Privacy Policy
Last updated 9 June 2026
Bulwark verifies that a visitor is human without tracking them, profiling them, or sending data to any third party or cloud. This is what it does and does not process.
no tracking cookies
no fingerprint profiles
no third-party calls
no data sold
self-hosted
What Bulwark processes
- IP address: used transiently to rate-limit abuse and decide whether to escalate to an interactive challenge. Held only in a short-lived counter (seconds to minutes), never in a persistent profile.
- Challenge interaction: when a puzzle is shown, Bulwark briefly analyses pointer timing and trajectory solely to tell a human from automation. It is evaluated at verification time and then discarded.
- Proof-of-work: your browser solves a math puzzle locally. Nothing about your device is collected to do this.
What Bulwark never does
- Sets no advertising or tracking cookies.
- Builds no cross-site profile and does not follow you between websites.
- Makes no calls to external clouds or analytics; everything runs on the operator's own server.
- Does not sell, rent, or share any data.
Cookies & retention
Bulwark sets no cookies. Verification uses short-lived, single-use tokens that are validated and then expire. Rate counters expire automatically and interaction data is not stored after a challenge is evaluated.
Bulwark is self-hosted. The operator of the site you are visiting runs their own instance and is the data controller. Operators should review and adapt this template, ideally with legal counsel, for their deployment and jurisdiction.
Your rights & contact
Because Bulwark builds no user profiles and retains no identifying data, there is normally no personal dataset to access or erase. For a specific deployment, contact the operator of the website where you encountered Bulwark.