Privacy Policy
Effective 2026-05-16 · Last updated 2026-05-17
This page describes what data ToolBox(operated by Johin Johny, an individual sole proprietor based in Mumbai, India) collects, who we share it with, how long we keep it, and how you can exercise your rights under applicable data protection laws (GDPR, UK GDPR, India's DPDP Act 2023, and CCPA where applicable).
1. Data we collect
When you use free tools without signing in:
- The pages you load (URL path, referrer, browser type) for server logs and aggregate analytics.
- Your IP address, briefly, for security and abuse prevention; we do not store it past 24 hours unless we have an active abuse investigation.
- Cookieless aggregate page-view counts via Umami.
When you create an account:
- Email address (required for sign-in and account recovery).
- Optional display name and avatar.
- Your saved preferences, favorites, workspaces, and presets (only if you opt in to cross-device sync).
- Hashed authentication tokens managed by Supabase Auth.
When you purchase Pro:
- Subscription status and product tier (we receive this from our payment processor).
- We do not see, store, or have any access to your card details, full billing address, or banking information; those are handled entirely by Dodo Payments.
If you use the hosted Pro features:
- Webhook Inbox: inbound request method, path, query, headers (with credential-like headers redacted before storage), body up to 1 MB, a SHA-256 hash of the sender IP (using a rotating salt) and timestamp. Retained 30 days on Free, 90 days on Pro, deletable any time.
- Mock API server: your endpoint definitions (path, method, status, headers, response body, latency, scenario). Stored until you delete them.
- Flows: flow names, step configurations (including any regex patterns or search/replace strings you set), and a rolling 30-day per-step run history (status, duration, truncated output).
- Personal MCP server: SHA-256 hash of each personal access key, the human-readable name you gave it, last-used timestamp.
If you consent to analytics or advertising cookies:
- Pseudonymous device/browser identifiers used by Google Analytics 4 and Google AdSense.
- IP address (anonymized for GA4; truncated/processed by Google for AdSense).
2. Tool input data
Most tools run entirely in your browser using JavaScript. Anything you type, paste, or upload stays on your device. These tools are not capable of sending your data to our servers because there is no server-side endpoint involved.
Some tools, however, must reach external APIs that browsers cannot call directly because of CORS restrictions. For those tools the data you submit (typically a URL or a short piece of text) is forwarded by our serverless proxy to the third-party API and the response is returned to you. We do not persist the input or output; it is processed in memory and discarded after the response. Tools in this category include: DNS Lookup, SSL Checker, IP Address Lookup, Link Checker, Grammar Checker (LanguageTool), Text Translator (MyMemory), SEO Analyzer, PageSpeed Checker, HTTP Headers Checker, Redirect Checker, Speed Test, OG Fetcher, and Exchange Rates.
BYOK (Bring Your Own Key) AI tools (AI CSS Generator, AI Regex Generator, etc.) send your prompt directly from your browser to the AI provider (OpenAI or Anthropic) using the API key you supply. Your key is stored only in your browser using non-extractable browser cryptography; we never see it.
On-device AI tools (AI Chat, AI Code Explainer, AI Summarizer) run open-weight models entirely inside your browser using WebGPU. Prompts and responses never leave your device. Model weights are downloaded from a public CDN (Hugging Face) the first time you load a model and cached by your browser.
3. Third parties we share data with
The following processors handle data on our behalf. Each appears here because there is no practical way to provide the service without them.
| Processor | Purpose | Data |
|---|---|---|
| Cloudflare | Hosting, CDN, DDoS protection | IP, request metadata |
| Supabase (AWS, US/EU) | Accounts, authentication, encrypted database | Email, hashed password, profile |
| Dodo Payments | Payments, invoicing, tax (Merchant of Record) | Card, billing address, email |
| Umami | Cookieless aggregate analytics | Page URL, referrer, screen size |
| Google Analytics 4 (opt-in) | Detailed usage analytics | Anonymized IP, pseudonymous ID |
| Google AdSense (opt-in) | Display advertising | Cookies/IDs, IP, request data |
| Hugging Face | CDN for on-device AI model weights | IP, request URL |
| LanguageTool, MyMemory, Frankfurter (ECB), ipapi.co, crt.sh, RDAP, Cloudflare DoH | Specific tool functionality (you pick when you click the tool) | Only what you submit (URL, text, IP) |
BYOK AI tools send your prompts directly to OpenAI or Anthropic using your own API keys; we are not in the request path for that data.
