No cookies. No tracking. No analytics.

This page is the receipt for the footer claim on every page of roam-code.com.

What we don't do

• No cookies. The site sets zero first-party cookies. Inspect with browser dev tools — you'll find none.
• No tracking pixels. No Facebook, Twitter, LinkedIn, or any other tracking pixel.
• No analytics scripts. No Google Analytics, no Plausible, no Fathom, no PostHog, no Hotjar, no anything.
• No third-party fonts. Self-hosted Latin-subset Space Grotesk + IBM Plex Mono. No call to fonts.googleapis.com.
• No third-party scripts. Inspect view-source:https://roam-code.com/ — only inline JSON-LD (data, not code) and Cloudflare's email-obfuscation helper.
• No fingerprinting. No canvas, no WebGL, no audio, no font-list probing.

What we do collect (server logs only)

• HTTP request logs via Cloudflare: IP address, User-Agent, requested path, response code, timestamp
• Retained 30 days for security / abuse prevention (legal basis: legitimate interest, GDPR Art. 6(1)(f))
• Not joined to any other dataset; not sold; not shared

See the full Privacy Policy for the details.

How to verify

Open browser dev tools and load this page. Check:

• Application → Cookies — empty
• Application → Local Storage / Session Storage — empty
• Network — only roam-code.com hosts. The single Cloudflare email-decode script is loaded from the same origin via /cdn-cgi/scripts/...

What about the email-obfuscation script?

Cloudflare auto-injects a tiny script (email-decode.min.js, ~1 KB) when it rewrites mailto: links to defeat email scrapers. It runs on click, sets no cookies, and reports nothing back. We could disable it but the spam-prevention is genuinely useful. If you prefer to block it, your tracker-blocker probably already does.

What about CDN edge caching?

Cloudflare caches the static page bytes at edge POPs worldwide. That improves your latency. Cache nodes log the same fields as above (IP / UA / path / code / timestamp). No personal data is stored or processed by the static page itself.

What changes when paid services launch?

Roam Cloud and Roam Review are authenticated apps — they will set a session cookie for sign-in. That's a strictly-necessary cookie and exempt from cookie consent under the EU ePrivacy Directive Art. 5(3). They still won't run analytics or tracking scripts.

Source code never leaves your machine from the open-source CLI. Roam Cloud receives metrics only. Roam Review processes PR diffs in our cloud (or yours, if self-hosted) and discards them after analysis. See Privacy Policy for the complete list of what's transmitted.

Questions? [email protected].