Your Data Stays On Your Device

ToolkitDev is architecturally different from most web-based tools. Every operation — image compression, JSON formatting, QR code generation, Base64 encoding, and all other utilities — runs entirely within your browser using standard Web Platform APIs.

The JavaScript powering each tool is delivered as static, auditable files when you first visit. After that initial load, most tools function without any further network requests. You can verify this by opening your browser's DevTools Network panel while using any tool.

We distinguish carefully between data you process through our tools and information that might be collected as a by-product of operating a website.

Tool inputs — not collected

• Files you upload or paste into tools (images, code, text, documents)
• Query strings, URLs, or meta-tag data you enter
• Passwords you test in the Password Generator
• JWT tokens, Base64 strings, or any other encoded data
• QR code content, UUIDs, or generated output values

What our infrastructure may log

Like all websites, our hosting provider's servers generate standard access logs when your browser requests page resources (HTML, CSS, JavaScript files). These logs may contain:

• Your IP address (anonymised within 24 hours per hosting provider policy)
• Browser type and version (User-Agent header)
• The URL path requested (e.g. /tools/image-compressor)
• HTTP response code and bytes transferred
• Referring page (if navigated from another site)
• Timestamp of the request

We take a deliberately minimal approach to browser storage.

What we store locally

• Theme preference (light/dark mode) — stored in localStorage under the key 'theme'. Contains only the string 'light' or 'dark'. Never transmitted to our servers.
• URL state parameters — some tools encode your current input in the page URL (e.g. ?q=...) so you can bookmark or share a specific state. This data lives only in the URL bar and is never sent to us.

What we do not use

• Session cookies for user identification
• Cross-site tracking cookies
• Fingerprinting scripts
• Persistent analytics identifiers
• Third-party social media tracking pixels

This section exists because most competing tool sites quietly upload your files to their servers for processing. We want to be unambiguous: ToolkitDev does not operate file-processing servers.

• Image Compressor — Canvas API, fully in-browser
• Image Resizer — Canvas API, fully in-browser
• Image Format Converter — Canvas API + Blob URLs, fully in-browser
• Base64 Encoder/Decoder — btoa() / atob() Web APIs
• JSON Formatter — JSON.parse() / JSON.stringify(), no network calls
• YAML ↔ JSON Converter — js-yaml library, runs locally
• JWT Decoder — atob() on each JWT segment, no verification calls
• QR Code Generator — qrcode library, canvas-rendered in-browser
• Password Generator — WebCrypto API (crypto.getRandomValues())
• UUID Generator — crypto.randomUUID(), a native browser API
• Color Converter — pure JavaScript arithmetic
• Meta Tag Generator — string templating, no HTTP requests

If you are ever uncertain, open your browser's DevTools (F12), navigate to the Network tab, and clear it before using a tool. You will observe that no XHR or Fetch requests are made to toolkitdev.com or any third-party server as a result of your tool input.

ToolkitDev displays advertisements provided by Google AdSense to keep all tools free and accessible. This is the only third party with a presence on our pages.

What Google may collect via ad units

• Your IP address, used to approximate geographic location for ad targeting
• Browsing behaviour across sites that use Google services (if you are signed in to a Google account or have personalised ads enabled)
• Browser and device characteristics used for ad fraud prevention
• Interactions with ad units (impressions, clicks)

We have no access to data collected by Google AdSense beyond aggregated, anonymised performance metrics (e.g. total page impressions). Google's data practices are governed entirely by the Google Privacy Policy (policies.google.com/privacy).

AdSense compliance

This site complies with Google AdSense programme policies. We do not encourage invalid clicks, misrepresent our content to attract traffic, or place ads on pages with content that violates Google's policies. Ad units are clearly separated from tool content and are not designed to be mistaken for tool controls.

Because we do not collect or transmit personal data or user files, our attack surface is minimal. Nonetheless, we maintain the following security practices:

• All pages served exclusively over HTTPS with TLS 1.2+ and HSTS
• Content Security Policy (CSP) headers restrict which scripts and resources may load
• No third-party JavaScript beyond the Google AdSense script
• Static site architecture — no database, no session store, no authentication surface
• Subresource Integrity (SRI) on any third-party assets where applicable
• Regular dependency audits via automated tooling (npm audit)

If you discover a security vulnerability on ToolkitDev, please report it responsibly by emailing the address in the Contact section below.

Some pages on ToolkitDev may contain links to external resources such as documentation, specifications, or related tools on other websites.

Once you leave toolkitdev.com, this Privacy Policy no longer applies. We have no control over and accept no responsibility for the privacy practices or content of external sites. We recommend reviewing the privacy policy of any external site you visit.

ToolkitDev is a general-audience developer tools site. We do not knowingly collect any personal information from children under 13 years of age (or the applicable age in your jurisdiction). Our tools process no personal data by design.

If you are a parent or guardian and believe a child has provided personal information through this site, please contact us immediately using the details in the Contact section and we will take appropriate action.

Because ToolkitDev does not collect, store, or process personal data, the majority of data-subject rights (access, rectification, erasure, portability) are satisfied by design — there is no personal data to request, correct, delete, or transfer.

Regarding infrastructure logs that may briefly contain your IP address: these are anonymised within 24 hours per our hosting provider's data-processing agreement and are not accessible at the individual-request level.

For rights related to Google's data collection via AdSense, please use Google's Data & Privacy dashboard at myaccount.google.com/data-and-privacy.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. The 'Last updated' date at the top of this page will always reflect the most recent revision.

Material changes — such as the introduction of new data collection or third-party services — will be announced via a notice on the homepage for at least 30 days before taking effect. Continued use of ToolkitDev after a change constitutes acceptance of the revised policy.

If you have questions, concerns, or requests relating to this Privacy Policy or your data, please reach out:

• Email: privacy@toolkitdev.com
• Response time: we aim to reply within 5 business days
• Security disclosures: security@toolkitdev.com (PGP key available on request)