How we handle privacy and analytics
Vercel Analytics, no personal tracking, opt-in email only, and stateless HMAC unsubscribes.
We use Vercel Analytics — a privacy-first, no-cookie page-view counter — and that is the entirety of our analytics stack. No personal tracking, no fingerprinting, no third-party pixels. Email opt-in is double-confirmed and unsubscribes are stateless via HMAC tokens.
Vercel Analytics counts page views by hashing each request's IP address + user agent + page path into a daily anonymous bucket. It does NOT drop a cookie, fingerprint the browser, or correlate across days. Each day's bucket is independent.
The dashboard surfaces aggregate counts per page and per country — nothing more. We never see an individual user's path through the site.
A deliberately short list — these are the patterns we have actively chosen against:
- ▸No Google Analytics. No Plausible script. No Fathom. No Mixpanel. No Segment.
- ▸No third-party advertising pixels (no Meta Pixel, no LinkedIn Insight, no X Pixel).
- ▸No session replay (no Hotjar, no FullStory, no LogRocket).
- ▸No cookies of any kind on hundo-hunter.com — open DevTools and verify.
- ▸No localStorage tracking beyond functional preferences (theme, language).
- ▸No A/B test framework that fingerprints visitors into buckets.
If a page surfaces an email opt-in (rare — currently only the monthly events recap), the opt-in is double-confirmed: you enter your email, we send a confirmation link, you click. We store only the email and a confirmation timestamp.
Lists are kept in a single Postgres table, never exported to any third-party mailer. We send via a single transactional provider (Postmark) on a dedicated subdomain.
unsubscribe_url = `${BASE}/u/${hmac_sha256(email, UNSUB_SECRET)}`
On click:
candidate_emails = SELECT email FROM subscribers
for each email:
if hmac_sha256(email, UNSUB_SECRET) == token:
DELETE FROM subscribers WHERE email = $1
return 200 "You are unsubscribed."The HMAC-only design means an unsubscribe link in a forwarded email still works (no session, no login). The token is per-email and revealing nothing else.
On delete we wipe the email row entirely — we do NOT keep a tombstone or hashed re-suppression list. If you resubscribe, you start fresh.
The iOS app is the same posture. No analytics SDK is linked into the binary — no Firebase, no Amplitude, no Mixpanel. Crash reports go through Apple's built-in crash reporting only (opt-in at the OS level).
Captured Pokémon data stays on-device in a local SQLite database. It never leaves the phone except via the user's own iCloud backup (Apple-encrypted, opaque to us).
How Hundo Hunter solves the CP formula backward to find IVs.
How Hundo Hunter ranks the top 12 counters for every raid boss.
How Hundo Hunter curates the top-12 picks per league.
How Hundo Hunter computes the hundo and floor CP for every raid catch.
How Hundo Hunter assigns S / A+ / A / B / C tiers to attackers.
How Hundo Hunter maps the in-game appraisal stat bars to exact 0-15 IVs.
The DPS × Effectiveness × Bulk formula behind every counter list on Hundo Hunter.
The 91% IV threshold, XL-relevance check, and per-species candy economics behind every Pinap recommendation.
Per-level CPM math, Lucky halving, Best Buddy stack, and why our estimates can differ from in-game by 1-2%.
ASC API + ct= campaign tokens, per-source attribution, and zero personal data on the install funnel.
LeekDuck → ScrapedDuck → our API, with 1-hour refresh, Postgres translation cache, and graceful fallback.
Where the "mons" / "the game" convention applies, where the trademarked name is allowed, and why.