← DevTools

Trust & Security

How your data is actually handled

Last updated: July 2026

🔒 The core architecture

Every tool listed below runs its logic entirely inside your browser using plain JavaScript and the Web Crypto API. When you paste a regex pattern, a JWT, a SQL query, or anything else into a tool, that content is never transmitted to any server — there is no network request carrying your input, because there is no backend function that needs it. You can verify this yourself: open your browser's Network tab while using any tool below and watch that no request fires when you type or paste.

Tools that never contact a server

RegexLabCronBuilderJSONCraftHashLabURLInspectorDiffViewerColorSystemProCSVStudioAPITesterJWT DecoderTimestamp ConverterYAML ⇄ JSONPassword GeneratorSQL Formatter.env Comparer

InvoiceZen generates its PDF using your browser's native print engine — the invoice content also never leaves your device. The only exception across the entire platform is explicitly described below.

The one exception: Pro "Save" features

If you are logged in with a Pro plan and explicitly click a "Save" button inside a tool, that specific piece of content (a regex pattern, a cron expression, a JSON snippet) is sent to our database so it can be shown back to you on another device. This only happens on explicit action — never automatically, never on page load, never while you're just using a tool without an account.

Deliberately excluded from saving

JWT Decoder, Password Generator, and .env Comparer do not offer a Save button at all — even for Pro users. Saving a decoded JWT, a generated password, or raw environment variables would encourage storing secrets in the wrong place, so that capability was intentionally left out rather than added for consistency.

How saved data is protected

Row Level Security

Every saved-item table has Postgres RLS enabled. Direct database access without going through our authenticated API is blocked at the database layer, not just the application layer.

Password hashing

Account passwords are hashed with bcrypt — never stored or logged in plain text.

Encrypted transport

All traffic between your browser and our servers is encrypted via HTTPS — no exceptions.

Per-tool scoping

Saved items are scoped to the specific tool that created them, so a pattern saved in RegexLab cannot appear in JSONCraft or vice versa.

Rate limiting

Checkout and save endpoints are rate-limited per IP/account to reduce abuse potential.

What we do collect

Account data

Name, email, and a bcrypt password hash — only if you register.

Payment metadata

We never see or store your card number. AamarPay (Bangladesh) and Lemon Squeezy/Stripe (international) handle payment details directly.

Anonymous analytics

Google Analytics 4 tracks page views and which tools are used, to understand what to improve. It does not see tool input content.

Local browser storage

Theme preference and "recently used tools" are stored in your browser's localStorage and sessionStorage — never sent to us.

Reporting a security issue

If you find a security vulnerability — an authentication bypass, a way to access another user's saved data, or anything else that concerns you — please report it via hakeemify.com/contact rather than posting it publicly. We aim to acknowledge reports within 48 hours and will credit researchers who report responsibly, if they'd like to be named.

Privacy PolicyTerms of ServiceDocumentation