Privacy Policy
Effective: May 10, 2026 · Version 1.0
This Privacy Policy explains how [OPERATOR LEGAL NAME], a sole proprietor doing business as “Loft Tools” (“Loft Tools,” “we,” “us,” or “our”) handles personal information when you use our website at lofttools.com and the tools we make available there (together, the “Service”).
We’ve built Loft Tools so that the vast majority of what you do happens entirely in your browser. Your files, calculations, text, images, and other inputs are processed on your device. They are not uploaded to our servers, not sent to third parties, and not seen by us.
This policy is written in plain English, as required by Quebec’s Law 25 and as a general principle. If anything below is unclear, email us at legal@lofttools.com and we’ll explain.
1. The short version
- We do not require an account to use our tools.
- We do not upload your files to a server. PDF, image, audio, video, text, and similar tools run locally in your browser using WebAssembly, JavaScript, and the Canvas API.
- We do not currently use cookies for tracking, analytics, or advertising. We do not use fingerprinting, session-recording tools, or third-party tag managers. Our hosting provider (Cloudflare) sets a small number of strictly-necessary security cookies for bot management — see the Cookie Policy for details. (See also “Things that may change,” section 13.)
- We do not sell or share your personal information for cross-context behavioural advertising under the CCPA/CPRA, and we do not engage in “targeted advertising” as that term is defined under any U.S. state privacy law.
- We do receive minimal technical information that any web server receives when you load a page (your IP address, browser user-agent string, requested URL). We use this only to operate the site and detect abuse, and we do not build profiles from it.
- We do receive information you voluntarily provide — for example, when you email us, submit a feature request, or send a donation through a third-party platform.
- A small number of optional, clearly labelled “premium AI” tools may, in the future, send your input to a third-party AI provider for processing. Those tools will be opt-in, will display a notice before sending data, and are not enabled at launch.
If something on this page contradicts what a tool actually does, the actual behaviour controls — please report it to us so we can fix the documentation.
2. Who we are and how to reach us
- Operator: [OPERATOR LEGAL NAME], a California sole proprietor, doing business as Loft Tools.
- Mailing address: [OPERATOR MAILING ADDRESS]
- Privacy contact: legal@lofttools.com
- Privacy officer (Quebec Law 25): [OPERATOR LEGAL NAME] is the person responsible for the protection of personal information and can be reached at legal@lofttools.com.
- EU / UK representatives: Loft Tools does not currently meet the thresholds requiring an Article 27 GDPR or UK GDPR representative. If that changes, this section will be updated and a representative listed here.
3. What we collect, how we use it, and why we’re allowed to
We organise this into the categories used by the EU GDPR (“personal data”) and the California CCPA/CPRA (“personal information”). Where the laws use different words for the same concept, we use the simpler term.
| What | When | Why we use it | Lawful basis (GDPR) |
|---|---|---|---|
| Your email address and message body | When you email us, submit a feature request, send a DMCA notice, or contact support | To respond to you and keep a record of correspondence | Legitimate interest (Art. 6(1)(f)) — running and supporting the Service |
| Optional name / handle | When you sign a feature request or comment (if/when comments launch) | To attribute the comment publicly | Consent (Art. 6(1)(a)); you provide it voluntarily |
| Donation information | When you donate via a third-party platform (Buy Me a Coffee, Ko-fi, Stripe, GitHub Sponsors, or similar) | To receive the donation and (if you opt in via the platform) thank you | Contract (Art. 6(1)(b)) and legitimate interest |
We do not collect government IDs, payment card numbers, bank account numbers, biometric identifiers, precise geolocation, or special-category data (health, religion, political views, sexual orientation, etc.). If a future tool would require any of these, this policy will be updated and the tool will display a separate notice.
When you load any web page, your browser sends technical information to the server hosting the page. That includes:
- your IP address (a network identifier, sometimes considered personal data under the GDPR);
- your user-agent string (browser name and version, OS family);
- the URL you requested and the URL that referred you (if any);
- the date and time of the request.
Our hosting provider (Cloudflare Pages and Cloudflare Workers; see section 5) processes these automatically as part of operating a website. We use this information only to:
- serve the page to you,
- mitigate abuse, denial-of-service attacks, and bot traffic, and
- diagnose errors when something breaks.
