inyourbrowser.com

/ LEGAL

Privacy policy

Last updated: May 2026. What inyourbrowser.com collects, what it does not collect, and how to verify the claims for yourself.

The short version

How the tools work locally

Every tool is a small JavaScript program that runs inside your browser tab. Files you select or text you paste are loaded into the browser's memory and processed using standard browser APIs (File API, Canvas, Web Crypto, Web Workers). The result is returned to you as a download or as text in the page, then released from memory when you close the tab. Nothing is written to disk, IndexedDB, or Cache Storage, and nothing is transmitted to our servers.

The Content Security Policy

Every page carries a Content Security Policy (CSP) header containing the directive connect-src 'none'. This instructs your browser to refuse all outbound connections from scripts on this site: no fetch(), no XMLHttpRequest, no WebSockets, no Server-Sent Events. The browser blocks the connection before any data can leave your tab.

This is the technical mechanism behind the no-upload promise. You can inspect the header yourself in your browser's Network tab; /verify-local walks through how. The CSP is enforced by your browser (Chrome, Firefox, Safari, Edge all honour the spec), not by us.

What we actually collect

Server access logs

When you request a page, the hosting provider's servers record standard access log data: IP address, requested URL, HTTP status, timestamp, and user-agent string. These exist for operational reasons (outage diagnosis, abuse blocking, debugging) and are managed by the provider under its standard practices. We do not link them to any other identifier.

Browser localStorage

The site writes two keys to your browser's localStorage. theme stores light or dark (your visual preference). nc_dismissed stores 1if you have closed the floating "no data sent" pill, so it stays hidden on later visits. Both keys live on your device only and you can delete them through your browser's site-data settings.

That is the complete list

We do not collect or retain:

Camera permission (QR code scanner only)

The QR code scanner can optionally use your camera. The camera is activated only when you click "Start camera" in that tool, and your browser then prompts for permission. Once granted, the video feed is attached to a <video> element, individual frames are sampled into an off-screen <canvas>, and the open-source jsQR library decodes them locally. The stream is not recorded, transmitted, or retained, and the camera is released when you stop the scanner or close the tab. You can revoke the permission at any time in your browser's site settings.

Cookies and third parties

This site sets zero cookies, has no cookie banner (nothing to consent to), and includes no third-party analytics, advertising, tag managers, error trackers, social-media widgets, or external iframes. There are no <script> tags pointing to any external domain.

The site does use open-source JavaScript libraries: pdf-lib, pdfjs-dist (PDF.js), qrcode, jsqr, jsbarcode, marked, js-yaml, sql-formatter, and cronstrue. These are bundled into the site at build time and served from the same origin. They run in your browser without contacting their original authors. See the licenses page.

Architectural commitment, not warranty

The local-only architecture is a design intent and a best-effort technical commitment, not a contractual warranty. Software contains bugs, browsers contain bugs, and third-party libraries can in principle be compromised. The CSP described above is the reasonable measure we have taken, and we encourage you to verify the behaviour yourself before processing sensitive content. Legal terms are in Section 3 of the Terms of Service.

GDPR (users in the European Economic Area)

The site is operated from Sweden. Processing of personal data falls under the GDPR (Regulation (EU) 2016/679). The only personal data we process is the standard server-access log data described above; the legal basis is our legitimate interest (GDPR Article 6(1)(f)) in operating, securing, and debugging the site. Logs are retained for the limited period required for those purposes and are not used for anything else.

Because we do not maintain a queryable database linking log entries to identities, we cannot fulfil data-subject access requests beyond what is in those logs. You may lodge a complaint with the supervisory authority in your country of residence. In Sweden the supervisory authority is Integritetsskyddsmyndigheten (IMY), www.imy.se.

California residents (CCPA / CPRA)

The only category of personal information collected through this site is the server-access log data described above (which may include IP address). We do not sell or share personal information for cross-context behavioural advertising, and do not use sensitive personal information for any purpose beyond operating the site.

Children's privacy

The site is a set of general-purpose utilities and is not directed to children under 13 (United States) or under 16 (European Union, where applicable). We do not knowingly collect personal information from children. Since the site requires no accounts or personal data beyond server logs, this section is included for completeness.

Data retention & policy changes

The localStorage keys persist in your browser until you clear site data. Server access logs are retained by the hosting provider for the period needed for technical operation and security. No other data is retained because no other data is collected. If we make material changes to this policy we will update the date at the top of this page; continued use after a change constitutes acceptance.

Contact

Technical questions about how the tools work are addressed on the about page and the verification page. For direct enquiries, email contact. EEA residents may also contact their national supervisory authority (in Sweden, IMY at www.imy.se).