Skip to main content

How We Handle Your Data

Last Updated: June 16, 2026

Browser-First by Design

Every Tools-Hut tool is built to run in your browser by default — your data stays on your device. When a feature requires AI processing power (our Image Forensic Analyzer and Receipt Scanner), your file is sent securely to AWS — encrypted in transit, processed ephemerally, and never retained or stored.

1. How Each Tool Processes Your Data

Tools-Hut is browser-first by design. The table below shows exactly where processing happens for every type of tool on the platform.

Tool / FeatureWhere it runsYour data
Financial calculators (SIP, EMI, Tax, SWP…)100% in your browserNever leaves your device
Developer utilities (JSON, JWT, QR, Regex, Diff…)100% in your browserNever leaves your device
Image ConverterCanvas API in your browserNever leaves your device
Image Forensic AnalyzerAWS Rekognition (cloud scan)File sent to AWS, processed, not retained
Receipt ScannerAWS Textract (cloud scan)File sent to AWS, processed, not retained
Sign-in / account (optional)Amazon CognitoEmail stored in Cognito; JWT in memory / localStorage

What "not retained" means

When Image Forensic Analyzer or Receipt Scanner processes your file, it is transmitted over HTTPS to the AWS API, the result is returned to your browser, and the file is discarded immediately — AWS does not store it after the API call completes. We have no copy, no log of the file contents, and no way to retrieve it after processing.

2. LocalStorage Usage

Some tools use your browser's localStorage feature to enhance your experience. Here's what you need to know:

Tools Using LocalStorage

  • Theme Preferences: Remembers your light/dark mode choice
  • Recent Calculations: May save recent inputs for convenience (optional)

LocalStorage guarantees:

  • Data is stored only on your device
  • Data is never synced to cloud or servers
  • You can clear it anytime via browser settings
  • Data is isolated per browser and device
  • 5-10MB storage limit per site (browser-enforced)

Important: Clearing your browser data, cache, or cookies will also delete localStorage data.

3. Network Calls

Our tools make the minimum network requests possible. Here is the complete list:

All visitors (no account)

  • Page load: HTML, CSS, JavaScript, and fonts from CloudFront
  • CDN libraries: Font Awesome, FileSaver.js from trusted CDNs
  • Google Analytics: Anonymous page views and device type — no tool inputs
  • AI tool uploads (if used): File sent to our API Gateway → AWS Rekognition or Textract — encrypted in transit, result returned, file discarded

When you sign in (optional)

If you create a free account, these additional calls are made:

  • Cognito token exchange: https://cognito-idp.us-east-1.amazonaws.com/ — exchanges your credentials for a short-lived JWT (60-minute lifetime)
  • Silent token refresh: Same endpoint — refresh token used to renew your JWT without re-entering your password
  • Profile API: https://api.tools-hut.com/account — loads/saves your display name, tier, and preferences
  • Google OAuth (if used): https://accounts.google.com/ → Cognito hosted UI → redirects back with tokens

Signing out revokes all active tokens globally. Your JWT is held in JavaScript memory only — never written to a cookie.

Verify It Yourself

  1. Open Developer Tools (F12 or Ctrl+Shift+I)
  2. Go to the "Network" tab
  3. Use any browser-side tool and input your data
  4. Observe: no POST/PUT requests containing your tool input

For AI tools, you will see a single POST to our API endpoint — that is the file upload described above. Everything else stays local.

4. Account & Authentication Data

Creating a Tools-Hut account is always optional. All 25 tools work without signing in. When you do create an account, here is exactly what we collect and why.

What we collect

DataWhere storedWhyRetention
Email addressAmazon Cognito (encrypted at rest)Account identity and email verificationUntil account deletion
Display nameDynamoDB (encrypted at rest)Personalisation only — defaults to email prefixUntil account deletion
Subscription tierDynamoDB & Cognito user attributeFeature entitlement (free / plus / pro)Until account deletion
Stripe customer IDDynamoDBLinks account to payment processor — paid plans only. We never store card numbers.Until account deletion
Sign-in event logDynamoDB (TTL: 90 days)Security audit and fraud detection. IP stored as a one-way SHA-256 hash — the raw address is never recorded.90 days (automatic deletion)
PreferencesDynamoDBCross-device settings sync (currency, date format)Until account deletion

What we do NOT collect

  • Tool inputs — images, documents, and text you paste never reach our servers (processed in-browser)
  • Your password — handled entirely by Amazon Cognito; we never see it
  • Payment card details — handled entirely by Stripe; we never see them
  • Raw IP addresses — sign-in events store a one-way SHA-256 hash only

Access token security

Your JWT access token (60-minute lifetime) is held in JavaScript memory only — it is never written to localStorage or a cookie. The refresh token is stored in localStorage under the key th_rt. Signing out from the Account page revokes all active sessions globally.

Always Optional

All 25 tools remain fully functional without an account. Sign-in only unlocks higher cloud scan limits and cross-device sync.

Full Deletion

Delete your account from the Account page at any time. All profile data, sync history, and the Stripe subscription are removed immediately.

