Privacy Policy
Overview
man1k.xyz is a static personal website for independent music artist MAN1K (Yaroslav Boruk). There are no user accounts, no login system, and no payment processing. This policy describes what data is collected, how it is used, and what choices are available to you.
If your browser sends a Do Not Track (DNT: 1) signal, or if Global Privacy Control (GPC) is active, all analytics are suppressed immediately. No GA4 script is fetched, no cookies are set, no events are fired. This is implemented in /global.js and verified on every page load.
Analytics — Google Analytics 4
Measurement ID: G-5M1G8HHZW4. When DNT/GPC is not active, Google Analytics 4 is loaded with the following privacy-preserving configuration:
- anonymize_ip: true
- allow_ad_personalization_signals: false
- restricted_data_processing: true
- cookie_flags: SameSite=Lax; Secure
- cookie_expires: 180 days
- send_page_view: false (fired manually on init only)
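A sketch of the gate and configuration described above, as an added example: this is not the site's /global.js, the function names are hypothetical, and the measurement ID is passed in as a parameter. The navigator, window and document objects are passed in so the logic can be exercised outside a browser.

```javascript
// Added example; not the site's /global.js. All function names are hypothetical.

// True when the browser signals an opt-out through DNT or GPC.
function privacySignalActive(nav, win = {}) {
  // DNT appears as navigator.doNotTrack, and in older browsers as
  // navigator.msDoNotTrack or window.doNotTrack; "1" (or legacy "yes") = on.
  const dnt = [nav.doNotTrack, nav.msDoNotTrack, win.doNotTrack]
    .some((v) => v === '1' || v === 'yes');
  // GPC appears as the boolean navigator.globalPrivacyControl.
  return dnt || nav.globalPrivacyControl === true;
}

// The gtag config listed above. cookie_expires is given in seconds.
function ga4Config() {
  return {
    anonymize_ip: true,
    allow_ad_personalization_signals: false,
    restricted_data_processing: true,
    cookie_flags: 'SameSite=Lax;Secure',
    cookie_expires: 180 * 24 * 60 * 60,
    send_page_view: false,
  };
}

// Checks the signals first; only when none is set does it inject the GA4
// script tag and queue the config. Returns whether analytics was started.
function initAnalytics(doc, nav, win, measurementId) {
  if (privacySignalActive(nav, win)) return false; // no fetch, no cookie, no event
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(measurementId);
  doc.head.appendChild(s);
  win.dataLayer = win.dataLayer || [];
  win.gtag = function gtag() { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', measurementId, ga4Config());
  win.gtag('event', 'page_view'); // manual page view: send_page_view is false
  return true;
}
```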
The following account-level data sharing settings are enabled in the Google Analytics dashboard:
- Google products & services: enabled — aggregated, de-identified data shared with Google to improve their products; Google will not use this data for ad personalisation
- Modeling contributions & business insights: enabled — aggregated, de-identified measurement data used for predictions and benchmarking
- Technical support: enabled — Google support representatives may access account data to resolve technical issues
- Recommendations for your business: enabled — Google may use account configuration and usage data to provide optimisation recommendations
GA4 is completely blocked for detected bots and crawlers. The GA4 script is served from googletagmanager.com and is never cached by the site's own Service Worker.
Data processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Privacy Policy →
Analytics — Simple Analytics
Simple Analytics is active on all pages as a privacy-first, cookie-free analytics layer. It operates via a <noscript> pixel — no JavaScript required. It sets no cookies, performs no fingerprinting, and collects no personal data. Simple Analytics respects DNT and GPC signals: when either is active, no data is transmitted. No GDPR consent is required.
Data processor: Simple Analytics BV, Keizersgracht 482-1, 1017 EG Amsterdam, Netherlands. Simple Analytics Privacy Policy →
Error Tracking
JavaScript errors are captured via window.onerror and unhandledrejection events. Error events are only forwarded to Google Analytics 4 when GA4 is active (i.e. when DNT/GPC is not set). Data collected per error event:
- Error message (truncated to 200 characters)
- Source filename (basename only, no full path)
- Line and column number
- Current page pathname, site version, timestamp
- Stack trace (truncated to 500 characters)
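The field limits above can be enforced in one place before anything is forwarded. This is an added example, not the site's own code; the function names, the `js_error` event name and the field names are hypothetical.

```javascript
// Added example; names and the 'js_error' event name are hypothetical.

// Reduce a script URL to its file name: drop query/fragment, then the path.
function basename(src) {
  if (!src) return '';
  const noQuery = String(src).split(/[?#]/)[0];
  return noQuery.slice(noQuery.lastIndexOf('/') + 1);
}

// Build the per-error record with the limits the policy lists.
// raw: an ErrorEvent-like object; ctx: { pathname, version, now }.
function buildErrorEvent(raw, ctx) {
  return {
    message: String(raw.message || '').slice(0, 200),
    filename: basename(raw.filename),
    lineno: Number(raw.lineno) || 0,
    colno: Number(raw.colno) || 0,
    page: ctx.pathname,
    version: ctx.version,
    ts: ctx.now,
    stack: String((raw.error && raw.error.stack) || '').slice(0, 500),
  };
}

// Forward only when GA4 was started (gtag exists); otherwise drop the event.
function reportError(raw, ctx, gtag) {
  if (typeof gtag !== 'function') return null;
  const ev = buildErrorEvent(raw, ctx);
  gtag('event', 'js_error', ev);
  return ev;
}
```

Truncating the stack limits its size but does not strip script URLs that appear inside the stack text.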
Service Worker & Caching
man1k.xyz uses a Service Worker (/sw.js) for offline support and performance. The following content is cached locally in your browser — this data is stored solely on your device and is never transmitted to any third-party server by the Service Worker itself:
- Pages: /, /about, /music, /lives, /gallery, /services, /subscribe, /press, /contact, /legal, /tap, /vv17ch0uz3 (cache: mk-v7)
- Assets: /global.js, /polyfills.js, logos, icons, fonts
- Game: /game/ and associated engine files (cache: mk-game-v4)
- Gallery images: Cached after first load from i.ibb.co with background revalidation (cache: mk-gallery-v3)
Cache is automatically cleared when a new Service Worker version activates — all caches except mk-v7, mk-game-v4, and mk-gallery-v3 are purged on activation. Bots and crawlers bypass the Service Worker entirely.
Third-Party Embedded Services
The following third-party services may be embedded or contacted on specific pages. Each operates under its own privacy policy — man1k.xyz does not control their tracking behavior.
referrerpolicy="unsafe-url", sending the full page URL to Buttondown on submission.
/portal666 Disclosure
/portal666 (via direct URL or keyboard sequence m→a→n→1→k) is listed in the Service Worker BYPASS array — meaning the SW does not intercept or cache it; it is served directly from the network on every visit. The page contains an embedded SoundCloud player that loads after a user gesture (click-to-start overlay) — it does not load on page load. Once activated, SoundCloud may set cookies and log your visit regardless of your DNT preference — man1k.xyz cannot control SoundCloud's tracking within their embedded player. The page also uses WebGL shaders (procedural fog with cursor-reactive physics), Canvas 2D (rune glyph particles with orbital motion and cursor attraction/repulsion), and VHS glitch overlays. To avoid third-party tracking: block third-party cookies, use a content blocker for soundcloud.com, or avoid navigating to /portal666.
/game/ — VOID SIGNAL Disclosure
The browser-based game VOID SIGNAL at /game/ uses the following client-side technologies. No personal data is collected or transmitted by any of these features:
- SoundCloud: Iframe loaded with auto_play=false; music starts only on explicit PLAY action via the SC Widget API — not on page load
- WebAudio API: All game sound effects are generated procedurally in real time via OscillatorNode — no external audio files are loaded
- IndexedDB: Database vxd (version 1), object stores — stores a single record containing the highest game score. Fallback: localStorage key vxb. No personal data is stored.
- Vibration API: Brief haptic feedback (5ms) on mobile touch control presses
- VisualViewport API: Resizes game container to match the visual viewport on mobile (accounting for on-screen keyboards)
- Canvas 2D: Full-screen rendering with VHS post-processing overlays (scanlines, grain, chroma shift, vignette)
Local Storage
man1k.xyz uses browser localStorage (not cookies) for the following purposes. No personal data is stored, and none of this data is transmitted externally:
- _m1k_v1 (homepage) — Aesthetic visit counter. Alters a decorative text element after 3+ visits. Purely cosmetic; not suppressed by DNT.
- mk_r, mk_b (all pages) — Client-side rate limiter state. Persists across page reloads.
- vxb (/game/) — High score fallback when IndexedDB is unavailable.
Data Retention
man1k.xyz does not operate its own database or user accounts. No personal data is stored on man1k.xyz servers. For third-party services: Google Analytics 4 retains data for 14 months by default. Simple Analytics retains only aggregated, non-personal visit data. All other services retain data per their own policies.
Your Rights & Opt-Out
You may opt out of analytics tracking by enabling DNT or GPC in your browser. Additionally:
- TikTok Pixel opt-out: enable DNT or GPC in your browser, or adjust ad settings at tiktok.com/legal/privacy-policy
- Google Analytics opt-out: tools.google.com/dlpage/gaoptout
- Request deletion of Google Analytics data: contact Google directly
- SoundCloud data rights: soundcloud.com/pages/privacy
- Direct inquiries: [email protected]
If you are an EU resident, your rights under the GDPR are preserved — see Section 10 below.
Remove All Site Data
To fully remove all data this site stored on your device:
Chrome / Edge / Opera: Click the 🔒 lock icon in the address bar → Site settings → Scroll down → Clear data.
Firefox: Click the 🔒 lock icon → Clear cookies and site data.
Safari: Settings → Privacy → Manage Website Data → find man1k.xyz → Remove.
Mobile (Chrome): Tap the three dots → Settings → Privacy and security → Clear browsing data → select Cookies and Site data.
This removes cookies, cache, local storage, and Service Worker registration for man1k.xyz only — other sites are unaffected.
TikTok Pixel
man1k.xyz uses the TikTok Pixel (ID: D7958NBC77U5V754BC6G), loaded on all pages. When active, it collects:
- Page View events — URL, page title, referrer, timestamp
- Device & browser data — IP address, browser type, OS, device type
- Expanded Data Sharing (enabled) — page metadata, click interactions, time on page, page load speed
- Advanced Matching / AAM (enabled) — if personal data was previously submitted on this site, it may be collected in SHA-256 hashed form (email, name, phone, address) for audience matching
- First-party cookies — set from man1k.xyz domain for cross-session attribution
Data is transmitted to TikTok Technology Limited and used for advertising audience building, ad performance measurement, retargeting, and Lookalike Audience creation. TikTok acts as an independent data controller.
Legal basis (GDPR Art. 6(1)(f)): Legitimate interests — advertising and audience analytics for an independent music artist. The pixel is suppressed entirely for users with DNT or GPC active.
TikTok privacy policy: tiktok.com/legal/privacy-policy. Cookie details: Cookie Policy, Section 03.1.
GDPR Compliance
Applies to all visitors from the European Union and European Economic Area.
man1k.xyz processes no personal data directly. The following measures ensure full compliance with the General Data Protection Regulation (EU) 2016/679:
- No personal data collected by the site itself — no accounts, no sign-ups, no server-side logs of personal data
- Analytics suppressed by default for DNT/GPC users — Google Analytics 4 is not loaded when DNT or GPC signals are detected, meaning no analytics cookies and no data transmission to Google for those users
- When GA4 is active — configured with anonymize_ip: true, allow_ad_personalization_signals: false, and restricted_data_processing: true; Google Ireland Limited acts as data processor under EU adequacy
- Newsletter (Buttondown) — email address is processed only on explicit opt-in submission. Buttondown is the data processor; you may unsubscribe at any time via the link in any newsletter email
- No cross-border data transfers without safeguards — third-party processors (Google Ireland, Cloudflare, GitHub/Microsoft) operate under Standard Contractual Clauses or EU adequacy decisions
- Hosting — site files served via GitHub Pages (Microsoft Corporation); GitHub may log IP addresses and request metadata per their privacy policy
- Data minimisation — only technically necessary data is processed. Note: TikTok Pixel (Section 09.2) is active for advertising purposes and collects page, interaction, and device data; suppressed entirely for DNT/GPC users
- Retention — Google Analytics data: 14 months; no other retention periods applicable as no personal data is stored by the site
Your rights as an EU resident (Articles 15–22 GDPR): right to access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object. To exercise rights regarding analytics data, use the Google Analytics opt-out or contact Google directly. For newsletter data, unsubscribe and contact Buttondown. For any other enquiries, contact [email protected].
Referrer Policy
All pages declare Referrer-Policy: strict-origin-when-cross-origin. Your full URL is sent as the Referrer only to same-origin requests. Cross-origin requests receive only the origin (https://man1k.xyz) without path or query. No referrer is sent when downgrading from HTTPS to HTTP.
Exception: The Buttondown newsletter form on /subscribe uses referrerpolicy="unsafe-url", overriding the global policy for that form submission. The full page URL (including the /subscribe path) is sent to Buttondown as the Referrer header.
Merch Store — Separate Privacy Policy
The merch store at shop.man1k.xyz operates as a separate service powered by Fourthwall and is governed by its own privacy policy. man1k.xyz is not responsible for data collected by the store. Relevant store documents: