How We Handle Your Data
Last Updated: June 16, 2026
Browser-First by Design
Every Tools-Hut tool is built to run in your browser by default — your data stays on your device. When a feature requires AI processing power (our Image Forensic Analyzer and Receipt Scanner), your file is sent securely to AWS — encrypted in transit, processed ephemerally, and never retained or stored.
1. How Each Tool Processes Your Data
Tools-Hut is browser-first by design. The table below shows exactly where processing happens for every type of tool on the platform.
| Tool / Feature | Where it runs | Your data |
|---|---|---|
| Financial calculators (SIP, EMI, Tax, SWP…) | 100% in your browser | Never leaves your device |
| Developer utilities (JSON, JWT, QR, Regex, Diff…) | 100% in your browser | Never leaves your device |
| Image Converter | Canvas API in your browser | Never leaves your device |
| Image Forensic Analyzer | AWS Rekognition (cloud scan) | File sent to AWS, processed, not retained |
| Receipt Scanner | AWS Textract (cloud scan) | File sent to AWS, processed, not retained |
| Sign-in / account (optional) | Amazon Cognito | Email stored in Cognito; JWT in memory / localStorage |
What "not retained" means
When Image Forensic Analyzer or Receipt Scanner processes your file, it is transmitted over HTTPS to the AWS API, the result is returned to your browser, and the file is discarded immediately — AWS does not store it after the API call completes. We have no copy, no log of the file contents, and no way to retrieve it after processing.
2. LocalStorage Usage
Some tools use your browser's localStorage feature to enhance your experience. Here's what you need to know:
Tools Using LocalStorage
- Theme Preferences: Remembers your light/dark mode choice
- Recent Calculations: May save recent inputs for convenience (optional)
LocalStorage guarantees:
- Data is stored only on your device
- Data is never synced to cloud or servers
- You can clear it anytime via browser settings
- Data is isolated per browser and device
- 5-10MB storage limit per site (browser-enforced)
Important: Clearing your browser data, cache, or cookies will also delete localStorage data.
3. Network Calls
Our tools make the minimum network requests possible. Here is the complete list:
All visitors (no account)
- Page load: HTML, CSS, JavaScript, and fonts from CloudFront
- CDN libraries: Font Awesome, FileSaver.js from trusted CDNs
- Google Analytics: Anonymous page views and device type — no tool inputs
- AI tool uploads (if used): File sent to our API Gateway → AWS Rekognition or Textract — encrypted in transit, result returned, file discarded
When you sign in (optional)
If you create a free account, these additional calls are made:
- Cognito token exchange:
https://cognito-idp.us-east-1.amazonaws.com/— exchanges your credentials for a short-lived JWT (60-minute lifetime) - Silent token refresh: Same endpoint — refresh token used to renew your JWT without re-entering your password
- Profile API:
https://api.tools-hut.com/account— loads/saves your display name, tier, and preferences - Google OAuth (if used):
https://accounts.google.com/→ Cognito hosted UI → redirects back with tokens
Signing out revokes all active tokens globally. Your JWT is held in JavaScript memory only — never written to a cookie.
Verify It Yourself
- Open Developer Tools (F12 or Ctrl+Shift+I)
- Go to the "Network" tab
- Use any browser-side tool and input your data
- Observe: no POST/PUT requests containing your tool input
For AI tools, you will see a single POST to our API endpoint — that is the file upload described above. Everything else stays local.
4. Account & Authentication Data
Creating a Tools-Hut account is always optional. All 25 tools work without signing in. When you do create an account, here is exactly what we collect and why.
What we collect
| Data | Where stored | Why | Retention |
|---|---|---|---|
| Email address | Amazon Cognito (encrypted at rest) | Account identity and email verification | Until account deletion |
| Display name | DynamoDB (encrypted at rest) | Personalisation only — defaults to email prefix | Until account deletion |
| Subscription tier | DynamoDB & Cognito user attribute | Feature entitlement (free / plus / pro) | Until account deletion |
| Stripe customer ID | DynamoDB | Links account to payment processor — paid plans only. We never store card numbers. | Until account deletion |
| Sign-in event log | DynamoDB (TTL: 90 days) | Security audit and fraud detection. IP stored as a one-way SHA-256 hash — the raw address is never recorded. | 90 days (automatic deletion) |
| Preferences | DynamoDB | Cross-device settings sync (currency, date format) | Until account deletion |
What we do NOT collect
- Tool inputs — images, documents, and text you paste never reach our servers (processed in-browser)
- Your password — handled entirely by Amazon Cognito; we never see it
- Payment card details — handled entirely by Stripe; we never see them
- Raw IP addresses — sign-in events store a one-way SHA-256 hash only
Access token security
Your JWT access token (60-minute lifetime) is held in JavaScript memory only — it is never written to localStorage or a cookie. The refresh token is stored in localStorage under the key th_rt. Signing out from the Account page revokes all active sessions globally.
Always Optional
All 25 tools remain fully functional without an account. Sign-in only unlocks higher cloud scan limits and cross-device sync.
Full Deletion
Delete your account from the Account page at any time. All profile data, sync history, and the Stripe subscription are removed immediately.
