Privacy Policy
Last updated: May 18, 2026
This policy explains what data YourDevTools collects, why we collect it, who we share it with, and the choices you have. We tried to keep it plain English. If anything is unclear, write to contact@yourdevtools.pro.
1. Data Controller
The data controller for personal data processed through YourDevTools is:
[ADMINISTRATOR_NAME] [ADMINISTRATOR_ADDRESS] Poland Contact: contact@yourdevtools.pro
We do not appoint a separate Data Protection Officer (DPO) because the scope and risk of processing do not require one under GDPR Article 37. You can always reach the controller directly at the email above.
2. Service Architecture
YourDevTools is a catalogue of 300+ developer and everyday utilities. The site is built so that, whenever possible, your input never leaves your device. This is not a marketing claim, it is a technical property of how each tool is written.
There are two kinds of tools on the site:
- Client-side tools. All processing happens in your browser. Your input (passwords, JWT tokens, files for QR or image tools, BIP-39 seed words, AES plaintext, regex tests, JSON to format, CSS to generate, calculator inputs, color values, etc.) is read, transformed and displayed entirely by JavaScript running on your machine. Nothing about that input is sent to our server. We could not see it even if we wanted to.
- Server-side tools. A smaller set of tools needs a server because the work cannot be done in a browser without leaking your IP or breaking the same-origin policy. These include DNS lookup, WHOIS, SSL certificate inspector, OG preview, favicon-pack fetcher, AI text detector, PDF text extraction, image OCR, file conversions handled by a worker, NTP drift check, robots/sitemap validator, HTTP request tester, email DNS checker, and the llms.txt validator. For these tools, your input is processed in memory and discarded as soon as the response is returned. We do not write tool input to disk and we do not keep request logs that include it.
Two tools store data on purpose because that is their job:
- Webhook receiver and Mock API generator persist the endpoints and payloads you create so you can hit them later. Each endpoint is bound to a one-time owner token shown to you on creation. Storage is kept for 24 hours of sliding access, meaning the timer resets every time you use the endpoint and the data is automatically deleted 24 hours after the last access.
3. Data We Collect
3.1 Browsing data
When you visit a page we record, at minimum:
- the URL path of the page (no query string content)
- your chosen locale
- a coarse `browser_lang` derived from the `Accept-Language` header
- the referring URL, if any
- a coarse country code from CDN headers (e.g. `PL`, `DE`, `US`)
This data flows through two paths:
- Umami (privacy-friendly, cookieless, self-hosted) keeps aggregate page-view counters. It does not set cookies and does not fingerprint your device.
- An internal events warehouse stores one JSON line per page view in daily-rotated files. We use these to spot broken tools and decide which utilities to build next.
3.2 Visitor identifier
To count unique visitors per day without storing your IP address, every event is tagged with a 128-bit visitor hash. The hash is produced by HMAC-SHA-256 over your IP, user-agent and a daily-rotated server-side secret. The secret rotates every 24 hours, so historical hashes cannot be linked back to your IP, and yesterday's hash cannot be cross-referenced with today's hash. The hash is one-way and not reversible to your IP.
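A sketch of the visitor-hash scheme described above, as an added example for Node.js; it is not YourDevTools' own code. The field encoding, the truncation to the first 16 bytes of the MAC, and the `DailySecret` and `tagEvent` names are assumptions.

```javascript
const crypto = require('node:crypto');

// Length-prefix every field so ("1.2.3.4", "5x") and ("1.2.3.45", "x")
// cannot produce the same MAC input by plain concatenation.
function encodeFields(fields) {
  return Buffer.concat(fields.flatMap((field) => {
    const body = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return [len, body];
  }));
}

// HMAC-SHA-256 keyed with the daily secret. Assumption: "128-bit" means
// the first 16 bytes of the 32-byte MAC.
function visitorHash(secret, ip, userAgent) {
  const mac = crypto.createHmac('sha256', secret)
    .update(encodeFields([ip, userAgent]))
    .digest();
  return mac.subarray(0, 16).toString('hex');
}

// Hypothetical key holder: one random secret per UTC day, memory only.
class DailySecret {
  constructor() { this.day = null; this.secret = null; }
  get(now) {
    const day = now.toISOString().slice(0, 10);
    if (day !== this.day) {
      this.day = day;
      this.secret = crypto.randomBytes(32); // previous secret is overwritten
    }
    return this.secret;
  }
}

// Build the stored record: the hash goes in, the IP and user-agent do not.
function tagEvent(keys, path, ip, userAgent, now) {
  return { path, day: now.toISOString().slice(0, 10),
           visitor: visitorHash(keys.get(now), ip, userAgent) };
}
```

While a day's secret still exists, whoever holds it can recompute the hash for any candidate IP and user-agent, so the unlinkability depends on the old secret actually being discarded at rotation.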
3.3 Tool inputs (server-side tools only)
When you use one of the server-side tools listed in section 2, your input is sent to our server, processed in memory, and the result is returned. The input is not written to disk and is not kept in request logs that we can read.
3.4 User-created endpoints
The Webhook receiver and Mock API generator persist whatever payloads you push to the endpoint you created, for up to 24 hours of inactivity. You can also delete them yourself at any time by visiting the endpoint with its owner token.
3.5 Cookies and local storage
A small number of cookies and localStorage entries are described in detail in section 6.
3.6 Error reports
When something throws an unexpected error, we forward a stack trace to Sentry so we can fix it. Before the report leaves your browser, a PII scrubber strips anything that looks like a JWT, an email address, a Bearer token, or a long hex hash from the payload. We never attach your tool input to the error report.
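One way such a scrubber can work, as an added example rather than the site's actual code. The patterns, the placeholder labels, the 32-character threshold for a "long" hex hash, and the `scrub` name are assumptions; the event object is constructed sample data.

```javascript
// Rules run in order: Bearer first, so "Bearer <jwt>" is removed as one unit.
const RULES = [
  ['[bearer]', /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/gi],
  // A JWT header is base64url of '{"...', which always begins with "eyJ".
  ['[jwt]', /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g],
  ['[email]', /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  // Assumption: "long" means 32+ hex characters (MD5 length and above).
  ['[hex]', /\b[0-9a-fA-F]{32,}\b/g],
];

function scrubString(text) {
  return RULES.reduce((out, [label, pattern]) => out.replace(pattern, label), text);
}

// Walk the whole report: strings are scrubbed, containers are rebuilt,
// numbers/booleans/null pass through. Object keys are left untouched.
function scrub(value) {
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([key, inner]) => [key, scrub(inner)]));
  }
  return value;
}

// Constructed sample report (not real data).
const sampleEvent = {
  message: 'verify failed for token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln',
  breadcrumbs: [
    { data: { header: 'Authorization: Bearer abc123.def456', status: 401 } },
    { data: { note: 'mail to alice@example.com bounced' } },
  ],
  extra: { digest: 'a'.repeat(40), short: 'deadbeef' },
};
```

In a Sentry browser SDK setup this kind of function is typically called from the `beforeSend` hook, which runs before the event is transmitted.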
4. Data We Do NOT Collect
To be explicit, the following data is never collected, transmitted or stored by YourDevTools:
- Tool input to client-side tools. Passwords from the password generator, JWTs from the JWT verifier, files dropped into image or PDF tools, AES plaintext, BIP-39 seeds, regex patterns and test strings, JSON snippets, CSS values, color pickers, calculator inputs - all of this stays on your machine. Open the browser DevTools Network tab on any client-side tool and you will see zero outbound requests carrying your input.
- Your name, postal address, phone number, date of birth or any other identity field. We do not have any form on the site that would ask for it.
- Payment data. Nothing on YourDevTools is paid.
- Special-category data under GDPR Article 9 (health, biometrics, political opinions, religion, sexual orientation, etc.). We do not have fields for this and we do not infer it.
- Device fingerprints beyond the salted visitor hash described in section 3.2. We do not run canvas fingerprinting, font enumeration, WebGL fingerprinting or any equivalent technique.
5. Legal Basis (GDPR Article 6)
We rely on the following legal bases:
- Article 6(1)(f) - legitimate interest: aggregate Umami analytics, the internal events warehouse, abuse prevention and rate-limit buckets. Our legitimate interest is keeping a free site online, improving it, and preventing abuse. The processing is minimal, identifiers are short-lived and you can object at any time (see section 11).
- Article 6(1)(b) - performance of a contract: the Webhook receiver and Mock API generator. When you create an endpoint, you ask us to keep your payloads for 24 hours; storing them is necessary to deliver that service.
- Article 6(1)(a) - consent: Google Analytics 4 and Google AdSense (when enabled). Neither is loaded until you grant consent in the cookie banner, and you can withdraw consent at any time.
6. Cookies and Local Storage
Browsers do not draw a clean line between cookies and localStorage. We list everything here regardless of mechanism.
6.1 Strictly necessary
- Theme preference (`localStorage`, key `theme`). Saves whether you picked light or dark mode. No legal basis required, this is purely a UI preference set by you.
- Klaro consent record (`localStorage`, key `klaro`). Remembers your cookie choices for 1 year. Required so the banner does not nag you on every page.
- Locale routing. Next.js may set a short-lived locale cookie to keep you on the language you picked. Strictly necessary for the site to work.
6.2 Analytics (consent-gated)
- Google Analytics 4 (`_ga`, `_ga_*`). Set only if you accept analytics cookies. Lifetime up to 13 months. Used to measure aggregate traffic.
6.3 Marketing (consent-gated, planned)
- Google AdSense. May set cookies when ads are enabled on the site. Set only if you accept marketing cookies. Currently disabled.
6.4 Cookieless
- Umami is fully cookieless. It uses no cookies and no `localStorage`. Under Recital 30 of the ePrivacy Directive this does not require consent. It is on by default.
You can change your choices at any time using the "Manage cookies" link in the footer.
7. Processors and Third Parties
We use the following processors. Each one is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards.
- Vercel Inc. - hosting and edge networking. Our servers run in the European Union region.
- Google LLC - Google Analytics 4 and Google AdSense, loaded only after you grant consent.
- Sentry GmbH (Functional Software Inc.) - error tracking, with the PII scrubber described in section 3.6.
- jsDelivr CDN - delivers a small worker script for the PDF tools (pdf.js). No cookies, no user data sent in the request body.
- HaveIBeenPwned - the password-pwned tool sends only the first 5 hexadecimal characters of the SHA-1 hash of your password (k-anonymity). The full hash and the password itself never leave your browser.
If our processor list changes materially, we update this section and bump the date at the top of the page.
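The k-anonymity lookup described for the password-pwned tool, as an added Node.js example that is not the site's own code. The range response format (`SUFFIX:COUNT` lines) follows the public Pwned Passwords range API; the stand-in server, its counts and all function names are constructed for illustration so the example runs offline.

```javascript
const crypto = require('node:crypto');

// SHA-1 the password locally and split it: 5 hex chars to send, 35 to keep.
function splitHash(password) {
  const hex = crypto.createHash('sha1').update(password, 'utf8')
    .digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The response lists every known suffix under the prefix as "SUFFIX:COUNT".
// The match against our own suffix happens locally.
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// fetchRange is injected so the only value crossing the boundary is visible.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return countInRange(fetchRange(prefix), suffix);
}

// Constructed stand-in for the range endpoint; records what it was sent.
function makeConstructedRangeServer(knownPasswords) {
  const seen = [];
  const fetchRange = (prefix) => {
    seen.push(prefix);
    const lines = ['0'.repeat(34) + 'A:3']; // constructed filler entry
    for (const [password, count] of knownPasswords) {
      const hash = splitHash(password);
      if (hash.prefix === prefix) lines.push(`${hash.suffix}:${count}`);
    }
    return lines.join('\r\n');
  };
  return { fetchRange, seen };
}
```

The server learns only which 5-character bucket was queried, and each bucket is shared by every password whose SHA-1 begins with those characters.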
8. Transfers Outside the EEA
Google LLC is established in the United States. When you grant consent and GA4 or AdSense loads, some data is processed in the US. Google transfers data under the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). You can review Google's commitments at policies.google.com/privacy/frameworks.
All other processing happens on EU-located servers (Vercel EU region, NL).
9. Data Retention
| Data type | Retention |
|---|---|
| Aggregate Umami counters | 2 years |
| Events warehouse (JSONL files) | 90 days rolling |
| Daily visitor hash | the salt rotates every 24 hours, so linkability is broken after that |
| Webhook receiver and Mock API endpoints | 24-hour sliding TTL from last access |
| Sentry error reports | 90 days |
| Rate-limit buckets | in-memory only; lost on server restart |
When the retention period expires, the data is deleted automatically.
10. Data Security
We take security seriously. Measures we have in place include:
- HTTPS only with HSTS (production)
- Content-Security-Policy with per-request nonces and `strict-dynamic`
- SSRF guard on every outbound fetch from server-side tools (`safe-fetch.ts`)
- DOMPurify on every snippet that uses `dangerouslySetInnerHTML`
- PBKDF2 at 600,000 iterations for the in-browser AES tool
- JWT and DKIM keypairs generated client-side - private keys never travel over the network
- Web Crypto API used for every cryptographic primitive
- CSRF / Origin guard on state-changing POST requests
- Sentry PII scrubber that strips JWTs, emails, Bearer tokens and long hashes before reports leave the browser
No system is perfectly secure. If you find a vulnerability, write to contact@yourdevtools.pro and we will acknowledge within 72 hours.
11. Your Rights Under GDPR
Articles 15 to 22 of the GDPR give you the following rights regarding personal data we hold about you:
- Article 15 - access: you can ask us what we have on you.
- Article 16 - rectification: you can correct it.
- Article 17 - erasure ("right to be forgotten"): you can ask us to delete it. For the warehouse this means we run a purge for your daily visitor hash range. For local storage this is faster: clear the YourDevTools entries in your browser's site data.
- Article 18 - restriction of processing: you can tell us to keep the data but stop processing it.
- Article 20 - portability: you can ask for a machine-readable copy.
- Article 21 - objection: you can object to processing based on legitimate interest (section 5). On objection we stop processing unless we have compelling overriding grounds.
- Article 7(3) - withdrawal of consent: for anything where consent is the legal basis (GA4, AdSense), you can withdraw at any time using the "Manage cookies" link in the footer. Withdrawing consent does not affect lawful processing that already happened.
To exercise any right, write to contact@yourdevtools.pro. We respond within 30 days (one month) as required by Article 12.
You also have the right to lodge a complaint with a supervisory authority. The Polish supervisory authority is:
Prezes Urzędu Ochrony Danych Osobowych (UODO) ul. Stawki 2 00-193 Warszawa, Poland uodo.gov.pl
12. Children's Privacy
YourDevTools is a general-audience developer site and is not directed at users under 16. We do not knowingly collect data from children. If you believe a child has used the site in a way that left identifiable data with us, write to contact@yourdevtools.pro and we will delete it.
13. Changes to this Policy
We update this policy from time to time. The "Last updated" date at the top of the page reflects the latest revision. If the change is material (new processor, new category of data, change of legal basis), we display a banner on the site for at least 14 days after the change takes effect.
14. Contact
For any privacy question, to exercise your GDPR rights, or to report abuse (e.g. an illegal mock endpoint hosted on the site), write to contact@yourdevtools.pro.