Privacy Policy
Last updated: 2026
TL;DR
Every tool on this site runs in your browser. Your .envcontent is never sent to us, never logged, and never stored on our servers.
What we collect
- Anonymous page views. Path, referrer, country (if available from the CDN), and a per-session random ID. No IP address is stored.
- Tool opens. The slug of the tool you opened (e.g.,
env-validator). Not what you pasted into it. - Ratings. 1–5 stars keyed by a hashed IP, to prevent duplicate votes. We don't keep the IP itself.
Breach check (opt-in only)
When you click "Check online" on a detected secret, or use the quick-check widget, here is exactly what happens:
- For password-type values: Your browser computes a SHA-1 hash of the value. Only the first 5 characters of that hash are sent to our server, which forwards them to the HaveIBeenPwned API (k-anonymity). The complete hash and the original value never leave your browser.
- For API keys and tokens: Your browser computes a SHA-256 hash. That hash — not the original value — is sent to our server, which checks it against our database of known-leaked secret hashes.
We do not log breach check queries. Breach checking is never automatic — it only happens when you explicitly click "Check online."
What we never collect
- The content of your .env files.
- The secrets you generate.
- Login info — there isn't any login.
Hosting
This site is hosted on servers provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
Contact / Impressum
Responsible for content: Ailiniyazi Maimaiti
E-Mail: aliniyaz.mamat@gmail.com
Questions? Open an issue on the repository.