Encrypted at Rest
All DynamoDB tables and Cognito User Pool data are encrypted at rest using AWS-managed KMS keys.
In-Transit Encryption
All API calls use TLS 1.2+. CloudFront enforces HTTPS-only — HTTP redirects automatically.
5. Feedback Form Data
Our Feedback & Wishlist form is live. When you submit feedback:
- Voluntary Submission: You choose what to share — no account required
- Minimal Required Fields: Only feedback text is required
- Optional Contact Info: Email/name only if you want a response
- Secure Storage: Encrypted database with access controls
- Purpose-Limited Use: Only for improving Tools-Hut services
- Retention Period: Deleted after 2 years unless action is pending
- Spam Protection: Google reCAPTCHA v3 runs invisibly to prevent abuse (see Section 6)
6. Third-Party Services
Tools-Hut uses the following trusted third-party services. Your tool input data (images, documents, text) is never shared with analytics or advertising services.
| Service | Purpose | Data Shared |
|---|---|---|
| Google Analytics 4 | Anonymous usage statistics | Page views, device type, location (city-level). No tool inputs. |
| Amazon CloudFront & S3 | Website hosting and CDN delivery | Standard server logs (IP, timestamp, page accessed). Retained per AWS default policy. |
| Amazon Cognito | User authentication and identity | Email address and hashed password (bcrypt). Required only if you create an account. |
| Stripe | Payment processing for Plus & Pro plans | Email, payment card (never stored by us — Stripe handles PCI compliance). Required only for paid plans. |
| AWS Rekognition | Image forensic analysis (cloud scan feature) | Image files sent for analysis — processed ephemerally, not stored by AWS after the API call completes. |
| AWS Textract | Receipt OCR scanning (cloud scan feature) | Receipt images sent for text extraction — processed ephemerally, not stored after the call. |
| Google reCAPTCHA v3 | Spam protection on the feedback form | Device/browser info, interaction patterns (see below). |
| CDN (jsDelivr / Google Fonts) | Fast library and font delivery | Your IP address (standard for all CDN requests). |
Google reCAPTCHA
Our feedback form is protected by Google reCAPTCHA v3, which analyzes interactions to prevent spam and abuse. reCAPTCHA may collect:
- IP address
- Browser and device information
- Mouse movements and interaction patterns
- Cookies and similar tracking technologies
This data is processed by Google according to their Privacy Policy. reCAPTCHA v3 runs invisibly and does not require any user interaction.
Stripe
Stripe is PCI-DSS Level 1 certified. Payment card details are entered directly into Stripe-hosted fields and are never transmitted to or stored by Tools-Hut servers. See Stripe's Privacy Policy for details on how they handle payment data.
7. Your Rights
You have the following rights regardless of whether you have an account:
- Access (no account): All tool inputs stay in your browser — there is nothing server-side to access.
- Access (with account): View your stored profile data at any time on the Account page.
- Rectification: Update your display name and preferences from the Account page.
- Erasure (Right to be Forgotten): Delete your account and all associated cloud data permanently from the Account → Danger Zone section. This also cancels any active Stripe subscription.
- Export: Many tools offer CSV or PDF export of results. Contact us to request a structured export of your profile data.
- Opt-Out of Analytics: Block Google Analytics via browser extensions (e.g. uBlock Origin) or your browser's privacy settings.
- Portability: Email admin@tools-hut.com to request a machine-readable copy of your stored profile data.
- Question: Contact us at any time about data handling concerns — we respond within 5 business days.
For users in the EU/EEA, these rights are provided under GDPR Articles 15–20. For California residents, these rights align with the CCPA.
8. Security Measures
Even though data isn't transmitted, we implement security best practices:
- HTTPS: All pages served over encrypted connections
- Content Security Policy: Prevents cross-site scripting attacks
- No Inline Scripts: Minimizes injection risks
- Regular Updates: Dependencies kept current with security patches
- Open Source Libraries: Using widely-audited, MIT-licensed code
9. Children's Privacy
Tools-Hut is designed for general audiences:
- Account creation is optional and not targeted at or encouraged for children under 13
- No advertising or behavioural tracking beyond anonymous analytics
- Educational tools (e.g., Memory Game, Unit Converter) are kid-friendly and require no account
- We do not knowingly collect personal data from children under 13. If you believe a child has created an account, contact admin@tools-hut.com and we will delete it immediately.
10. Changes to This Page
When we make material changes to how we handle data:
- This page will be updated with a revised "Last Updated" date
- Significant changes will be announced via a homepage banner
- Signed-in users will receive an email notification for changes that affect their account data
- Anonymous, client-side tools will always remain available without an account
Last Updated: June 16, 2026
11. Contact Us
Questions about how we handle data? We're transparent and happy to explain:
- Email: admin@tools-hut.com
- Contact Form: Contact Us
- Privacy Policy: Full Privacy Policy
Our Philosophy
We built Tools-Hut because we wanted simple, privacy-respecting tools for everyday tasks. We believe your data is yours - that's why we designed every tool to run in your browser. As we grow, we'll maintain this principle: your privacy is never compromised for our convenience.