Privacy Policy
Last updated: May 3, 2026
- We don’t use cookies.
- We use Umami (self-hosted, cookie-free) for page-view counts, and Cloudflare as our CDN — both log standard request metadata. No third-party trackers, no fingerprinting, no advertising pixels.
- We don’t sell or share your data.
- We keep server logs for 30 days for security and debugging.
- If you use the API, we record your API key and request volume for billing.
1. Who we are
4ort.xyz (“we”, “us”) is a knowledge graph operated by the 4ort team. You can reach us at [email protected]. The site is hosted in Germany (Hetzner Online GmbH).
2. What data we collect
We collect the minimum needed to operate the site. Specifically:
- Server access logs — standard nginx logs containing your IP address, requested URL, browser user-agent, referrer, and timestamp. Written to disk on our server, rotated automatically after 30 days.
- Umami analytics (self-hosted on our own VPS at analytics.4ort.xyz) — page views, referrer, browser type, OS, country (derived from IP, not stored). No cookies. No fingerprinting. No personal identifiers. Source: github.com/umami-software/umami.
- Cloudflare CDN logs — Cloudflare proxies our traffic and records standard request metadata (timestamp, IP, user-agent, country, cache status, response size) for the purpose of CDN delivery, DDoS protection, and bot mitigation. See Cloudflare’s privacy policy.
- API usage — if you use our public API with an API key, we record your key, the endpoint called, and the response status code so we can apply rate limits and bill correctly.
- Email address — only if you sign up for an API key. We use it to send your key, billing notifications, and (rarely) service announcements. We never spam.
3. What we do NOT collect
- Cookies — we don’t set any. Visit any page with browser developer tools open and confirm.
- Third-party trackers — no Google Analytics, no Mixpanel, no Facebook Pixel, no advertising pixels, no behavioral profiling, no fingerprinting.
- Cross-site embeds — we don’t embed anything that loads cross-origin scripts (no YouTube, no embedded social media). The only third-party requests on our pages are to our own self-hosted Umami at analytics.4ort.xyz.
- Data brokers — we never sell, rent, or share your personal data.
4. Cookies
We don’t use cookies of any kind — not for analytics, not for advertising, not even for preferences. Umami is intentionally cookie-free; it identifies visitors via a daily-rotating hash of (IP + user-agent + day-salt), which can’t be linked across days. You can verify there are no cookies in any browser’s developer tools.
Because we don’t set cookies, we don’t display a cookie consent banner under GDPR or ePrivacy directives.
5. Server logs & lawful basis (GDPR)
We keep nginx access logs for 30 days. Logs include your IP address, which is considered personal data under GDPR.
Our lawful basis for this is legitimate interest (Article 6(1)(f) GDPR): we need server logs to detect abuse, debug errors, and protect the service from attacks. Logs are not used for marketing, profiling, or any secondary purpose.
After 30 days, logs are automatically deleted by Linux logrotate.
6. Third parties we use
We use the following providers:
- Hetzner Online GmbH (Germany) — web hosting. Subject to GDPR. Acts as a data processor.
- Cloudflare, Inc. (US, with EU presence) — CDN, DDoS protection, and TLS termination. Sees and logs all incoming requests as part of normal CDN operation. Privacy policy.
- OpenAI / 4ort.io — for entity content enrichment. We send Wikidata content (which is public) but no user data.
- DataForSEO — for search-volume metadata. We send entity names but no user data.
Of these, only Cloudflare receives your IP and request metadata as part of routing your visit. The others never see your visit at all — they only handle our backend data pipelines.
7. AI and LLM crawlers
4ort.xyz publishes an open knowledge graph derived from Wikidata under a CC0 license. We welcome AI crawlers (GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot, etc.) and our /llms.txt and /robots.txt files explicitly allow them.
This crawling does not involve your personal data — AI crawlers only read public entity pages.
8. Your rights (GDPR / UK GDPR / CCPA)
You have the right to:
- Request a copy of any personal data we hold about you.
- Request correction or deletion of your personal data.
- Object to our processing of your data.
- Lodge a complaint with your local data protection authority.
If you have an account
4ort accounts (and the linked KG API key) are managed at 4ort.ai. To export, correct, or delete your account and all associated data across the 4ort empire, sign in there and use Account Settings → Delete Account. Account deletion cascades to 4ort.xyz and other empire properties automatically.
If you don’t have an account
The only personal data we have is in 30-day-rotating server logs (your IP + standard request metadata). To request deletion sooner, email [email protected] with your IP and approximate visit time and we’ll purge.
Cloudflare and Umami logs follow the same 30-day rotation.
9. Children’s privacy
The site is suitable for general audiences but is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children.
10. Changes to this policy
We’ll update this page if our practices change. Changes will be posted here with an updated date at the top. Material changes will also be announced via the homepage.
11. Contact
Questions about this policy or your data: [email protected].
v1.0 · Effective April 30, 2026 · Plain-language privacy by design.