't do with information about you. No legalese where I can avoid it.
What this site collects
Browsing Deep Sky Creations anonymously is possible and unchanged from how it always was: no analytics-by-default, no tracking pixel, no third-party advertising, no behaviour profiling. The pages you read without signing in do not contact any server I run.
If you choose to sign up for an account (the small "Sign up" button in the header), then the following is stored on a Postgres database I run, in support of the account:
- Account record. Your username, email address, and an Argon2id hash of your password (the password itself is never stored or transmitted in plain text after submission).
- Email verification. A short-lived 6-digit code tied to your account so we can confirm the email address is really yours. Stored hashed; expires after 15 minutes.
- Session. A server-side record that says "this browser is signed in as you," referenced by an opaque token in an HTTP-only cookie called dsc_session. Sliding 30-day expiry. The cookie is set only after successful email verification.
- Settings. Theme, locale, observing locations, notification preferences, marketing-email opt-in. Synced to the server only for signed-in users; anonymous visitors keep using local storage.
- Audit trail. Account creation, email verification, login, and logout events are recorded with your IP address and user agent so I can investigate abuse.
And — as before — anything you set on /settings while signed OUT lives only in your browser's localStorage:
- Observing location. Your saved coordinates and label, used to compute when objects rise from where you are. Clearable from /settings at any time.
- Cookie / consent preference. Once the cookie consent banner is active (currently dormant — see below), your choice is stored in localStorage so you aren't asked again.
What this site does NOT collect
- No name, email, or contact information from anonymous visitors. Account holders' email is collected only because the account requires it.
- No analytics, page-view tracking, or behaviour profiling.
- No advertising identifiers.
- No social-media tracking pixels or share-button beacons.
- No fingerprinting.
- No marketing email unless you explicitly opt in during signup. The default is OFF.
Cookies and storage
Anonymous browsing sets no HTTP cookies. The only cookie this site ever sets is dsc_session, written when you complete signup + email verification. It carries an opaque random token (no personal data inside it), is HTTP-only and Secure, has SameSite=Lax to mitigate CSRF, and expires 30 days after your last activity.
Browser storage (the localStorage values described above) is used for preferences you set yourself.
Once the planned store launches, payment and cart functionality will require additional storage from Shopify and (potentially) Printful. At that point a consent banner will activate and you will be asked before any commerce-related cookies are set.
Third-party services
The site connects to a small number of outside services. Each is listed below with what it's used for and whether it sees any information about you.
- OpenStreetMap Nominatim. Used by /settings to turn your latitude/longitude into a city name. Your coordinates are sent to nominatim.openstreetmap.org for this lookup. No identifying information goes with them. Falls back silently if the service is unreachable.
- NASA APOD. The site's daily APOD feature is rebuilt server-side from api.nasa.gov each morning. Your browser never connects to NASA on your behalf — the imagery is served from this site's own CDN.
- Shopify v1.1. When the store launches, product browsing and checkout will use Shopify's hosted commerce platform. Shopify will set its own commerce cookies; you will be asked before they are loaded.
- Printful v1.1. Print fulfilment partner; only sees order details after a purchase is made. Will not be active until the store launches.
Your rights
For anonymous browsing, the data you can control all lives in your own browser:
- Clear /settings to remove your saved observing location.
- When the cookie consent system is active, this page will offer a button to revoke any choices you've made.
- Use your browser's "clear site data" tools to remove everything Deep Sky Creations has stored locally.
For account holders, you also have:
- Access. Email me from the address on file and I will export everything we hold about your account in a machine-readable format.
- Correction. The account page (when it ships) will let you edit your email, username, and settings directly. Until then, email me.
- Deletion. Email me to delete your account. Hard deletion removes the account row, sessions, settings, observing locations, reactions, and saves; forum posts you authored stay with their author column set to NULL so the conversation history isn't shredded for everyone else.
If the store launches and you make a purchase, that order's data is held by Shopify under their privacy policy. They have their own deletion/access tools.
Contact
Privacy questions can go to Mike at Mike@DeepSkyCreations.com. I read everything I'm sent.