Privacy Policy
Effective 2026-05-12.
Summary (in plain English)
- Most tools run entirely in your browser. Files you process (PDFs, images, JSON, etc.) never leave your device unless a tool explicitly tells you it needs server processing.
- We don't sell your data. Ever.
- You don't need an account to use any tool. Sign-in is optional and gives you cross-device sync, saved presets, and shareable URLs.
- We use a few well-known third parties (Stripe for billing, Cloudflare for security, optionally Google AdSense for ads) — each is named below with what it sees.
1. What we collect
When you use a tool without an account
- Standard server logs — IP address, user-agent string, the URL you requested, and a timestamp. Kept for 30 days for security and abuse-prevention; then deleted.
- Cookies and local storage — small browser-only bits we use to remember your preferences (theme, last-used inputs, dismissed banners). See §5 below.
- Embed analytics — when one of our tools is embedded on a third-party site, we record the tool slug and the referring domain (no IP, no user-agent). This is used to understand which tools get embedded and where; you can opt the entire site out via the `TOOLENZA_EMBED_ANALYTICS=false` setting if you self-host.
When you create an account
- Email address — for account access, password reset, and (if you opt in) product updates.
- Password — stored as a one-way bcrypt hash; we never see your actual password.
- Data you save — sticky notes, saved places, shared items, todos, etc. — encrypted in transit and stored in our database.
- Optional profile fields — display name, handle, avatar (only used on shared pages you create).
When you subscribe to a paid plan
- Billing is handled by Stripe (see §3). We store only a customer ID and subscription state — never your card number.
2. What we don't collect
- The contents of files you process. PDF merge, image resize, JSON format, etc. all run in your browser. The file never reaches our servers.
- Your tool inputs. Calculator values, regex patterns, color codes, etc. are not logged.
- Cross-site tracking identifiers. We don't set tracking cookies that follow you across the web.
3. Third parties we use
| Service | What it does | What it sees |
|---|---|---|
| Stripe | Payment processing for Pro / API / Team subscriptions | Your email, billing address, and payment method (handled entirely on Stripe's side — never touches our servers) |
| Cloudflare | CDN, DDoS protection, optional Turnstile bot challenge | Your IP address and request metadata (standard CDN logs, kept by Cloudflare per their privacy policy) |
| Twilio Verify | SMS verification for accounts that opt in to phone verification | Your phone number, only when you explicitly enter it for verification |
| OpenAI | Powers AI tools (summarise, rewrite, translate, etc.) | The text you submit to AI tools, processed by OpenAI per their API data-usage policy. Not used to train their models for API requests. |
| Google AdSense (when enabled) | Ad serving — supports the free tier | Standard ad-serving data (IP, user-agent, page URL). Subject to Google's privacy policy. We do not pass identifying information to AdSense. |
| Resend / Postmark (transactional mail) | Sends password resets, receipts, reminders | Your email address and the message body |
4. Cookies and local storage
We use three categories of browser storage:
- Essential — session cookies for keeping you logged in, CSRF tokens. Cannot be disabled if you want the site to work.
- Preference — your selected theme, dismissed banners, last-used tool inputs. Stored in browser `localStorage` only; never sent to our servers.
- Advertising (when ads are enabled) — set by Google AdSense. You can opt out of personalised ads at Google's Ad Settings.
5. Your rights
If you're in the EU/UK (GDPR), California (CCPA), or any jurisdiction with similar rights, you can:
- Export all data tied to your account. Visit your account → Data → Export, or email us.
- Delete your account and all associated data. Visit your account → Data → Delete, or email us. Deletion is permanent and immediate.
- Correct any inaccurate data. Most fields are self-editable in your account; otherwise email us.
- Opt out of marketing communications via the unsubscribe link in any email.
6. Data retention
- Server logs — 30 days, then deleted.
- Account data — kept while your account is active. Deleted within 30 days of account deletion.
- Shared items (free tier) — auto-expire per the retention shown on each shared page (typically 30–90 days).
- Shared items (Pro) — kept indefinitely while your subscription is active.
- Billing records — retained per tax-law requirements (typically 7 years).
7. Security
We use industry-standard practices: TLS in transit, bcrypt for password hashing, encrypted database backups, isolated production environments, and timely security patching. No system is perfectly secure — if you believe you've found a vulnerability, please email us at support@toolenza.com with details.
8. Children
Toolenza is not directed at children under 13 (under 16 in the EU). We don't knowingly collect data from minors. If you believe a child has provided personal information, please contact us so we can delete it.
9. International transfers
Our infrastructure runs in the United States and the European Union. By using Toolenza, you consent to your data being processed in those regions, subject to the safeguards described above.
10. Changes to this policy
We'll update this page when we change our practices. Material changes will be highlighted at the top of the page and (where required) emailed to active accounts.
11. Contact
Questions about this policy? Email support@toolenza.com.