Privacy Policy

Our Fundamental Privacy Commitment

UltraTools is built on a foundational principle: your files never leave your device. This is not a marketing promise—it is a technical guarantee enforced by our architecture.

Information We Do NOT Collect

Unlike traditional online tools, UltraTools does NOT collect, store, transmit, or process:

• Your uploaded files - PDFs, images, documents, or any other files you process
• File contents or metadata - We never see what's inside your files
• Personal information from documents - Resume data, contact details, or business information
• Passwords or sensitive credentials - Even when using the Password Breach Checker (see section below)
• Usage patterns - We don't track which tools you use or how often
• Account data - We don't require accounts, so we have no user databases

How Client-Side Processing Works

Understanding our technical architecture helps explain why your privacy is guaranteed:

PDF to JPG Converter

Uses the PDF.js library (developed by Mozilla) to render PDF pages directly in your browser's canvas element. The conversion to JPG images happens in your browser's memory. Download links are generated using data URLs—the images never touch our servers.

Image Optimizer

Utilizes the browser-image-compression library to analyze and compress images locally. All compression algorithms run in your browser using Web Workers for performance. Optimized images are created in browser memory and made available for download via blob URLs.

QR Code Generator

Generates QR codes entirely in your browser using the QRCode.js library. Your WiFi passwords, URLs, or WhatsApp messages are never transmitted—they're encoded directly into QR codes in your browser's memory.

Password Breach Checker

This tool deserves special mention because it demonstrates our privacy-first approach even when external APIs are involved:

• Your password is never sent to our servers or to Have I Been Pwned
• We use the k-anonymity model: your password is hashed using SHA-1 in your browser
• Only the first 5 characters of the hash are sent to Have I Been Pwned's API
• Matching against the breach database happens in your browser, not on any server
• This approach, designed by security expert Troy Hunt, ensures even the API provider never sees your password

Information We DO Collect

For transparency, here's what minimal data we collect:

Standard Web Server Logs

Like all websites, our hosting provider (Cloudflare Pages) collects standard server logs:

• IP addresses - Anonymized after 24 hours for DDoS protection
• Browser type and version - To ensure compatibility
• Page URLs visited - To understand which tools are popular
• Referral sources - To know how people find our site
• Timestamp of visits - For analytics and security

This data is aggregated and anonymized. We cannot and do not track individual users across sessions.

Google Analytics (If Enabled)

We may use Google Analytics to understand website traffic and improve user experience. This service collects:

• Pages visited and time spent on each page
• Device type (mobile, desktop, tablet)
• General geographic location (country/city level, not precise GPS)
• Browser language and settings

You can opt out of Google Analytics using browser extensions like uBlock Origin or by enabling Do Not Track in your browser.

Google AdSense Cookies

We display advertisements via Google AdSense to keep the service free. Google may collect:

• Cookie data for ad personalization
• Ad interaction data (clicks, views)
• Device and browser information

You can control ad personalization through Google Ad Settings. We do not have access to Google's ad tracking data.

Third-Party Services

CDN Libraries

We load JavaScript libraries from CDNs (Content Delivery Networks) for better performance:

• Cloudflare CDN (Tailwind CSS, PDF.js, jsPDF, pdf-lib)
• Google Fonts (typography)

These services may log requests but do not have access to your file data since all processing is client-side.

Have I Been Pwned API

The Password Breach Checker queries the Have I Been Pwned API, but as explained above, only sends partial password hashes using the k-anonymity model. Your actual password never leaves your device.

Data Retention

Since we don't collect your files or personal data, there's nothing to retain. Here's what happens to different types of data:

• Your files: Processed in browser memory and automatically cleared when you close the tab or navigate away. Never stored.
• Server logs: IP addresses anonymized after 24 hours, full logs deleted after 30 days.
• Analytics data: Retained by Google Analytics according to their retention policies (typically 26 months).
• Ad cookies: Managed by Google AdSense with standard cookie expiration (typically 30 days to 2 years).

Your Rights

Under GDPR, CCPA, and other privacy laws, you have rights regarding your data. Since we don't collect personal data from your files, these rights primarily relate to analytics and advertising data:

• Right to Access: Request what data third-party services (Google) have collected
• Right to Deletion: Request deletion of analytics data
• Right to Opt-Out: Disable cookies or use ad blockers
• Right to Portability: Download your data from Google services

To exercise these rights regarding Google's data collection, visit:

• Google Account Settings
• Google Ad Settings

Children's Privacy

UltraTools does not knowingly collect information from children under 13 (or 16 in the EU). Our services are designed for general audiences and do not target children. Since we don't collect user data from file processing, children can use our tools with the same privacy protections as adults.

Security Measures

While we don't store your files, we implement security best practices for the website itself:

• HTTPS Encryption: All connections use TLS 1.3 encryption via Cloudflare
• Content Security Policy: Prevents XSS attacks and unauthorized script execution
• No Database: There's no database to breach because we don't store user data
• Open Source Libraries: We use well-maintained, security-audited libraries
• DDoS Protection: Cloudflare provides enterprise-grade DDoS mitigation

Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify users of significant changes by:

• Updating the "Last updated" date at the top of this page
• Displaying a prominent notice on our homepage for 30 days
• For material changes affecting data collection, providing advance notice

International Data Transfers

UltraTools is hosted on Cloudflare Pages, which uses a global CDN. Your requests may be served from data centers around the world for optimal performance. However, since all file processing happens in your browser, your files never cross international borders via our infrastructure.

For users in the European Economic Area (EEA), we comply with GDPR requirements. Analytics data processed by Google may be transferred to the United States under Google's Privacy Shield certification and Standard Contractual Clauses.

About UltraTools

UltraTools was developed by experienced System Administrators who understand the critical importance of data security in today's digital landscape. Having worked with sensitive corporate and government systems, we built UltraTools with a privacy-first architecture from day one.

Our mission is to provide powerful productivity tools that respect user privacy by design, not as an afterthought. Client-side processing isn't just a feature—it's the foundation of everything we build.

Contact Information

If you have questions about this privacy policy or our data practices, please contact us:

Legal Compliance

This privacy policy complies with:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Children's Online Privacy Protection Act (COPPA)
• ePrivacy Directive (Cookie Law)

This privacy policy was last reviewed and updated to reflect current data protection best practices and legal requirements.