Local tools
Files never leave your browser
Tools labelled Browser-local read your file with the browser's File API and process it in JavaScript on your device. The file is never uploaded to our servers.
Privacy
How your files are handled, in plain words
Every tool tells you whether it runs locally in your browser, on our server, or via an AI service. This page collects the rules in one place.
Server tools
Uploaded, processed, deleted
Tools labelled Server-side upload your file over HTTPS, process it, return the result, and delete the input within minutes. Retention is capped at 1 hour. We do not train models on your files.
AI tools
Sent to a model provider
Tools labelled AI send the relevant input to our AI provider to produce a response. We use providers with no-training defaults and short retention windows. The badge on each tool names the provider.
Third-party code
What runs on this page
To keep our local-first promise honest, we vendor third-party libraries instead of loading them from a CDN at runtime. The bundles below ship from our own origin.
- pdf-lib — read and write PDF files (MIT)
- pdf.js — render PDF pages, extract text (Apache 2.0)
- JSZip — pack multiple results into a single ZIP download (MIT/GPL)
- node-qrcode — generate QR codes (MIT)
These are the only third-party libraries needed for tool processing. If you accept analytics, a first-party loader requests Google Tag Manager so GA4 can count anonymous page views. It is not loaded before consent, and we do not load third-party fonts or ads.
Cookies
None for tool use
Free use of the tools doesn't require cookies. If you accept analytics, Google Analytics may set measurement cookies. Optional paid passes are handled through Stripe Checkout and saved locally in your browser after payment.
Analytics
Aggregated, not personal
We collect anonymous, aggregated usage events (a tool was opened, a task completed) so we know which tools to prioritise. After consent, Google Tag Manager also loads GA4 for page-view measurement. We never log file contents, file names, pasted text, or QR contents.
Ads
Reserved space, never in the flow
If we add ads, they will sit below the result area or in sidebars — never inside the upload or download steps.
Reach us
Privacy questions and data requests
Email hello@niftywebtools.dev for privacy questions, data deletion, or to report a security issue.
Anonymous usage telemetry
What we count and what we don't
If you accept the consent banner, we count six anonymous events so we know which tools to prioritise, and we load Google Tag Manager for GA4 page-view measurement. We never log file contents, file names, pasted text, or QR contents.
The six events
- pricing_view — the /pricing/ page first becomes visible.
- checkout_click — a Day Pass or Project Pass button is clicked. Records the tier (
dayorweek). - checkout_return_success — a verified checkout token renders the success page. Records the tier.
- entitlement_active_first_render — an allowlisted tool page first renders with an active entitlement. Records the tier and slug.
- tool_used — the primary action on an allowlisted tool runs with at least one accepted file. Records the slug. At most once per page load.
- limit_hit — the limit-gate rejected files or capped a batch. Records the slug and which cap was hit (
per-file,combined, orbatch).
Consent controls
Events are sent only when all three are true: (1) the telemetry.enabled config flag is on, (2) you accepted the consent banner, and (3) the event matches the allowlist above. Any one missing means no network call leaves your device.
Retention
The endpoint stores daily aggregate counters with a 90-day expiry. After 90 days the keys expire automatically. There is no per-event row, no backup, and no export. The only data we ever see is structurally aggregate.
Withdraw consent
You can stop sending anonymous totals at any time. There's no backend record to delete because there isn't one — the consent flag lives in your browser only.