Yes, free. No accounts, no sign-in, no paywalls. Every page works for first-time visitors with zero state required. Some tools (like WhoAmI) ask for explicit consent before reading browser-side data — you can decline and the page still shows the server-derived information.

The codebase is open source under the MIT License — see the GitHub repository for source, plans, and design specs.

No analytics layer is currently wired in — no Google Analytics, no Meta pixel, no third-party tag manager, and no first-party counter either. The only cookie set is a CSRF token used by future form submissions; it's sameSite=strict and never echoed off-origin.

The cookie-consent banner is in place to support an opt-in counter if one is added later — anonymized only, with hashed-and-salted IPs and zero third-party calls. Declining the banner today blocks nothing because nothing is collected.

The site uses Catppuccin Mocha — a dark palette chosen for sustained reading on terminal-themed UIs. There's no theme toggle currently; the design is dark-only by default. JetBrains Mono is used for monospace accents (commands, code, hashes), Geist Sans for body text. If a light variant ships later it will use Catppuccin Latte with the same geometry and accent tokens swapped.

All routes are fully responsive. Layouts collapse from 3-column → 2-column → 1-column at standard Tailwind breakpoints (lg → md → base). Heavy modules (WhoAmI deep tier, Weather) were tested on iPhone Safari, Android Chrome, and iPad in landscape. If something looks off on your device, please file an issue on GitHub with a screenshot.

Two tiers, both consent-gated:

• Server tier (always-on, no consent): your public IP via the request headers, plus geolocation lookup against ipwho.is (with ipapi.co as fallback). The IP is masked for display (last octet stripped) and hashed for logs.
• Basic browser tier (consent required): navigator API surface (language, platform, hardware concurrency, device memory), screen dimensions, and WebGL renderer.
• Deep tier (separate re-consent): canvas + audio SHA-256 fingerprints, WebRTC IP leak probe, and permission-state queries.

Many browsers — including Chromium-based ones — return denied from navigator.permissions.query() by default for Camera and Microphone on origins that have never requested them. It's the safe default, not a record of your past choice. WhoAmI only queries the state; it never calls .request(), so no real prompt fires regardless of the displayed status.

Nowhere except your clipboard / Downloads folder. Both actions are pure browser APIs — no network request fires. You can verify in DevTools → Network: clicking either button produces zero new entries. The Visit Comparison card likewise stores its snapshot in your browser's localStorage; the server never sees it.

That's the test working as intended. WebRTC peer connections discover your real public IP via STUN to enable NAT traversal — even when you're behind a VPN, unless the VPN client explicitly blocks WebRTC. The only way for the card to show the leak is to perform the leak itself (talking to Google's STUN server). The result lives entirely in your browser — the discovered IP is not transmitted back to this origin.

Open-Meteo — a free, no-key weather API that aggregates NOAA, DWD, and ECMWF data. Geocoding, current conditions, hourly forecast, daily forecast, and air quality each hit a separate endpoint, all proxied through the /api/weather route to keep your IP off their logs.

Both live in localStorage via Zustand's persist middleware (key: kursataknc-weather). Clearing site data resets them. There's no server-side user state.

The European AQI bands from Open-Meteo (different from US EPA bands):

• 0–40 Good (green)
• 41–60 Fair (info / blue)
• 61–100 Moderate (yellow)
• 101–150 Poor (red)
• 151+ Very Poor (dark red)

The card's accent border colour reflects the band so you can scan air quality at a glance.

Either ipwho.is and ipapi.co are both rate-limiting the VPS (rare — there's a 10-second timeout per provider with automatic fallback), or you're running on a local network where the source IP resolves to a private range. The page degrades gracefully: server cards show “Lookup unavailable” while the rest of the module continues to work.

That's expected — by design, this site never persists user state on the server. Use Share Profile → Download .json on WhoAmI to keep snapshots offline; favorites in Weather are gone after a clear unless re-added. The trade-off is deliberate: privacy requires no trust.

Quick diagnostic checklist:

1. Hard reload: Ctrl/Cmd + Shift + R
2. Open DevTools → Console; share any error lines starting with “Refused” or “Uncaught”
3. Disable browser extensions one at a time (ad blockers can break legitimate scripts)
4. Try a different browser to isolate

If the issue persists, please contact me with the failing URL, browser version, and a console screenshot.