TL;DR

Three Things to Know

Zero tracking storage

No cookies. No third-party trackers. No fingerprinting. localStorage is used only for user-requested feature state (jukebox playback), exempt under Art. 5(3)'s strictly-necessary carve-out.

GPC sent but not read

The browser sent Sec-GPC: 1 during the visit. The site doesn't read it. This is moot here (no tracking to suppress), but worth wiring up if tracking is ever added.

Six of six security headers 🛡

HSTS preload, comprehensive CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy (camera/mic/geolocation disabled).


>_ datagobes.dev
Consent Mechanism

Banner Blueprint

None — Art. 5(3) not triggered, Art. 6(1)(f) legitimate interest for server-side analytics
"No consent banner present. ePrivacy Art. 5(3) is only triggered when information is stored in the user's terminal equipment — and the site stores nothing (no cookies, no localStorage, no indexedDB). Server-side analytics (Vercel) hashes the IP with a daily salt and discards, operating under GDPR Art. 6(1)(f) legitimate interest rather than consent. CNIL and DSK both carve out first-party, non-cross-site analytics as not requiring consent under this model."
n/a
n/a
Accept standard Reject standard
ePrivacy Art. 5(3) limited to strictly-necessary state

No cookies. No fingerprinting. localStorage is used only for user-requested features (jukebox playback state), which falls under Art. 5(3)'s strictly-necessary carve-out — the same rule that lets sites remember dark-mode preferences or shopping-cart state without consent. Article 29 WP Opinion 04/2012 names this category explicitly as exempt.

Server-side analytics under Art. 6(1)(f)

Vercel Web Analytics processes the IP server-side, hashes it with a daily salt + User-Agent for unique-visitor counting, then discards the IP. Per CNIL guidance, first-party, non-cross-site, aggregated analytics operates lawfully under legitimate interest — consent is not the right basis.

GPC signal received but not parsed

Under Art. 6(1)(f), users retain the Art. 21 right to object. GPC is the implementable form of that objection. Reading the Sec-GPC: 1 header and conditionally skipping the analytics beacon is the action that closes the loop. Currently the signal arrives but isn't acted on.
Consent Variants

Ignore vs Accept vs Reject

Side-by-side comparison of what gets loaded depending on your consent choice.

Trackers: No Interaction 0, Accept All 0, Reject All 0
Cookies: No Interaction 0, Accept All 0, Reject All 0
3rd Parties: No Interaction 0, Accept All 0, Reject All 0
Data Transfers

Transfer Circuit

Where your data travels — each destination's jurisdiction and legal safeguards.

🌐 datagobes.dev
🌍 US
jmsrmcpfzkcwofggbvto.supabase.co
1 req
Adequate
DPF Certified
No Safeguards
Security Posture

Shield Rings

6/6
Strict-Transport-Security Active
Content-Security-Policy Active
X-Content-Type-Options Active
X-Frame-Options Active
Referrer-Policy Active
Permissions-Policy Active
6 / 6 headers active
Legal Compliance

Document Shelf

Privacy notice Found
Privacy-audit playbook Found
2 found
0 missing
Art. 13/14 Compliance

Privacy Policy Checklist

How well the privacy policy covers the 13 GDPR-required information items.

Controller identity
Processing purposes
Lawful basis
Retention period
Data subject rights
Right to lodge complaint
Coverage
83%
5 present
0 absent
1 vague
Risk Assessment

Privacy Risk Summary

Consent 9.5

No CMP present, no tracking to require consent. Browser GPC signal is sent but not parsed by the site (moot today).

Pre-Consent 10

Zero trackers, zero cookies, zero SDK loads, zero Consent Mode pings. localStorage is used only for user-initiated feature state (jukebox); strictly-necessary exemption applies.

Cross-Border 8.5

Single non-EU endpoint (Supabase US), restricted to the site's own project via CSP.

Security 10

All six core headers present with strong configuration (HSTS preload, comprehensive CSP, Permissions-Policy disabling camera/mic/geolocation).

Cookies 10

Zero cookies set, period — no expiry, alignment, or post-reject deletion concerns to evaluate.

Dark Patterns 10

No consent banner means no dark patterns to score.

Legal 8

Privacy notice present. Retention language is vague; specify maximum durations per processing purpose to strengthen Art. 13(2)(a) compliance.

Overall
9.5
Action Items

Recommendations

Read the GPC signal explicitly #1

Even with no current tracking to suppress, parsing Sec-GPC: 1 and signaling acknowledgement (e.g., setting an internal flag) future-proofs the site for any future addition of analytics or marketing tools.

Tighten privacy notice retention language #2

The privacy notice mentions retention but in general terms. Specifying maximum durations per processing purpose strengthens Art. 13(2)(a) compliance.

Privacy Audit #02

datagobes.dev

9.5
EXCELLENT

When privacy means doing less · 0 trackers · 0 cookies

This report presents technical observations from an automated external scan. It does not constitute legal advice or a formal compliance assessment. Findings should be interpreted in consultation with qualified legal counsel.

Methodology

How We Scanned

📡
Pre-Consent
Before interaction
Post-Consent
After accept
Scan configuration
Browser: Firefox (stealth mode)
Viewport: 1440×900
Locale: en-NL (EU)
Variants: ignore · accept · reject
Classification: Tracking fires → consent-mode pings → SDK loads

Privacy Audit #02 in the datagobes.dev series
