Privacy Policy
Last updated: July 2026
The short version
We do not want your tool data. For browser-based tools on XpressDevTools, the content you paste, type, drop, or generate is designed to remain in your browser and is not intentionally uploaded to or retained by us.
Limited technical requests required to operate, secure, measure, and improve the website may still occur. The main exceptions are the Feedback form, where you choose to send us a message, and the What's My IP tool, which must ask our server what IP address your request arrived from. Both are described below.
Tools that run in your browser
For every tool except the Feedback form and What's My IP, processing is designed to happen locally in your browser. Inputs, outputs, and intermediate state are not intentionally uploaded to our server.
This includes JSON, YAML, CSV input, JWTs, certificates, keys, regex patterns, file hashes, encoded or decoded text, and other content you paste, drop, type, or generate through the tools.
Standard web infrastructure may still process limited technical information needed to deliver the site, protect it from abuse, troubleshoot issues, provide advertising where enabled, and measure site performance.
The Feedback form
When you click Send in the Feedback dialog, we transmit the following to our server:
- Your name, email address, subject, and message — exactly as you typed them.
-
Your IP address, read from headers such as
CF-Connecting-IP,X-Forwarded-For, or the connection itself. This is used for spam protection, rate limiting, Cloudflare Turnstile validation, and optional country lookup. -
A country code derived from your IP via Cloudflare's
CF-IPCountryheader or, if absent, an ipstack lookup. Country is recorded on the email itself so we can prioritize responses and detect abuse patterns.
The message is delivered to a real inbox by email. We do not persist it in a database. Feedback emails older than 90 days are deleted from the inbox as a matter of standard hygiene. If you would like yours deleted sooner, send another feedback message asking us to delete it.
The What's My IP tool
By design, this tool displays the public IP address and country that our edge/server sees for your request. We read that IP server-side from the same headers described above and return it to your browser.
We do not intentionally retain or associate the IP address returned by this tool with your activity beyond normal short-term server logging required to operate, troubleshoot, and secure the Service.
The remainder of the report, including browser, locale, timezone, screen size, and similar information, is collected client-side and remains in your tab unless you explicitly copy, export, download, or submit it somewhere yourself.
Server logs
Like most web servers, ours may record standard access logs, including timestamp, request path, status code, response size, user-agent, referrer, and source IP address.
These logs are kept for up to 14 days for abuse prevention, security monitoring, operational debugging, and service reliability, then rotated out.
Analytics
We may use lightweight analytics to understand which tools are popular, how the site performs, and where improvements are needed. Analytics events are not intended to identify you personally and are not associated with the content you process through the tools.
The text, files, tokens, keys, certificates, hashes, or other tool inputs you provide are not sent to analytics providers by us.
If we use a specific analytics provider, such as Cloudflare Analytics, Google Analytics, Plausible, Umami, or similar services, that provider may process limited technical information according to its own privacy policy.
Advertising
We may display ads through third-party advertising networks such as Google AdSense. These networks may use cookies or similar technologies to serve, measure, and personalize ads, depending on your consent choices and applicable law.
You can opt out of personalized advertising via Google Ads Settings or through your browser's tracking-protection controls.
We do not share tool input data with advertisers. Ads are placed based on page context, advertising settings, consent choices, and third-party ad network behavior — not on the content you paste into tools.
Cookies and local storage
The site uses a small number of cookies and similar browser storage mechanisms:
- Theme preference — stored in localStorage and used to remember your dark/light mode choice.
- Cookie consent — stored in localStorage and used to remember whether you accepted or rejected non-essential cookies on this site.
- Cloudflare Turnstile — used only where bot protection is required, such as the Feedback dialog.
- Advertising cookies — may be set by Google AdSense or related advertising services where present and where permitted by your consent choices and applicable law.
- Analytics cookies or identifiers — may be used by analytics services where enabled and permitted.
Non-essential cookies are only loaded after consent where required by applicable law.
You can clear cookies and local storage at any time through your browser settings. Where available, you may also reset your choices through the cookie banner or consent controls.
Third-party services
We may use third-party services and providers, including but not limited to:
- Cloudflare, including TLS, edge services, security, and Turnstile;
- Google Fonts;
- Google AdSense;
- Font Awesome;
- ipstack, for country lookup on Feedback submissions; and
- Analytics, hosting, infrastructure, or performance providers.
These services may process limited technical information according to their own privacy policies and terms.
Legal basis for processing
Where applicable under privacy laws such as GDPR, UK GDPR, or similar privacy frameworks, we process limited personal information on the following bases:
- Legitimate interests — operating the Service, protecting it from abuse, preventing spam and fraud, debugging issues, maintaining security, and improving reliability.
- Consent — where you choose to submit feedback, accept non-essential cookies, interact with advertising services, or use optional features that require additional processing.
- Legal obligations — where processing is required to comply with applicable laws, regulations, or lawful requests.
International data transfers
Some third-party providers used by the Service, such as Cloudflare, Google, ipstack, hosting providers, and infrastructure services, may process limited technical information in countries outside your own jurisdiction, including the United States.
These providers maintain their own privacy, security, and transfer safeguards. Your use of the Service may involve processing by those providers according to their own policies.
GDPR / UK GDPR / data subject rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or request a copy of personal information associated with you.
In practice, XpressDevTools stores very little identifying information: there is no account, no profile, and no database row with your name on it.
If you submitted a Feedback message, you can ask us to delete the resulting email at any time. Use the Feedback form for the contact method and include enough detail for us to locate the message.
Server logs are short-lived and normally cannot be searched by name or email address because they are not stored with that context.
Children's privacy
XpressDevTools is not directed at children under 13. We do not knowingly collect personal information from children.
Changes to this policy
We may update this policy occasionally. The current version will always be available at this URL and will include the updated effective date.
Related
Use of XpressDevTools is also governed by our Terms of Service.
Contact
Questions about this Privacy Policy?
Please use the Feedback button available in the site navigation.