Privacy Policy
Last updated: April 2026
Our Commitment to Privacy
Agorist.Market is committed to respecting your privacy. As agorists, we believe in minimal data collection and maximum personal freedom. This policy explains what little information we collect, how we handle it, and what we deliberately do not do. Every claim on this page is verifiable — open your browser's developer tools and check.
One Cookie. Zero Trackers.
The core of our privacy story is short: we use one cookie, set only after you log in, and we run zero third-party tracking scripts. There is no Google Analytics, no Facebook pixel, no Cloudflare beacon, no ad networks, no fingerprinting libraries, no behavioral analytics SDK — none of it.
Anonymous Browsing
If you are not logged in, we set no cookies at all. You can browse every listing, search, read articles, watch embedded videos, and explore the entire site with the same cookie footprint as a static HTML file: nothing. Open browser dev tools → Application → Cookies on agoristmarket.com — if you have not logged in, the list is empty.
The Session Cookie
When you sign in with a magic link to manage your listing, we set a single session cookie called PHPSESSID so the server knows it is you on subsequent requests. That is its only purpose. It is configured with the strictest settings the web supports:
- Secure — only sent over HTTPS, never plaintext
- HttpOnly — JavaScript cannot read it (so injected scripts cannot steal your session)
- SameSite=Lax — not sent on cross-site POST requests, blocking common cross-site attacks
- 24-hour lifetime — automatically expires, no "remember me forever"
That is the entire cookie story. There is no second cookie, no preference cookie, no analytics ID, no tracking pixel.
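The cookie claims above can be checked mechanically against the Set-Cookie headers a response carries. The following is an added example, not Agorist.Market's own code: the sample headers are constructed, and it assumes the 24-hour lifetime is expressed as a Max-Age attribute.

```python
MAX_LIFETIME = 24 * 60 * 60      # seconds; lifetime stated in the policy
EXPECTED_NAME = "PHPSESSID"      # cookie name stated in the policy

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(set_cookie_headers, logged_in):
    """Return deviations from the policy; an empty list means it holds."""
    names = [parse_set_cookie(h)[0] for h in set_cookie_headers]
    if not logged_in:
        # Anonymous browsing: the policy says no cookie is set at all.
        return [f"anonymous response set cookie: {n}" for n in names]
    findings = []
    if names != [EXPECTED_NAME]:
        findings.append(f"expected only {EXPECTED_NAME}, got {names}")
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() != "lax":
            findings.append(f"{name}: SameSite is not Lax")
        max_age = attrs.get("max-age", "")
        if not max_age.isdigit():  # assumption: lifetime is sent as Max-Age
            findings.append(f"{name}: no Max-Age, lifetime not verifiable here")
        elif int(max_age) > MAX_LIFETIME:
            findings.append(f"{name}: lifetime exceeds 24 hours")
    return findings

# Constructed sample headers (not captured from the site).
GOOD = ["PHPSESSID=constructedvalue; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax"]
BAD = ["PHPSESSID=constructedvalue; Path=/; Max-Age=2592000; HttpOnly",
       "_track=constructed; Path=/"]

if __name__ == "__main__":
    print("good:", audit(GOOD, True) or "matches policy")
    print("bad:", audit(BAD, True))
    print("anonymous:", audit(BAD[1:], False))
```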
Authentication Without Passwords
We use magic-link authentication. When you log in, we email you a one-time link that expires in 15 minutes. Click it, and you are logged in. There is no password to remember, no password to be stolen in a future breach, no password reuse risk between sites.
Login tokens are stored as SHA-256 hashes, not plaintext. Login attempt records use hashed email addresses, not the raw email — so a leaked attempt log cannot enumerate user accounts.
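A sketch of how hashed token storage of this kind can work, as an added example that is not Agorist.Market's own code. The class, its in-memory storage, and the server-side key are hypothetical; the page does not say whether the email hash is keyed, and this example assumes a keyed HMAC-SHA-256 for the attempt log.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60                   # link lifetime stated in the policy (seconds)
LOG_KEY = secrets.token_bytes(32)     # assumption: server-side key for log hashing

class MagicLinkStore:
    """Hypothetical in-memory stand-in for the server's token storage."""

    def __init__(self):
        self.tokens = {}              # sha256(token) hex -> (email, expires_at)
        self.attempt_log = []         # (timestamp, keyed hash of email)

    @staticmethod
    def hash_email(email):
        normalized = email.strip().lower().encode()
        return hmac.new(LOG_KEY, normalized, hashlib.sha256).hexdigest()

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)        # 256 random bits for the emailed link
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        self.attempt_log.append((now, self.hash_email(email)))
        return token                             # the plaintext token is never stored

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.tokens.pop(digest, None)   # pop() makes the link one-time
        if record is None:
            return None                          # unknown or already used
        email, expires_at = record
        return email if now <= expires_at else None

if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("user@example.com", now=0)   # constructed address
    print(store.redeem(link_token, now=60))               # within 15 minutes
    print(store.redeem(link_token, now=61))               # second use is refused
```

Because the stored value is a hash of a high-entropy random token, a copy of the token table does not yield a usable login link.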
Information We Collect
Business Listings
When you submit a business listing, we collect only the information you provide:
- Business name
- Description of products and services
- Contact information (website, email, social handles — only what you choose to share)
- Location (as precise or as vague as you want — country only is fine)
- Shipping information
- Accepted payment methods
- Optional images
This information is displayed publicly on the site as part of your listing. Email addresses on listings are obfuscated (base64 + click-to-reveal) so scraping bots cannot harvest them. We do not store any additional personal information about business owners beyond what you put in your listing.
User Accounts
If you create an account to manage your own listings, we store: your email address (so we can send magic links), your chosen display name, your listings, your reviews, and any social or domain verifications you have completed. This is the minimum needed to operate an account-based directory.
Email Newsletter
If you subscribe to our email updates, we collect only your email address. We deliberately do not store the IP address you signed up from. We use the address solely to send you information about new listings, events, and counter-economy news. We do not share it with third parties. Every email contains a one-click unsubscribe link.
Server Logs
Like every web server, ours logs basic access information: IP address, requested URL, browser user agent, response code, response time. These logs are used for security (rate limiting, abuse detection) and operational diagnostics. They are not analyzed for marketing or behavioral profiling, and they are never shared with third parties. If you want zero IP exposure, browse over Tor — the entire site works without JavaScript.
Payments
We use Prompt.cash for Bitcoin Cash payments on hosting and advertising upgrades. Payments are non-custodial and go directly to our wallet — Prompt.cash never holds your funds. We store the order ID, amount, and a truncated form of the payment address (first 8 + last 4 characters) for accounting. We do not store full BCH addresses, real names, billing addresses, or any other identifying payment metadata.
Information We Do NOT Collect or Use
- No tracking cookies, ever
- No Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Segment, or any other analytics service
- No advertising network code, no retargeting pixels
- No browser fingerprinting libraries
- No third-party JavaScript at all (the only scripts loaded come from agoristmarket.com itself)
- No social-media share buttons that phone home (we link to social platforms, but no embedded widgets)
- No payment information stored locally (BCH payments are non-custodial via Prompt.cash)
- No requirement to create an account to browse — accounts only exist if you want to manage a listing
- No data sold or shared with third parties, ever
- No "necessary cookies vs analytics cookies" consent theater — there is nothing to consent to
Security Measures
We take the security of any information we do hold seriously:
- HTTPS everywhere with HSTS — your browser refuses to connect over plain HTTP
- Content-Security-Policy blocks loading of unauthorized scripts, plugins, frames, and workers
- Cross-origin isolation via COOP — protects against cross-window attacks
- CSRF tokens on every form submission
- Rate limiting on signups, logins, searches, and contact forms
- Per-record file storage with optimistic locking — no shared database that can leak everyone's data in one breach
- Email obfuscation on public listings to defeat scrapers
- Image upload validation by content type, not extension
No system is 100% secure, and we do not pretend otherwise. If you have a particularly sensitive threat model, consider browsing over Tor and using a throwaway email for any account interactions.
Third-Party Links and Embeds
Listings frequently link to external sites (business websites, social profiles, payment processors, video embeds). Embedded videos from YouTube, Rumble, Odysee, Vimeo, BitChute, Spotify, Bandcamp, and SoundCloud may set their own cookies and run their own scripts only if you actually play the embed. We are not responsible for the privacy practices of these external services. If you want to avoid their tracking, do not interact with the embedded players.
We do not control external advertiser sites linked from our directory. Reviewing their privacy policies before transacting is a good idea.
Your Rights
You have the right to:
- Browse the site completely anonymously, with no cookies or account required
- Request removal of your business listing at any time
- Export all data we hold about your account (Pro feature)
- Unsubscribe from our email list with one click
- Contact us with any privacy questions or concerns
Contact Us
If you have any questions about this privacy policy or our practices, please use our contact form.
Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date.