Published strokes reveal where they were placed and the direction from which they were
authored. Graffiti does not require an account or retain a movement history. A random
installation identifier is stored privately with publications to make retries safe and
limit abuse; it is not included in public stroke data.
To protect publication from automated abuse, Graffiti uses Cloudflare Turnstile.
Cloudflare processes security signals including IP address, TLS fingerprint, user agent,
site key, and origin to detect and block bots and improve Turnstile. Read Cloudflare’s
Turnstile Privacy Addendum.