Logs

Apache logs are kept for three days, after which they are discarded. I'd be more than happy to disable logs altogether, but I need the IP of troublemakers so I can ban them and I can't check the logs every day.

I'm also using Piwik to gather statistics. The last three bytes of the IP addresses are masked, which means 12.34.56.78 is logged as 12.0.0.0. I have no JavaScript code on the page to track visits; I only scan the Apache logs once a day.
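
An added example, not code from this site or from Piwik: the three-byte masking described above, applied to the client field of Apache access-log lines before they reach a statistics tool. The sample lines are constructed, and the IPv6 rule (keep the first 32 bits) and the replacement of non-IP hosts with "-" are assumptions of this example.

```python
import ipaddress

# Leading bits kept per address family. IPv4: 8 bits, i.e. the last three
# bytes are zeroed as described above. IPv6: 32 bits is this example's choice.
KEEP_BITS = {4: 8, 6: 32}


def mask_ip(text):
    """Return the address with its trailing bits zeroed (12.34.56.78 -> 12.0.0.0)."""
    ip = ipaddress.ip_address(text)          # ValueError if text is not an IP
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:a.b.c.d is really IPv4
        ip = ip.ipv4_mapped
    drop = ip.max_prefixlen - KEEP_BITS[ip.version]
    masked = (int(ip) >> drop) << drop
    # Build with the same class so a small IPv6 value is not read as IPv4.
    return str(type(ip)(masked))


def anonymize_line(line):
    """Mask the client address, the first field of a common/combined log line."""
    host, sep, rest = line.partition(" ")
    try:
        host = mask_ip(host)
    except ValueError:
        # A resolved hostname or garbage: drop it rather than keep an identifier.
        host = "-"
    return host + sep + rest


# Constructed sample lines in Apache combined format.
SAMPLE = [
    '12.34.56.78 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:abcd:12::1 - - [01/Jan/2024:10:00:05 +0000] "GET /forum HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'host.example.net - - [01/Jan/2024:10:00:09 +0000] "GET /version.txt HTTP/1.1" 200 6 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(anonymize_line(entry))
```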

Forums

The forum software is custom-made and is not currently open-source. The only reason for this is lack of time, as I plan to release it eventually. I was looking for a lightweight forum that included a moderation feature, but I couldn't find any. So I wrote one.

I log the IP of every poster, which I keep for two days. This allows me to ban users more easily. I'll see in a couple of weeks if I still get spam (which was overwhelming with the previous forums). If I don't, I'll disable this completely. I'm still keeping the Apache logs though.

Passwords are hashed using PHP's password_hash() with bcrypt and a cost of 12.

Tracking

I'm using cookies to remember the language preference (while logged out) and to log you in. You may browse the website without cookies or JavaScript and post anonymously on the forums.

baretorrent

The torrent client itself does not phone home. The only time it communicates with this server is to check for updates, which can be disabled in the options. To do this, it fetches a text file containing the most recent version number and does the comparison locally on your machine.

This does mean that I have a log of every single user of the program along with IP addresses from the web server. This is what happens with any program that checks for updates. I discard these logs after three days. I have no interest in them.

The only visible piece of information that says you are using baretorrent is the user-agent, which is sent to any peer when connecting to it. This is currently "baretorrent/x.x libtorrent/y.y", where x.x and y.y are the respective versions. This may be changed in the advanced options under "bt.session.user_agent" if you want to spoof it to something else.

Final words

Privacy matters. You may have nothing to hide, but the decision should be yours. I treat my users as I would want to be treated (and I'm a little paranoid).