Privacy And Data

What DesertCMS stores for analytics, comments, ratings, forms, shop orders, media, sessions, and backups.

Source: PRIVACY_AND_DATA.md

DesertCMS is local-first. The CMS stores site data in SQLite and generated public files on the server. It does not require CDN-hosted scripts, remote fonts, or external analytics.

This page is product documentation, not legal advice. Before launch, create a public Privacy Policy page that matches your actual deployment, jurisdiction, and third-party services.

Analytics

When analytics are enabled, DesertCMS records page-view events in the local database:

  • path
  • referrer
  • timestamp
  • HMAC-hashed IP
  • HMAC-hashed user agent
  • raw IP address when analytics_store_raw_ip = 1
  • country code, country, region, and city after local GeoIP lookup

GeoIP lookup uses local range data. Runtime page-view collection does not send visitor IP addresses to a geolocation API.

Search Engine Submission

Site Settings can connect a Google account for Search Console sitemap submission and can submit sitemap URLs through IndexNow. These actions send public URLs and sitemap locations to search-engine services. They do not send DesertCMS analytics events, visitor IP logs, comments, form submissions, shop orders, private originals, or unpublished content.

Google OAuth tokens and IndexNow keys are stored in the local settings table. Treat the database and backups as sensitive.

Comments

Public comments store:

  • display name
  • comment body
  • post id
  • optional parent comment id
  • HMAC-hashed browser token
  • HMAC-hashed IP
  • HMAC-hashed user agent
  • timestamps

The browser token supports reply notifications and rate limiting. Admin deletion removes the comment row from public and admin views.

Ratings

Post ratings store one star value from 1 to 5 for each combination of post and visitor IP hash. Re-voting from the same IP hash updates the existing rating.
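The following sketch shows one way the rating rule above can be enforced with an HMAC-hashed IP and a SQLite upsert. It is an added example, not DesertCMS code. The key matters because the IPv4 address space is small enough that an unkeyed hash could be reversed by enumeration. The table layout, column names, key value, and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for this example; the real secret and where it is
# stored are not described on this page.
EXAMPLE_KEY = b"constructed-example-key-not-a-real-secret"


def hash_ip(ip: str, key: bytes = EXAMPLE_KEY) -> str:
    """Return the keyed hash of an IP address (HMAC-SHA256, hex)."""
    return hmac.new(key, ip.encode("utf-8"), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with a hypothetical ratings table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE ratings (
               post_id    INTEGER NOT NULL,
               ip_hash    TEXT    NOT NULL,
               stars      INTEGER NOT NULL CHECK (stars BETWEEN 1 AND 5),
               updated_at TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP,
               PRIMARY KEY (post_id, ip_hash)
           )"""
    )
    return db


def rate(db: sqlite3.Connection, post_id: int, ip: str, stars: int) -> None:
    """Insert or update the single rating for (post, visitor IP hash)."""
    if not isinstance(stars, int) or not 1 <= stars <= 5:
        raise ValueError("stars must be an integer from 1 to 5")
    db.execute(
        """INSERT INTO ratings (post_id, ip_hash, stars) VALUES (?, ?, ?)
           ON CONFLICT (post_id, ip_hash)
           DO UPDATE SET stars = excluded.stars, updated_at = CURRENT_TIMESTAMP""",
        (post_id, hash_ip(ip), stars),
    )
    db.commit()


def ratings_for(db: sqlite3.Connection, post_id: int) -> list:
    """Return (ip_hash, stars) rows for a post; the raw IP is never stored."""
    rows = db.execute(
        "SELECT ip_hash, stars FROM ratings WHERE post_id = ? ORDER BY ip_hash",
        (post_id,),
    )
    return rows.fetchall()
```

The primary key on (post_id, ip_hash) is what turns a re-vote into an update, and visitors who share one IP address share one rating per post.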

Forms

The Forms module stores submissions locally:

  • name
  • email
  • subject
  • message
  • status
  • HMAC-hashed IP
  • HMAC-hashed user agent
  • timestamps

Review form retention before launch and periodically archive or delete old submissions according to your policy.

Shop Orders

The Shop module uses Stripe Checkout. DesertCMS stores local order records:

  • listing id
  • media asset id
  • rights type
  • order status
  • currency and amount
  • customer email and name when provided by Stripe
  • Stripe Checkout session id
  • Stripe payment intent id
  • Stripe webhook event id
  • timestamps

Stripe is the payment processor. Do not store card numbers in DesertCMS.

Media

Original image uploads are stored privately outside the public webroot. Public pages and shop listings use generated display derivatives.

Media records include owner and uploader context so admins can identify whether a photograph belongs to the main deployment or a contributor site.

Sessions And Admin Accounts

Admin sessions use random tokens stored as SHA-256 hashes. Passwords use PBKDF2-HMAC-SHA256 with a per-password salt. DesertCMS is single-admin by design; reset-admin is the recovery path.

Backups

Backups may include the SQLite database, private originals, editable themes, and metadata. Treat backup archives as sensitive because they can contain unpublished content, private image originals, comments, form submissions, analytics, and shop order data.

Public Privacy Policy Checklist

A launch Privacy Policy should cover:

  • what analytics are collected
  • whether Search Console or IndexNow submission is enabled
  • whether raw IP storage is enabled
  • how GeoIP lookup works
  • comments and reply notifications
  • post ratings tied to IP hashes
  • form submission storage and retention
  • Stripe Checkout and Stripe's separate processing role
  • cookies used for admin sessions and public theme preference
  • how users can request removal or correction
  • how long backups and logs are retained