Privacy Policy
Last updated: June 23, 2026
TL;DR
We do not collect, store, or transmit your data. Every tool on XilXil Tools Hub runs entirely in your browser. Your text, files, passwords, and calculations never leave your device. This isn't just a policy — it's how the code is written.
1. Information We Do NOT Collect
Unlike most online tool sites, we do not:
- Upload your text, files, or inputs to any server
- Store passwords you generate or analyze
- Track which tools you use or when
- Set tracking cookies (no Google Analytics on tool pages)
- Use third-party analytics that profile you
- Sell data to third parties (because we have none to sell)
- Use your data to train AI models
2. How Our Tools Work
All tools run as JavaScript in your browser tab. When you paste text into the Word Counter, it stays in your browser's memory. When you generate a password, it's created by your device's crypto engine (Web Crypto API) and never transmitted. When you compress an image, the processing happens on your CPU.
The only network requests made by tool pages are:
- Initial page load (HTML, CSS, JS, images)
- The tools.json catalog (cached locally by service worker)
- Optional external APIs (e.g., QR code generation via api.qrserver.com — clearly noted in tool descriptions)
- Optional Google Analytics (only on non-tool pages, with your consent)
3. Local Storage
Some tools (Todo List, Notes, Password Vault) store data in your browser using LocalStorage or IndexedDB. This data:
- Is stored only on your device
- Is encrypted with AES-GCM when sensitive (e.g., Password Vault)
- Is cleared when you clear browser data
- Never syncs to other devices (unless you enable browser sync yourself)
- Is never accessible to us or any other website
4. Cookies
We use a minimal set of cookies for site functionality:
- Essential: Theme preference, accept-cookie banner (stored in localStorage)
- Analytics (optional): Google Analytics, only on content pages (Home, Blog, About), with your consent
We do not use advertising cookies. We do not share cookie data with third parties.
5. External Services
A small number of tools use external APIs for live data:
- QR Code Generator: Uses api.qrserver.com to render QR images
- Currency Converter: Uses live exchange rate APIs (planned)
- Crypto Price Tracker: Uses CoinGecko or similar (planned)
Each external call is clearly disclosed in the tool description. We never send your input data to these services — only the parameters needed to fetch the public data.
6. Children's Privacy
Our service is suitable for all ages. We do not knowingly collect any personal information from anyone, including children under 13. COPPA and GDPR-K compliance is implicit because we collect nothing.
7. Your GDPR Rights
Under the GDPR, you have rights to access, rectify, erase, restrict processing, and data portability. Since we don't collect personal data, these rights are automatically satisfied. If you believe we have collected data about you, please contact us and we will investigate.
8. CCPA Compliance
Under the California Consumer Privacy Act, you have the right to know what personal information we collect, request deletion, and opt out of sale. We do not sell personal information, and we collect only what is described in this policy.
9. Security
We implement industry-standard security measures:
- HTTPS-only (HSTS enabled)
- Content Security Policy (CSP) headers
- X-Frame-Options: DENY (no clickjacking)
- X-Content-Type-Options: nosniff
- Web Crypto API for all cryptographic operations (no insecure Math.random for security-sensitive functions)
- Input validation and output escaping on all forms
- Subresource Integrity (SRI) for third-party scripts
10. Changes to This Policy
If we change this policy, we'll update the date at the top of this page and note the change in our changelog. We will never weaken privacy protections without clear notice.
11. Contact
Questions about privacy? Get in touch. We'll respond within 48 hours.