Privacy Policy - Cloud Security Office Hours (CSOH)

The 30-second version

0 Cookies set on csoh.org

0 Marketing or cross-site trackers

0 Times your data has been sold or shared

No cookies, ever

The site is static HTML, CSS, and JS. Your dark-mode preference lives in your browser, not on our server.

Privacy-first analytics

Aggregate page views via GoatCounter, a privacy-friendly tool: cookieless, no cross-site tracking, no fingerprinting, no session replay, and your IP is never stored. No Google Analytics, no ad tech.

Never sold or shared

We don't sell, rent, or trade the mailing list. The only personal data we hold is your email address.

Outbound links scrubbed

External URLs are stripped of utm_*, fbclid, gclid, and similar tracking parameters before publication.

Who we are

Cloud Security Office Hours (CSOH) is a free, volunteer-run, vendor-neutral cloud-security community. We are not a company. We have no products and we do not sell anything. The website at csoh.org is community-maintained on GitHub.

Cookies and tracking

We do not set any cookies on csoh.org. The site is static HTML, CSS, and JavaScript served from our host. The one measurement we run is GoatCounter, a privacy-friendly, cookieless page-view counter (full details in the next section): it sets no cookies, never stores your IP, and cannot track you across other sites. Beyond that there is no Google Analytics, no advertising or social pixels, no fingerprinting, and no session-replay tools.

Your browser stores one thing in local storage if you use it: your dark-mode preference, so the site remembers it next visit. That value lives only in your browser and is never sent to us.

What we collect, and why

Six places data touches us. Here's the full picture:

1. Mailing list

The only personal data we collect. Sign up at csoh.kit.com with your email (first name optional). We use it exclusively to send the weekly Friday Zoom link, calendar info, and rare community announcements (<1 per month).

The weekly issue may include a clearly-labeled sponsored link from a community-aligned partner. No separate promotional emails, no partner mailings, no targeting. Unsubscribe in any message removes you immediately.

Hosted by Kit (formerly ConvertKit) - their privacy policy. Not exported anywhere else.

2. Email correspondence

If you email admin@csoh.org or another organizer, we keep that thread for as long as is reasonable to follow up. We don't add you to anything else based on that email.

3. GitHub contributions

If you open an issue or pull request on our GitHub repository, your username and any data you include become part of a public open-source project's history. That's GitHub, not CSOH - see GitHub's privacy statement.

4. Zoom sessions

Joining the Friday session means Zoom processes your name, audio, video (if on), and chat messages. Zoom is the data controller - see Zoom's privacy statement.

We do not record sessions by default. The presentation portion is recorded only when the speaker agrees; participant Q&A is not. Meeting recaps summarize topics, not individuals.

5. Server logs

Our host keeps standard access logs (IP, URL, user-agent, timestamp) for short-term operational use - debugging, abuse handling, capacity planning. Logs are not used to profile visitors, not joined with the mailing list, and never analyzed for marketing or "engagement."

6. Analytics (GoatCounter)

We count page views with GoatCounter to see which guides land. It is cookieless and stores no IP addresses or other personal data - visits are tallied with a rotating, non-identifying hash, and it cannot follow you across other sites. It records only the page path, referrer, browser and OS, and screen size, in aggregate. The script is self-hosted at /vendor/goatcounter-count.js, so the site's strict CSP still loads no third-party JavaScript; the hosted GoatCounter service (csoh.goatcounter.com) processes the counts.

External links and tracking parameters

csoh.org links to thousands of external resources. Two things to know:

Outbound links are scrubbed of tracking parameters (e.g. utm_*, fbclid, gclid, msclkid) before publication. A monthly automated job and a per-PR check enforce this - see tools/normalize_urls.py.
Once you click an external link, the destination site's privacy policy applies. CSOH has no control over what those sites do.

The same scrubbing is applied to URLs that community members share in Zoom chat before they appear on chat-resources.html.

News aggregator

Our news page and RSS feed are populated by a script that pulls from public RSS feeds every three hours. The aggregator runs on GitHub Actions; it has no idea who is reading the page. Beyond the cookieless page-view count every page gets, we don't track which headlines you read or which outbound links you click.

Children

CSOH is aimed at working cloud-security professionals. The site is not directed at children under 16, and we do not knowingly collect data from anyone in that age range.

Where data lives

The website is hosted in the United States. The mailing list (Kit) and code repository (GitHub) are also US-based. Cookieless, non-identifying page-view analytics are processed by the hosted GoatCounter service (csoh.goatcounter.com). By emailing us or signing up for the list, you consent to your data being processed in the US.

Security

We follow standard practices to protect what little data we hold: HTTPS everywhere, narrow access to mailing-list and email accounts, MFA on organizer accounts, strict Content Security Policy on the site, automated URL-safety scanning before merge. To report a vulnerability, see our Security Policy.

Your rights

For the small amount of data we hold, you have the right to:

Know

What we hold about you - mailing-list address and prior email correspondence with organizers.

Correct

Fix inaccurate information at any time.

Delete

Unsubscribe from the list at any time, and email us to delete a prior thread.

Object

Object to any specific use of your data.

Portability

Get a copy of your data in a portable format on request.

To exercise any of these, email admin@csoh.org. We aim to respond within 14 days.

Changes to this policy

If we make material changes, we'll post them here with a new "Last updated" date and call them out in the next mailing-list email. We'd consider any change that broadens what we collect, who we share with, or what we use data for to be material.

Contact

Email: admin@csoh.org
Mail-list opt-out: Use the unsubscribe link in any CSOH email, or email us
Security issues: See our Security Policy

Back to Home Code of Conduct

🔐 Privacy Policy