How we protect your data
Transparency over marketing. Here's exactly what we do — and what we deliberately don't do — to keep your data safe.
Zero data collection on content
We don't see, store, or log anything about the files and text you process. Everything runs inside your browser's JavaScript sandbox. Our servers never touch your content.
Client-side processing
PDF merging, image compression, OCR, AI rewrites, and every other tool run directly in your browser using WebAssembly, Canvas, and Web APIs. Our servers only serve the HTML/JS for the tool itself.
HTTPS everywhere
Every page and asset is served over HTTPS with HSTS preloading and modern TLS 1.3. Mixed content is blocked. HTTP requests are permanently redirected.
Security headers
X-Frame-Options: DENY (no clickjacking), X-Content-Type-Options: nosniff, strict Referrer-Policy, Permissions-Policy disabling camera/mic/geolocation by default, and CSP on inline scripts.
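To check the transport and header controls listed above against a live response, the following added example (not Toolkiya's own code) audits a header map and returns any gaps. The function name, the sample headers, and the readings of "strict Referrer-Policy" and "CSP on inline scripts" are assumptions, marked in the comments.

```javascript
// Added example, not the site's code. Audits response headers against the
// controls listed above; returns a list of findings (empty = all present).
function auditHeaders(raw) {
  const h = {};
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = String(v).trim();
  const get = (name) => (h[name] || '').toLowerCase();
  const findings = [];
  const need = (ok, msg) => { if (!ok) findings.push(msg); };
  // HSTS preload-list requirements: max-age >= 1 year, includeSubDomains, preload.
  const hsts = get('strict-transport-security');
  const maxAge = Number((hsts.match(/max-age=(\d+)/) || [])[1] || 0);
  need(maxAge >= 31536000, 'HSTS max-age below one year');
  need(hsts.includes('includesubdomains'), 'HSTS missing includeSubDomains');
  need(/(^|;)\s*preload\s*(;|$)/.test(hsts), 'HSTS missing preload');
  need(get('x-frame-options') === 'deny', 'X-Frame-Options is not DENY');
  need(get('x-content-type-options') === 'nosniff', 'X-Content-Type-Options is not nosniff');
  // Assumption: "strict" means one of these values; the last list entry is checked.
  const strict = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
  const referrer = get('referrer-policy').split(',').map((s) => s.trim()).filter(Boolean).pop();
  need(strict.includes(referrer), 'Referrer-Policy is not a strict value');
  // In Permissions-Policy an empty allowlist, feature=(), disables the feature.
  const policy = {};
  for (const part of get('permissions-policy').split(',')) {
    const [name, allow] = part.split('=').map((s) => s.trim());
    if (name) policy[name] = allow;
  }
  for (const f of ['camera', 'microphone', 'geolocation']) {
    need(policy[f] === '()', `Permissions-Policy does not disable ${f}`);
  }
  // Assumption: "CSP on inline scripts" means script-src (or the default-src
  // fallback) exists and does not allow 'unsafe-inline' without a nonce or hash.
  const directives = get('content-security-policy').split(';').map((s) => s.trim());
  const src = directives.find((d) => d.startsWith('script-src ')) ||
    directives.find((d) => d.startsWith('default-src '));
  need(Boolean(src), 'CSP has no script-src or default-src');
  const hasNonceOrHash = /'(nonce-|sha(256|384|512)-)/.test(src || '');
  need(!(src || '').includes("'unsafe-inline'") || hasNonceOrHash, 'CSP allows inline scripts');
  return findings;
}

// Constructed sample headers (not captured from the site).
const sample = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
};
console.log(auditHeaders(sample));
```

In practice the header map would come from a fetched response, for example the output of `curl -sI` parsed into name/value pairs.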
Compliance & infrastructure
- Transport encryption via Vercel's managed TLS
- No personal data stored on our servers (see Privacy Policy for exceptions)
- Rate limiting on all public API endpoints to prevent abuse
- Regular dependency audits and automated security patches
- Supabase row-level security on the tiny amount of data we do persist (anonymous feedback)
- No third-party tracking, no fingerprinting, no advertising cookies
Vulnerability disclosure
Found a security issue? We appreciate responsible disclosure. Please email security@toolkiya.com with details. We'll respond within 48 hours.
Do not publicly disclose the vulnerability until we've had a chance to patch it. We don't offer a formal bug bounty yet, but we will credit you in our security changelog if you prefer.