Privacy
What this site collects, what it does not, and how to remove your data.
This site is a personal practitioner's log. It is not a SaaS product, not a tracker, and not a data broker. Most pages set no cookies and load no third-party analytics. This page documents the few exceptions, in plain language, so a procurement officer or a curious reader can verify the claim.
Last updated: 25 April 2026.
Who runs this site
Ibrahim Anwar, operating from Bogor, West Java, Indonesia. Editorial publisher: PT Hibrkraft Kreasi Indonesia. Contact for any privacy question: hi@hibranwar.com.
What this site does not do
- No Google Analytics, Meta Pixel, or any third-party tracker.
- No advertising scripts. No remarketing.
- No cookies for tracking, profiling, or fingerprinting.
- No selling, renting, or sharing of personal data with anyone.
- No mailing list. There is nothing to subscribe to. Nothing is sent to your inbox unless you email me first.
What is logged when you visit
The site keeps a small private dashboard so I can see what is happening on my own infrastructure. The data is minimised on purpose.
| What | Why | How long |
|---|---|---|
| Daily-salted IP hash (not your raw IP) | Counting unique visits per day without being able to identify you across days. | Aggregated, kept indefinitely. The salt rotates daily, so the hash cannot be reversed or correlated with other days. |
| Page path, referrer, user agent | Knowing which pages are read and which are broken. | Server access logs, rotated by the hosting provider. |
| 404 errors | Finding broken links and fixing them. | Same as above. |
| Rate limit counter (raw IP, 60-second window) | Blocking abusive scrapers. The counter resets every 60 seconds. | 60 seconds. |
| Bot probe log (IP, user agent, path) | If a request triggers a hidden honeypot or hits an obvious attack path (/wp-admin/, /.env, etc.), it gets logged for security analysis. |
Security log. Aggregated bot data is also published at pulse/bots.php (no IPs in the public feed). |
The dashboard at /pulse/ is password-gated, noindex, and only I can read it. The underlying SQLite databases sit in a directory that is blocked from the public web.
What happens if you fill the contact form
The form on the contact page is processed by Formspree, a third-party form handler. Your submission is delivered to my inbox and stored on Formspree's servers under their privacy policy. The fields collected are: name, email, company, subject, and message.
I keep messages relevant to active business in my mail archive. If you want a message and any associated record deleted, email hi@hibranwar.com and ask. I will confirm the deletion.
Embedded resources from third parties
A handful of pages load assets from third-party CDNs. These third parties can see your IP address in the standard HTTP request, the same way they would on any site that uses them.
- Google Fonts — the Inter typeface is served by
fonts.googleapis.comandfonts.gstatic.com. Used on every page. - jsDelivr — Chart.js and Mermaid are loaded on course pages that need diagrams or charts. Not loaded on essays, notes, or static pages.
- Creative Commons icons — the CC BY 4.0 badge in the footer is served from
mirrors.creativecommons.org. - Formspree — only invoked when you submit the contact form.
None of these embed tracking pixels on this site. They are infrastructure for typography, charts, and forms.
Cookies
None are set on regular pages of hibranwar.com. The /pulse/ dashboard sets a session cookie when I log in to read my own analytics. That cookie is not set for public visitors.
Children
This site is not directed at children under 13. I do not knowingly collect data from children. If a parent or guardian believes I have, email me and I will remove it.
Your rights
Under Indonesia's Personal Data Protection Law (UU No. 27/2022), and broadly equivalent rights under GDPR if you visit from the EU or EEA, you can:
- Ask what data I hold that relates to you.
- Ask for it to be corrected.
- Ask for it to be deleted.
- Object to its processing.
- Withdraw consent at any time, where consent was the basis.
The honest scope: outside contact-form messages and Formspree records, I do not hold data that can identify you as a person. The visit dashboard is salted hashes, not identities. There is usually nothing to delete because there is nothing personal stored.
To exercise any right, email hi@hibranwar.com from the address you used to contact me. I respond within 7 working days.
Security
The site runs on shared LiteSpeed hosting at Rumahweb (Indonesia), behind HTTPS, with Content Security Policy headers, rate limiting, and a bot honeypot. Admin paths are blocked from public access. No system is perfectly secure, but the surface here is small on purpose: a static site with a SQLite read index and a single Formspree integration.
Data location
Server in Indonesia. If you contact me by form, your message also lives briefly on Formspree's infrastructure (United States). If you visit from outside Indonesia, your visit data is processed in Indonesia.
Changes to this page
If the stack changes — for example, if I add a different form handler or remove Google Fonts — this page is updated and the date at the top is bumped. The change history is visible in the site's build log.
If a clause here is unclear, or if you want a written confirmation of what is stored about a specific submission, email hi@hibranwar.com. I read every message.