Personal MCP server and third-party AI providers
When you connect an AI assistant (Claude Desktop, Cursor, Windsurf, or any other MCP client) to your personal MCP URL, the assistant fetches your flow configurations, workspace data, and any data captured by your Webhook Inbox into the AI provider's request context. We are not a contracted processor for that leg of the data flow.
You are responsible for ensuring you have a lawful basis under DPDP s.6 / GDPR Art. 6 to expose any personal data of third parties (for example, identifiable information inside captured webhooks from your customers) to that AI provider. Treat your personal MCP key like production credentials. Revoke it from /mcp/personal the moment a device or workstation is compromised.
4. Cookies and similar technologies
We use cookies and similar storage (localStorage, IndexedDB) in three categories:
- Strictly necessary: authentication session, saved theme, language, and your consent choice. Always on.
- Analytics: Google Analytics 4 with IP anonymization. Off unless you opt in.
- Advertising: Google AdSense cookies and identifiers. Off unless you opt in. Pro subscribers see no ads regardless.
You can change your choice at any time:
5. Legal bases (GDPR / DPDP)
- Contract: account creation, Pro subscription delivery, payment.
- Legitimate interest: security logging, abuse prevention, cookieless aggregate analytics.
- Consent: analytics cookies, advertising cookies, marketing email (if you opt in).
- Legal obligation: tax records, fraud investigation, court orders.
6. Data retention
- Server access logs: 24 hours rolling, longer only during an active security investigation.
- Account and profile data: until you delete your account.
- Webhook Inbox captures (including hashed sender IPs): 30 days on Free, 90 days on Pro, deletable on demand. Hashed IPs are retained for the capture lifetime as a security measure under legitimate interest (GDPR 6(1)(f) / DPDP 7(c)).
- Mock API definitions and Flow configurations: until you delete them.
- Flow run history: 30 days rolling.
- Personal MCP key hashes: until you revoke the key.
- Billing records: 7 years (Indian tax law requirement).
- Marketing email subscriptions: until you unsubscribe.
- Analytics data (Umami / GA4): up to 14 months.
7. Your rights
If you are in the EU/UK/EEA (GDPR), India (DPDP Act), or California (CCPA), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (right to erasure).
- Export your data in a portable format.
- Withdraw consent for any optional processing at any time.
- Object to processing based on legitimate interest.
- Lodge a complaint with your supervisory authority. EU users: your national DPA. UK: ICO. India: Data Protection Board (DPBI).
To exercise any of these rights:
- If you have an account: visit your account page and use the Export or Delete buttons.
- Or email johinjohny144@gmail.com from the address on file.
We respond to requests within 30 days.
8. International transfers
Some of our processors (Supabase, Cloudflare, Google, Hugging Face) are headquartered in the United States. Where we transfer personal data from the EU/UK/EEA to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) executed with the processor.
9. Security
Data in transit is encrypted with TLS. Account data is stored in Supabase Postgres with Row-Level Security enforcing per-user isolation. Passwords are hashed (argon2id via Supabase Auth). API keys you enter in BYOK tools are encrypted in your browser with a non-extractable AES-GCM key stored in IndexedDB and never transmitted to us.
If we ever experience a data breach affecting your personal data, we will notify affected users without undue delay and, where required, within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
10. Children
ToolBox is not directed to children under 13 (or under 16 in some jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Do Not Track
We do not respond to browser Do-Not-Track signals because there is no industry-wide standard for them. Use the consent banner controls described above to manage your preferences.
12. Changes to this policy
Material changes will be announced via a banner on the site and/or by email if you have an account. The “Last updated” date at the top of this page always reflects the most recent revision.
13. Contact
Data Fiduciary (DPDP Act 2023) / Data Controller (GDPR): Johin Johny, Mumbai, Maharashtra, India.
Email: johinjohny144@gmail.com