No ads, no trackers, no nonsense
What CrocOps collects, what it doesn't, and how comments work.
This site is run by me, Croclius. Wherever I can, I use privacy-focused, open-source tools on infrastructure I control. The goal is to publish educational offensive-security content, not to mass-collect or exploit reader data. This policy covers croclius.com, the newsletter, and the account, comment, and membership features built into the site. By using any of them, you agree to what's below.
Disclaimer
Everything on croclius.com is for educational and informational purposes only. The writeups, guides, and techniques here describe attacks against machines I own or am authorised to test. I do not condone or support illegal activity of any kind, and nothing here is permission to attack a system you don't own or haven't been contracted in writing to assess. Always act ethically and get signed authorisation before testing any system. Any misuse of what you read here is the sole responsibility of the user.
Privacy
CrocOps shows no ads and runs no behavioural tracking or third-party advertising. You can read every post, search the site, and follow the RSS feed without an account and without giving me any personal information.
The site only collects data when you choose to act on it: send a message, subscribe, sign in to comment, or support the work. Each of those is broken down under Collected information below.
External content & integrations
Some posts embed or link to content hosted elsewhere, such as an advisory, a tool's repo, or the occasional video. When that content loads, the site serving it can see you requested it and may set its own cookies, exactly as if you'd visited directly. I keep embeds to a minimum and prefer plain links for this reason.
Collected information
Everything the site collects, grouped by the feature that collects it.
Page reads are counted by Umami, a cookieless, privacy-first tool I run myself, so the data never leaves my infrastructure. It records aggregates only:
- Page views and referrers
- Rough country
- Browser and device type
No cookies, no cross-site identifiers, no stored IP, no personal profile. Nothing is ever sold or sent to an ad network.
Sends only the fields you fill in, and only when you submit. The form posts to this site's own server, which delivers it through Resend as an email I can reply to, just name, email, subject, and message, nothing more.
To comment you sign in, which gives the site a verified email. Stored alongside it:
- An optional display name
- A generated avatar, never a photo or upload
- Your account creation date
- Your comments, replies, and likes
Your email is never shown publicly, readers only see your display name and avatar. Sign in with Google, GitHub, or a one-time email link. Whichever you pick only proves you control an address. I never receive a password or anything from your profile beyond the verified email.
Paid membership and one-time tips run end to end through Stripe. Card details go straight to Stripe and are never seen or stored by CrocOps. From a successful payment I keep only what's needed to manage access:
- Your email
- Membership status
- Plan type
- Renewal date
Tip or subscribe and the confirmation page asks if you'd like to be listed on the membership page. Skip it or choose "No thanks" and you show as "Anonymous backer".
Your rights to your data
Ask what's stored about you, ask me to correct it, or ask me to delete it. Most of this is self-serve:
- Delete your own comments
- Delete your account
- Unsubscribe from any newsletter footer
For anything you can't do yourself, email contact@croclius.com from your account address and I'll handle it.
Data sharing
I never sell, rent, or trade your data. The only parties that ever receive any of it are the providers running the features above, each doing one job under its own policy:
- Mailchimp for the newsletter
- Resend for email delivery: the contact form, sign-in links, and comment notifications
- Stripe for payments
- Google / GitHub for sign-in, if you choose it
Sending anything to them is your choice, made by using the feature. For a lawful legal or law-enforcement request, I comply only where legally required.
Data security
Data is encrypted in transit. The site runs behind a reputable edge provider with bot protection and the standard security headers, and access to any stored personal data is limited to me. No system is ever perfectly secure, and I won't pretend otherwise, but the site is built to collect very little, which is the best protection there is.
Data retention
External links
Posts link out to tools, advisories, and other people's writeups. Those sites aren't mine, they run their own tracking, and following a link is your call. Read their policies before interacting with them.
Children's privacy
CrocOps isn't aimed at children and doesn't knowingly collect data from anyone under the age of digital consent in their country. If I learn a minor created an account or subscribed, I remove the data. If you're a minor, get a parent or guardian's permission before creating an account.
Changes to this policy
If this policy changes in a way that matters, the date up top moves and the change shows here. When it affects subscribers, I'll note it in the newsletter. Continuing to use CrocOps after an update means you accept the current version.
Contact
Questions or concerns? Email contact@croclius.com or use the contact form.
Comment guidelines
Comments are open because good discussion makes the posts better: a cleaner approach, a correction, a tool or detail that's moved on since I wrote it. Keep it useful and it stays open.
Comments are moderated and I have the final call on what stays. Repeated abuse loses commenting access.