Privacy Policy

This is the real privacy policy for Toolpile, written by the person who built the site. It is not template text. It describes what actually happens to your data when you use toolpile.org, and where to push back if any of it isn’t okay with you.

The short version

Almost every tool on Toolpile runs entirely inside your browser. Your files, your text, your inputs — they don’t leave your device. The site itself records anonymous product analytics, shows ads from Google, and (if you sign in) stores an account record so we know who is on the Pro plan.

Who runs this

Toolpile is operated as a sole proprietorship by Umur Yavuz, based in Middelburg, the Netherlands. There is no company, no team, and no third-party data broker hidden behind it. Contact: [email protected].

What stays in your browser

The vast majority of tools — PDF merging, splitting, compressing, image resizing, format conversion, QR code generation, hashing, encoders, formatters, calculators, generators — execute as JavaScript in your browser tab. The file you drop or the text you paste is held in memory on your machine, processed there, and the result is handed back to you. Toolpile’s servers never see the contents.

This is not a marketing claim that we then quietly contradict in the fine print. It is structural: there is no upload endpoint for those tools to upload to.

The exceptions — tools that talk to third parties

A handful of network and lookup tools cannot work in pure JavaScript because they need to query the public internet. When you use them, your browser makes a direct request to a third-party API. Toolpile does not proxy or log it, but the third party will see your IP address and the value you typed in. Specifically:

• DNS Lookup and Business Name Checkerquery Cloudflare’s public DNS-over-HTTPS endpoint (cloudflare-dns.com).
• IP Address queries api.ipify.org and ipapi.co.
• WHOIS Lookup queries rdap.org.
• SSL Checker queries ssl-checker.io.

Each of those services has its own privacy policy. We picked them because they’re the standard public endpoints for those lookups, not because we have any commercial relationship with them.

The AI-branded tools (Rewriter, Translator, Summarizer, Email Writer, Grammar, Code Explainer) are currently disabled at the server level. When they ship, they will send your text to a model provider (Anthropic Claude) and that fact will be re-disclosed here.

Accounts

You don’t need an account to use the tools. If you create one — only required for the Pro subscription — sign-in is handled by Supabase Auth. We store your email address, an opaque user ID, your plan (free or pro), and (if you subscribe) the Stripe customer and subscription IDs that link your account to your billing record.

We do not store passwords; Supabase handles the hashing if you use an email/password flow, and OAuth flows hand back a token rather than a password. Supabase is hosted in the EU.

Payments (Stripe)

Pro subscriptions (€4.99/month) are processed by Stripe. When you check out, you enter your card details directly into a Stripe-hosted page; Toolpile never sees the card number, CVC, or full billing address. Stripe sends us a webhook with your customer ID, subscription ID, country, and VAT/tax info, which is what we need to honour the subscription and meet EU billing rules. Stripe is the data controller for the payment data itself.

Product analytics (PostHog)

We use PostHog, hosted on their EU cloud (eu.i.posthog.com), to understand which tools people actually use. It captures page views, button clicks, and a session recording with all input fields masked — we cannot replay what you typed.

PostHog sets a first-party cookie to keep your visits stitched together as one user. If you choose “Essential only” in the cookie banner, we call posthog.opt_out_capturing() and no events leave your browser at all.

Internal usage events (Supabase)

Alongside PostHog, the site writes a small row to a Supabase table called tool_events each time you open or finish a tool. The row contains the tool ID, a category, an anonymous session UUID generated in your browser, your device type (mobile/tablet/desktop based on screen width), and the document referrer. It does not contain the contents of the file or text you processed.

Advertising (Google AdSense)

Free users see ads served by Google AdSense (publisher ID ca-pub-2432189288620156). Google and its partners may set cookies and use device identifiers to personalise those ads, measure performance, and detect fraud. Choosing “Essential only” in the cookie banner switches AdSense into non-personalised mode where supported.

You can review and adjust Google’s ad settings at adssettings.google.com. Pro subscribers do not see ads — the AdSense script still loads (Google requires it for verification) but its containers are hidden in CSS.

Search and audience measurement (Google)

We run Google Analytics 4 (measurement ID G-TSN8TR4LL7) and Google Search Console alongside PostHog. GA4 uses cookies and IP-based geolocation to attribute traffic. It is included in the “analytics” consent group, so “Essential only” suppresses it.

Hosting and DNS

The site is served through Cloudflare’s CDN, which sits in front of our origin host. Cloudflare logs the standard access data (IP, request URL, user agent, timestamp) for caching, DDoS mitigation, and bot protection. We don’t add custom logging on top of that.

Cookies and local storage

The site uses the following:

• Essential. Supabase auth cookies (only after sign-in), the language preference, and the cookie-banner choice itself, stored in localStorage under tp_consent.
• Analytics.PostHog’s first-party cookie, Google Analytics’ _ga family of cookies, and a few localStorage keys we use to remember favourites, the daily-use counter, and the current session ID.
• Advertising. Cookies set by Google AdSense and its ad-tech partners. These are loaded only when consent is granted (or when consent has not yet been recorded — see below).

Default consent state

Until you make a choice in the banner, Toolpile treats analytics and advertising cookies as not consented in the EU/UK and consented elsewhere. If you ignore the banner, no PostHog events fire and AdSense runs in non-personalised mode for visitors we believe to be in the EU/UK based on language headers.

Your rights (GDPR)

If you’re in the EU, UK, or any other GDPR-aligned jurisdiction, you have the right to access, correct, export, or delete the personal data we hold on you, to restrict or object to processing, and to lodge a complaint with your data protection authority. Email [email protected] and we’ll respond within 30 days. For Dutch residents the supervising authority is the Autoriteit Persoonsgegevens.

Children

Toolpile is not aimed at children under 16. We don’t knowingly collect data from them. If you’re a parent and believe your child has used the site, write to [email protected] and we’ll delete what we have.

Changes to this policy

We’ll update this page when something changes — a new subprocessor, a new tracker, a new tool that talks to a third party. The “last updated” date at the top moves with each change. Material changes that affect existing users will be announced in-app before they take effect.