← Home

~5 min read

Privacy

This page explains how the community pulse feature (the little agree, disagree, and alert buttons next to each heading) handles your data. The short version: your marks and notes never leave your browser. There is no account, no login, and nothing about your reading habits is stored anywhere except your own device.

What lives in your browser

When you click a stance button or write a note on any section, the mark and the note are saved in your browser's local storage (specifically, IndexedDB). They are associated with the section ID. That is the full extent of what is persisted.

Your marks and notes are not synced to any server, not backed up, not shared, and not visible to anyone but you. If you open the same page on a different device, you will see no marks there, because each browser is its own separate store.

What lives on the server

The only information the site's server sees about community pulse activity is a single directionless reaction counter per section. When you click any stance button, the site increments the reactions number for that section by one. The server does not know which button you clicked (agree, disagree, or alert), does not know anything about you, and does not associate the increment with any identity.

To keep casual inflation of the counter tidy, the server applies a per-IP rate limit of 5 increments per section per hour. IP addresses are hashed with a deployment salt before storage and old rate-limit rows are cleaned up when the next write comes in.

What clearing your browser does

Clearing browser data (cookies, site data, or IndexedDB specifically) erases your community pulse marks and notes. There is no server backup. This is by design: the server never received the data, so there is nothing to restore from. If you want to keep a record of your marks, use a future settings page (coming soon) to export them as a file.

What the site does not collect

The community pulse feature does not collect your name, email, address, phone number, device identifier, user agent, cookies beyond what your browser sends automatically, or any other information about you as a person. There is no login, no account, no profile. The only identifier tying any activity to anyone is the IP rate-limit bucket, which is hashed and ephemeral.

What is on the rest of the site

The rest of the Marblehead Budget Data site uses Cloudflare Web Analytics for basic, privacy-friendly traffic measurement. Cloudflare Web Analytics does not use cookies, does not track individual users across sites, and does not collect personal data. It records aggregate page views and referrer information only.

The site also uses PostHog to track anonymous usage events: which table-of-contents links visitors click, whether the tax calculator is used (yes or no, not the values entered), and how far down a page visitors scroll. PostHog does not collect names, emails, or device identifiers. No personal profiles are created. The data helps the author understand which sections are actually being read so the site can improve over time.

Facebook sign-in

Marbleheaddata.org offers Facebook as an optional way to sign in and claim your address as a verified resident. When you sign in with Facebook we receive:

We do not receive your friends list, posts, photos, or email at this time. Your Facebook access token is used only to fetch the data above and is then discarded. We never store it. You can sign out at any time from your profile page, which clears your session and stops the site from showing you as signed in.

Your claimed address is visible only to you on your own profile page. It is never shown to other users, never published, and never returned by any public endpoint.

Deleting your data

You can delete the data tied to your verified identity at any time:

If you want a full hard-delete of your row in the database (rather than the soft-delete flag), or if you have lost access to your account and cannot reach the profile page, open an issue at our GitHub issues page and we will remove it manually.

Engagement rows (which ideas you have backed or repped) are left in place after a release. They become unattributable because the resident row they pointed to is revoked, but the count remains. If you want those removed as well, mention that in the GitHub issue.

How long we keep your data

Verified-resident rows are kept for as long as the claim is active. After a release, the row is soft-deleted and retained for audit purposes only; it is not used for any public surface.

Children's privacy

This site is intended for residents 18 or older. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has signed in or claimed an address, please contact us via the GitHub issues page above and we will remove the record.

Questions

If something on this page is unclear or you want to verify any claim above, the full source code for the community pulse feature (front-end widget and server-side Worker) is published at github.com/agbaber/marblehead under the community-pulse/ and assets/community-pulse/ directories. You can read the code and confirm these claims for yourself.

Last updated: June 15, 2026.