Privacy
No data ever leaves your browser. No cookies. No analytics. No CDN. No fonts loaded from third parties. No tracking. Nothing is stored server-side because there is no server.
encryptalotta is a single-page web application. Every tool — PGP key generation, encryption, signing, hashing, KDFs, parsers, encoders, IBAN/VAT/BIC checks, and the rest — runs entirely in your browser as JavaScript inside the page you loaded. The site has no backend that could collect, log, or process your inputs because there is no backend.
What the site never does
- No file uploads. When you select a file, the browser hands it to the JavaScript in the page. The bytes never reach any network.
- No remote API calls. The page's Content Security Policy is set to connect-src 'none'. The browser will refuse any outbound fetch, XMLHttpRequest, WebSocket, EventSource, or navigator.sendBeacon initiated from the page.
- No analytics. No Google Analytics, no Plausible, no Fathom, no Cloudflare Web Analytics, no custom telemetry — not even "anonymous usage metrics."
- No cookies. The page sets none and reads none.
- No CDN. All JavaScript, fonts, and images come from the same origin that serves the page.
- No third-party fonts. The interface uses the system font stack — what's already installed on your device.
- No fingerprinting. The language is detected from navigator.language on the first visit and your choice is stored in localStorage on your device. Country is never inferred — no IP geolocation, no timezone-based country guessing. The same site is served to everyone.
- No accounts. There is nothing to sign up for. There is nowhere to sign up to.
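As an added example (not encryptalotta's own code or its audit script), here is one way a reviewer could check that a CSP string really forbids script-initiated connections, including the default-src fallback. The function names are hypothetical, the policy strings are constructed samples, and only enforced (not report-only) policies are assumed.

```javascript
// Added example; function names are hypothetical, policy strings are constructed.
// Parse one serialized CSP into a Map: directive name -> array of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// connect-src falls back to default-src; null means connections are unrestricted.
function effectiveConnectSrc(policy) {
  const d = parseCsp(policy);
  if (d.has('connect-src')) return d.get('connect-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

// True when the policy lets fetch/XHR/WebSocket/EventSource/sendBeacon reach nothing.
function blocksConnections(policy) {
  const sources = effectiveConnectSrc(policy);
  if (sources === null) return false;
  if (sources.length === 0) return true; // empty source list matches no URL
  // 'none' only counts when it stands alone; next to other sources it is ignored.
  return sources.length === 1 && sources[0].toLowerCase() === "'none'";
}

// Several enforced policies can apply to one page; a request must pass all of
// them, so a single blocking policy is enough.
function pageBlocksConnections(policies) {
  return policies.some(blocksConnections);
}

// Constructed sample policies, printed with the verdict for each.
const samples = [
  "default-src 'self'; connect-src 'none'",
  "default-src 'none'; script-src 'self'",
  "default-src 'self'",
  "connect-src 'none' https://api.example",
];
for (const p of samples) console.log(blocksConnections(p), p);
```
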
What is stored on your device
The page uses localStorage on your device — not a server — for two narrow things:
- Your chosen language and theme (light / dark), so the next visit looks the way you left it.
- Nothing else. No tool ever writes your inputs, keys, passphrases, or outputs to localStorage, sessionStorage, IndexedDB, or any other browser-side persistent store.
You can clear this at any time from your browser's site-data controls. The site will behave correctly afterwards — it will just detect your language again from navigator.language.
What the static host sees
The site is served as static files from a static host. When you load the page, the host's web server records the same minimum information any web server records — the IP address that made the request, the time, the User-Agent, the URL requested. encryptalotta has no admin access to those logs and does not use them. The host's own privacy policy is the relevant document for that retention. The site is hosted on Cloudflare Pages; Cloudflare's policy applies to that traffic.
Nothing about which tool you used, what you typed, or what the tool produced ever reaches the host. The host only sees that some browser somewhere asked for the page.
GDPR, CCPA, and similar regulations
encryptalotta does not collect or process personal data. There is no data subject access request to file because there is no data to access. There is no data processing agreement to sign because there is no processor. This is not a legal opinion — it's a structural observation about a site that has no server-side state.
If you are a procurement or compliance reviewer evaluating whether this site is suitable for use in your organization:
- Read the security disclosure policy.
- Read the threat model.
- The full SBOM is published in CycloneDX 1.5 format.
- Source is on GitHub; audit it.
For high-risk users
If your threat model includes a network adversary capable of substituting page bytes during loading, see THREAT-MODEL.md. The recommended posture is to download the single-file portable build (encryptalotta-portable.html) once, verify its SHA-256, and run it from file:// on a freshly-installed OS with no non-essential browser extensions.
Changes to this policy
The site's privacy posture is enforced by the code, not the document. If the code's privacy posture changes, the change ships on GitHub first, this page is updated to describe the new posture, and the date at the top of this page bumps. Any change that would reduce privacy guarantees would also have to relax the CSP — which would surface in the audit script, and in the diff against the prior release manifest.
Contact
For privacy questions or a vulnerability report, see SECURITY.md.