Architecture
Lurk is built to eliminate tracking at both application and network layers. No usernames, passwords, or email addresses are collected. Access is authorized via a cryptographic token. Only a SHA-256 hash of the token is stored — the plaintext is never written to disk. IP addresses, browser fingerprints, and behavioral metadata are never collected.
What We Collect
| Item | Collected | Purpose |
|---|
| Token hash (SHA-256) | Yes | Authentication |
| Payment transaction ID | Yes | Ledger validation |
| IP addresses | No | Never logged |
| Search queries | No | Never stored |
| Browser fingerprints | No | Never collected |
| Email addresses | No | Not required |
| Names | No | Not required |
Network and Delivery
Traffic is routed through a privacy-configured edge network with logging completely disabled. No browser metrics, user agents, request identifiers, or referrer URLs are preserved at the network layer. All connections are encrypted in transit.
Payment Processing
Payments are processed through third-party cryptocurrency payment processors. We process only what is necessary to confirm payment and activate your token. No IP address, email, or physical identity is processed during payment. Monero transactions provide additional privacy through stealth addresses and ring signatures by default.
Cookies
One first-party session cookie retains your hashed token in the browser during your session. This is strictly necessary for the authenticated query loop and is exempt from consent requirements under Article 5(3) of the ePrivacy Directive. No analytical, behavioral, marketing, or tracking cookies are used. No third-party scripts are executed.
Third-Party Breach Data
We process publicly disclosed breach data under GDPR Article 6(1)(f) legitimate interest. The data has already been publicly exposed by third parties — our indexing does not create new privacy harm. We invoke the Article 14(5)(b) exemption for individual notification as contacting billions of breach subjects is impossible without violating data minimization principles.
Opt-Out
Submit your identifier at lurk.st/optout to be permanently excluded from search results. We store only a SHA-256 hash of your identifier — the plaintext is never written to disk. Future searches matching the hash are automatically excluded.
Your GDPR Rights
Right of access, rectification, erasure, restriction, and objection are all supported. Because we collect no identifying user data, most requests are handled via the opt-out system at lurk.st/optout. You may lodge a complaint with your national supervisory authority at any time.
Data Retention
Token hashes are retained while the token is valid, then deleted. Payment records are retained for statutory accounting requirements. Search queries are never stored. Everything else is not collected.
Contact
Data protection inquiries: lurk.st/contact
Opt-out requests: lurk.st/optout