Security & Privacy

How I handle data across my sites: rigourhero.com, killclog.com, tracker.killclog.com, 420kc.dev. Short version: raw IPs never get stored, and the only analytics in use is GoatCounter (privacy-first, IP-anonymized).

Your IP is hashed before it touches a log

Every HTTP request exposes your IP to whatever server it hits. That's TCP/IP, unavoidable on any website.

What I do differently: raw IPs never land in any persisted log on my servers. Two layers:

• Webserver (nginx): access logs are off across every site. Nothing IP-shaped is written to disk at the front door.
• App-level audit: when the app does need a per-device fingerprint (rate limiting, anti-abuse), it stores an ipHash, not the IP. The hash is HMAC-SHA256 with a server-local secret salt that never touches source control. Only the running server process can read it.

What I don't store

• Raw IPs, anywhere
• Real names, emails, phone numbers, addresses
• Browser fingerprints, device fingerprints, advertising identifiers
• Cookies for tracking. No Google Analytics, no Facebook Pixel, no ad networks.
• Any Jagex account credentials. I never ask, never receive, never store. The only OSRS data I touch is the public hiscores and TempleOSRS clog data, both of which anyone can already see.

The one analytics tool I do use

GoatCounter, on killclog.com only. It counts page views. By design it doesn't use cookies, doesn't fingerprint, and hashes IPs in memory for ~8 hours before discarding them. I picked it specifically because it's the rare analytics tool that lines up with the IP pledge above. If you'd rather opt out, the script honors Do Not Track.

Reporting something

If you find a vulnerability or notice something that looks off, message @ 420 kc in-game or email security@rigourhero.com. I respond within 48 hours and won't take legal action against good-faith researchers.

Built by 420 kc.