Legal
Privacy Policy
Last updated: June 28, 2026
Last updated: June 28, 2026
This Privacy Policy explains how ToolXero ("we," "us," or "our"), accessible at https://ToolXero.com, collects, uses, and protects information when you use our website and tools.
We built this site around a core principle: your files are your business, not ours. Most of our tools process your documents and images entirely inside your browser — they never reach our servers. This policy explains exactly what that means and the limited cases where data does leave your device.
Please read this policy carefully. By using our website, you agree to the practices described here.
1. The Short Version
- Your files: the vast majority of our tools process your files 100% inside your browser. Nothing is uploaded. Nothing is stored. We never see them.
- Server-side tools: a small number of tools (such as background removal) require server processing. Files are deleted immediately after processing. We do not store, analyze, or share them.
- Analytics: we use self-hosted Umami analytics — no cookies, no cross-site tracking, no fingerprinting, GDPR compliant by design.
- Advertising: we display Google AdSense ads. Google may use cookies to personalize ads. You can opt out.
- No accounts: we do not have accounts, sign-ups, or user profiles. We hold no personal data tied to your identity.
2. Information We Collect
2.1 Files You Process With Our Tools
Browser-side tools (the vast majority): When you use tools such as Compress PDF, Merge PDF, PNG to JPG, Image Compressor, QR Code Generator, Password Generator, and most other tools on this site, your file is processed entirely inside your browser tab using JavaScript libraries (pdf-lib, jsPDF, browser-image-compression, qrcode.js, Canvas API, and others). Your file is read into browser memory, processing occurs locally on your device, the result is offered for download directly to your device, and at no point is any data transmitted to our servers or any third party.
You can verify this at any time: open your browser's Developer Tools (F12), go to the Network tab, clear the log, and process a file. You will see zero outbound requests carrying your data.
Server-side tools (background removal and similar AI-powered tools): A small number of tools require server-side processing because they use AI models that cannot run efficiently in a browser. For these tools, your file is transmitted over HTTPS (encrypted) to our server, processing is performed immediately, the result is returned to your browser, and your file is permanently deleted from our server immediately after processing. We do not store, log, index, analyze, or share the content of these files, and no employee has access to files during or after processing. If you are concerned about uploading a sensitive document, use our browser-side tools where no upload occurs.
2.2 Analytics Data (Umami — Cookie-Free)
We use Umami, a self-hosted, open-source analytics platform. Umami is designed to be privacy-friendly: no cookies are set, there is no cross-site tracking (we only see activity on our own site), no fingerprinting, and no personal data is stored — Umami collects aggregate, anonymized data only.
The data we collect through Umami includes:
| Data point | Why we collect it |
|---|---|
| Page URL visited | To see which tools are most used |
| Referrer domain | To understand traffic sources |
| Browser type | To ensure compatibility |
| Operating system | To ensure compatibility |
| Device type | To optimize mobile experience |
| Country (approximate) | Aggregated only, not individual |
| Session duration | To measure engagement |
Your IP address is used to derive approximate country, then immediately discarded. We do not store IP addresses. This data is not shared with any third party.
2.3 Advertising Data (Google AdSense)
We display advertisements provided by Google AdSense. Google may use cookies to display relevant ads and measure performance. This is governed by Google's Privacy Policy.
Opt out of Google ad personalization: visit https://adssettings.google.com; EU users can visit https://www.youronlinechoices.com; US users can visit https://optout.aboutads.info.
2.4 Server Access Logs
Our web server maintains standard access logs (timestamp, URL, response code, IP address) retained for 30 days for security and diagnostic purposes only. They are not analyzed for marketing or shared with third parties.
3. How We Use Information
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide and improve our tools | Umami analytics | Legitimate interest |
| Display advertisements | Google AdSense | Legitimate interest / Consent |
| Diagnose errors and security issues | Server logs | Legitimate interest |
| Process files (server-side tools) | File content (deleted immediately) | Contract performance |
We do not use your data to build personal profiles, sell data to third parties, send marketing emails, or train AI models.
4. Data Sharing
| Party | What is shared | Why |
|---|---|---|
| Google (AdSense) | Ad impression data, cookie identifiers | Advertising |
| Our hosting provider | Encrypted server traffic | Operating the website |
We do not sell your personal information. We do not share your files or analytics data with data brokers or marketers.
5. Cookies
We do not set any first-party analytics cookies (Umami is cookie-free). Google AdSense sets third-party cookies to serve and measure ads. You can manage these through your browser settings or the opt-out links above.
6. Data Retention
| Data type | Retention period |
|---|---|
| Files (server-side tools) | Deleted immediately after processing |
| Files (browser-side tools) | Never stored — exists only in browser memory |
| Umami analytics | 24 months |
| Server access logs | 30 days |
| AdSense data | Per Google's retention policies |
7. Security
All connections are encrypted via HTTPS/TLS. Server-side files are deleted immediately after processing. We collect minimal data, reducing breach risk significantly. For browser-side tools, your files never leave your device — there is nothing to breach.
8. Children's Privacy
Our website is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. Contact us at hello@ToolXero.com if you have concerns.
9. Your Rights
European Economic Area (GDPR)
You have the right to access your data, correct inaccurate data, request erasure, restrict processing, data portability, object to processing, and withdraw consent. Contact us at hello@ToolXero.com to exercise these rights. You may also lodge a complaint with your national data protection authority.
California (CCPA / CPRA)
California residents have the right to know what data is collected, request deletion, and opt out of the sale of personal data. We do not sell personal data. Contact hello@ToolXero.com for any CCPA requests.
10. International Data Transfers
Our server is located in the European Union (Germany). Google AdSense data is processed globally by Google in accordance with their data transfer mechanisms (Standard Contractual Clauses).
11. Changes to This Policy
We update this policy when our practices change. We will update the "Last updated" date and, for significant changes, display a notice on our homepage.
12. Contact Us
ToolXero Email: hello@ToolXero.com Website: https://ToolXero.com
We respond to all privacy inquiries within 30 days.
Last reviewed: June 28, 2026.