Encrypted at Rest

All DynamoDB tables and Cognito User Pool data are encrypted at rest using AWS-managed KMS keys.

In-Transit Encryption

All API calls use TLS 1.2+. CloudFront enforces HTTPS-only — HTTP redirects automatically.

5. Feedback Form Data

Our Feedback & Wishlist form is live. When you submit feedback:

  • Voluntary Submission: You choose what to share — no account required
  • Minimal Required Fields: Only feedback text is required
  • Optional Contact Info: Email/name only if you want a response
  • Secure Storage: Encrypted database with access controls
  • Purpose-Limited Use: Only for improving Tools-Hut services
  • Retention Period: Deleted after 2 years unless action is pending
  • Spam Protection: Google reCAPTCHA v3 runs invisibly to prevent abuse (see Section 6)

6. Third-Party Services

Tools-Hut uses the following trusted third-party services. Your tool input data (images, documents, text) is never shared with analytics or advertising services.

ServicePurposeData Shared
Google Analytics 4Anonymous usage statisticsPage views, device type, location (city-level). No tool inputs.
Amazon CloudFront & S3Website hosting and CDN deliveryStandard server logs (IP, timestamp, page accessed). Retained per AWS default policy.
Amazon CognitoUser authentication and identityEmail address and hashed password (bcrypt). Required only if you create an account.
StripePayment processing for Plus & Pro plansEmail, payment card (never stored by us — Stripe handles PCI compliance). Required only for paid plans.
AWS RekognitionImage forensic analysis (cloud scan feature)Image files sent for analysis — processed ephemerally, not stored by AWS after the API call completes.
AWS TextractReceipt OCR scanning (cloud scan feature)Receipt images sent for text extraction — processed ephemerally, not stored after the call.
Google reCAPTCHA v3Spam protection on the feedback formDevice/browser info, interaction patterns (see below).
CDN (jsDelivr / Google Fonts)Fast library and font deliveryYour IP address (standard for all CDN requests).

Google reCAPTCHA

Our feedback form is protected by Google reCAPTCHA v3, which analyzes interactions to prevent spam and abuse. reCAPTCHA may collect:

  • IP address
  • Browser and device information
  • Mouse movements and interaction patterns
  • Cookies and similar tracking technologies

This data is processed by Google according to their Privacy Policy. reCAPTCHA v3 runs invisibly and does not require any user interaction.

Stripe

Stripe is PCI-DSS Level 1 certified. Payment card details are entered directly into Stripe-hosted fields and are never transmitted to or stored by Tools-Hut servers. See Stripe's Privacy Policy for details on how they handle payment data.

7. Your Rights

You have the following rights regardless of whether you have an account:

  • Access (no account): All tool inputs stay in your browser — there is nothing server-side to access.
  • Access (with account): View your stored profile data at any time on the Account page.
  • Rectification: Update your display name and preferences from the Account page.
  • Erasure (Right to be Forgotten): Delete your account and all associated cloud data permanently from the Account → Danger Zone section. This also cancels any active Stripe subscription.
  • Export: Many tools offer CSV or PDF export of results. Contact us to request a structured export of your profile data.
  • Opt-Out of Analytics: Block Google Analytics via browser extensions (e.g. uBlock Origin) or your browser's privacy settings.
  • Portability: Email admin@tools-hut.com to request a machine-readable copy of your stored profile data.
  • Question: Contact us at any time about data handling concerns — we respond within 5 business days.

For users in the EU/EEA, these rights are provided under GDPR Articles 15–20. For California residents, these rights align with the CCPA.

8. Security Measures

Even though data isn't transmitted, we implement security best practices:

  • HTTPS: All pages served over encrypted connections
  • Content Security Policy: Prevents cross-site scripting attacks
  • No Inline Scripts: Minimizes injection risks
  • Regular Updates: Dependencies kept current with security patches
  • Open Source Libraries: Using widely-audited, MIT-licensed code

9. Children's Privacy

Tools-Hut is designed for general audiences:

  • Account creation is optional and not targeted at or encouraged for children under 13
  • No advertising or behavioural tracking beyond anonymous analytics
  • Educational tools (e.g., Memory Game, Unit Converter) are kid-friendly and require no account
  • We do not knowingly collect personal data from children under 13. If you believe a child has created an account, contact admin@tools-hut.com and we will delete it immediately.

10. Changes to This Page

When we make material changes to how we handle data:

  • This page will be updated with a revised "Last Updated" date
  • Significant changes will be announced via a homepage banner
  • Signed-in users will receive an email notification for changes that affect their account data
  • Anonymous, client-side tools will always remain available without an account

Last Updated: June 16, 2026

11. Contact Us

Questions about how we handle data? We're transparent and happy to explain:

Our Philosophy

We built Tools-Hut because we wanted simple, privacy-respecting tools for everyday tasks. We believe your data is yours - that's why we designed every tool to run in your browser. As we grow, we'll maintain this principle: your privacy is never compromised for our convenience.