privacy-policy

Last updated: 3 July 2026

PrivacyKit is designed so that this policy can be short and true. The core idea: the tools run on your device, not on a server, so for most of what you do here there is no data for anyone to collect. This page explains that in detail, names the few tools that are exceptions, and describes the cookies that third parties may set.

Tools run in your browser

Nearly every tool on PrivacyKit is built entirely from client-side JavaScript. When you generate a password, decode a JWT, format JSON, strip EXIF data from a photo, or hash a string, the work happens inside your browser tab using your own device's processor and the Web Crypto API. Your input is not transmitted to PrivacyKit, is not logged, and is not stored anywhere. It stays in the page until you close or reload the tab, at which point it is gone. You can verify this at any time by opening your browser's developer tools and watching the Network panel while you use a tool — you will see no request carrying your data.

The tools that do make a network request

Three tools cannot do their job without contacting an outside service. Each states this on its own page, and here is exactly what each one sends:

These external services have their own privacy practices. If you would like the detail on how they handle requests, see Cloudflare's and Have I Been Pwned's respective policies.

Analytics

PrivacyKit currently runs no analytics. There is no Google Analytics, no third-party tracking script, no pixel, and no cookie set by the site itself to follow you around. The site does not build a profile of you or count you as a visitor beyond the standard server logs described below. If that ever changes, this policy will be updated first.

Advertising

Ads are not enabled at the time of writing. When advertising is switched on, PrivacyKit will use Google AdSense. Google and its partners may then use cookies — including the DoubleClick cookie — to serve ads based on your visits to this and other sites. You can read how Google uses information from sites that use its services at policies.google.com/technologies/partner-sites, and you can review or turn off personalised advertising at adssettings.google.com. If you are in the EEA, the UK or Switzerland, you will be asked for consent before any advertising or measurement cookies are set, and you can decline. None of this is active until ads are enabled.

Affiliate links

Some pages link to third-party products. When you follow one of these affiliate links, the destination site may set a cookie to attribute the visit, which is how any commission is credited. That cookie is set by the destination, not by PrivacyKit, and is governed by that company's privacy policy. Following the link is entirely optional. The affiliate disclosure has more.

Hosting and server logs

PrivacyKit is hosted and served through Cloudflare, which acts as the site's host and content delivery network. Like any web host, Cloudflare processes the standard information that every request carries — your IP address, the time of the request, the page requested, and your browser's user-agent string — in order to deliver the page and protect the site from abuse. This is ordinary request logging, handled under Cloudflare's own privacy terms; PrivacyKit does not combine it with anything else or use it to identify you.

Your data and questions

Because the site stores no personal data of its own, there is generally nothing for it to export or delete on request. If you have a question about how a particular tool handles your input, or anything else in this policy, email [email protected] and I will answer.

Changes to this policy

If the site's data practices change — most likely when ads are enabled — this page will be updated and the date at the top revised. Material changes will be reflected here before the new practice takes effect.