Privacy Policy
War-Tracker ("we", "us") operates the public OSINT war-tracking platform at war-tracker.com, the public JSON API at /api/v1/openapi.json, the remote MCP server at /mcp, and the real-time event WebSocket. This page explains what we collect when you (or an agent you control) visit any of those surfaces.
Summary
- No tracking pixels, no ad networks, no third-party analytics. We do not use Google Analytics, Meta Pixel, Hotjar, Segment, or any session-replay tooling.
- No accounts required. The map, the WebSocket feed, and the free JSON API endpoints work without authentication. OAuth sign-in (X, Google, Microsoft) is optional and only used to attach a stable identity to your likes, comments, and view history.
- Payments stay on-chain. Paid API requests settle in USDC via the x402 protocol; we see the wallet address that signed the payment but not your real-world identity.
- We do not sell personal data.
Data we collect automatically
For every HTTP and WebSocket request we receive, our edge (Cloudflare) and our origin (FastAPI behind nginx) log:
- IP address — used for rate-limiting, abuse detection, geolocation at country level, and the bot/UA scoring in /x402. Stored at the edge for up to 30 days, and inside our Redis cache for short-lived counters (typically 24 hours).
- User-Agent and request headers (Sec-Fetch-*, Origin, Referer, Accept) — used to distinguish humans from AI training crawlers per the policy at /pricing.
- URL path and query parameters — needed to serve the request and log errors.
- Approximate location at country level, derived from IP via Cloudflare and our IP-guard service. We do not store city, latitude, or longitude.
Server access logs are rotated; long-running aggregates are stored as counts (not raw IPs) in our analytics tables.
Cookies
We use a small number of strictly-necessary first-party cookies:
- ct_visitor — opaque random visitor id (no personal data). Used to deduplicate anonymous event views, enforce fair-use limits, and detect bot traffic. ~1 year.
- wt_session — set only after you complete OAuth sign-in. Holds an encrypted session token. Cleared when you sign out.
- Cloudflare's __cf_bm and cf_clearance — bot-management cookies set by our CDN. See Cloudflare's cookie policy.
We do not use third-party advertising, remarketing, or cross-site tracking cookies.
Optional sign-in (OAuth)
If you choose to sign in with X (Twitter), Google, or Microsoft, we receive from your chosen provider:
- A stable provider-specific user identifier.
- Your public display name and profile picture URL (if you have made them public on that provider).
- Your verified email address, when the provider includes it.
We do not receive your password, your private posts, your contact list, or any scope you did not approve at the OAuth consent screen. You can revoke our access at any time from your provider's account settings; doing so deletes the link on our side at the next sign-in attempt.
Payments (x402)
Paid API endpoints settle via the x402 protocol in USDC on Base by default (other supported networks are listed at /x402.json). When you settle a payment we receive:
- The signing wallet address (on-chain public address).
- The amount, asset, network, and transaction hash, returned by the facilitator (xpay, Coinbase CDP, PayAI, or Dexter).
We do not link wallet addresses to OAuth identities unless you explicitly associate them yourself. Settlement metadata is retained indefinitely for accounting and dispute resolution.
Real-time WebSocket feed
The /ws/strikes WebSocket streams live conflict events. Beyond the request metadata above, we only log connection lifetime, the geographic / time-window query you opened the socket with, and the cumulative event count delivered during your session — all for rate-limiting and quota enforcement only.
Third-party processors
The following processors handle data on our behalf, each under their own published terms:
- Cloudflare — CDN, DDoS protection, edge caching, bot management.
- X, Google, Microsoft — OAuth sign-in providers (only invoked if you choose to sign in).
- x402 facilitators — payment validation and on-chain settlement. See /x402 for the current facilitator list and their terms.
- Hosting and database providers under standard data-processor agreements.
Your rights
Depending on where you are (GDPR in the EU/UK, CCPA in California, similar laws elsewhere) you may have the right to access, correct, delete, port, or object to the processing of personal data we hold about you. To exercise any of these rights, email privacy@war-tracker.com from the email address linked to your account (or, for purely anonymous visitors, describe the visitor cookie or wallet address you would like us to look up). We will respond within 30 days.
You can delete your account at any time from /account after signing in; this removes your OAuth link, your likes, your comments, and your view history. Public events you created from your account remain in the public corpus in pseudonymous form.
Children
War-Tracker is not directed at children under 13 (under 16 in the EU). We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
International transfers
Our servers and our processors operate in multiple jurisdictions, including the EU and the United States. By using War-Tracker you consent to your request metadata being transferred to and processed in those jurisdictions, subject to standard contractual clauses where required.
Changes
We will update this page when our data practices change. The "last updated" date at the top of the page reflects the most recent change. Material changes will additionally be announced on our blog at /blog.
Contact
- Privacy enquiries: privacy@war-tracker.com
- Sales and partnerships: sales@war-tracker.com
For our service terms, see /terms. For the methodology that produces the data we publish, see /methodology.