We do not link this information to any account, build a profile from it, or use it for advertising. Server access logs are retained for no longer than 30 days and then deleted or aggregated beyond identifiability.
Lawful basis (GDPR): legitimate interest in operating a secure, functional website (Art. 6(1)(f)).
Loft Tools is a Progressive Web App (PWA). To make tools work offline and to remember your preferences, we use the following device-local storage technologies. None of this leaves your browser:
- localStorage / IndexedDB: to save your tool preferences (e.g., last-used unit, selected theme, draft text in a notepad tool, recent files list).
- Service Worker cache: to cache the application shell and tool code so the Service works offline and loads faster.
- Web Workers: to process files (PDF, image, audio, video, OCR, etc.) on a background thread inside your browser.
You can clear all of this at any time from your browser’s site-data controls. Doing so will reset any saved preferences but will not affect any data we hold on a server (because, in nearly all cases, there isn’t any).
When you drag a PDF, image, audio file, video, spreadsheet, or other document into a Loft Tools tool, that file is read by JavaScript or WebAssembly running in your browser tab. The file is not uploaded to our servers. We have no copy of it. We cannot recover it. Once you close the tab, it is gone unless your tool offers an explicit “save” option that writes back to your device.
A small number of clearly labelled “premium AI” tools (none enabled at launch) may, in the future, transmit your input to a third-party AI provider (for example, an OCR provider that runs server-side, or a generative model). When that happens, the tool will:
- display a notice before transmitting,
- name the provider and link to its privacy policy,
- require an explicit opt-in for that session, and
- not retain the input on our side.
If you do not opt in, the tool will not send the data and will either offer a local-only fallback or display “unavailable for this input.”
3.5 If we ever add analytics or advertising
We have not enabled any analytics or advertising at launch.
When we eventually add analytics, we will use a privacy-preserving, no-cookie analytics provider (such as Plausible, Fathom, or Cloudflare Web Analytics) that does not use cookies, does not fingerprint, does not track users across sites, and does not collect personal data. We will update this Privacy Policy and the Cookie Policy at least 14 days before the change takes effect.
When we eventually serve advertising, we will:
- update this policy and the Cookie Policy before ads go live,
- display a clear cookie/consent banner where required (EEA, UK, Switzerland, Brazil, and any other jurisdiction with a prior-consent requirement),
- honour the Global Privacy Control (GPC) signal for U.S. visitors and offer a “Do Not Sell or Share My Personal Information” link where required,
- disclose the categories of advertising partners we use, and
- describe in section 13 of this policy what changes.
Until those things happen, no analytics or ad cookies are set, and no advertising data is collected.
4. What we do not do
For clarity:
- We do not sell personal information for money.
- We do not “share” personal information for cross-context behavioural advertising as defined by the CCPA/CPRA.
- We do not engage in “targeted advertising” or “profiling that produces legal or similarly significant effects” as those terms are defined under U.S. state privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, and others).
- We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you (GDPR Art. 22).
- We do not knowingly collect personal information from children under 13. See section 9.
- We do not use dark patterns to obtain consent.
5. Sub-processors and service providers
We use a small number of vendors to operate the Service. Each is bound by its own privacy and data-protection terms.
| Vendor | Role | Where data sits | Link |
|---|---|---|---|
| Cloudflare, Inc. | Hosting (Pages), edge compute (Workers), CDN, DDoS protection, optional Web Analytics | Global edge network with primary processing under SCC- and DPF-aligned terms | cloudflare.com/privacypolicy |
| Cloudflare R2 | Object storage for static assets (icons, fonts, images we ship) | Global edge | cloudflare.com/privacypolicy |
| Cloudflare D1 | Database for site content managed via Payload CMS (tool metadata, translations) — does not store visitor or user personal data | Cloudflare network | cloudflare.com/privacypolicy |
| Email provider (currently [PROVIDER NAME]) | Receiving and replying to emails sent to legal@lofttools.com and similar | Provider’s data centres | [PROVIDER PRIVACY URL] |
| Donation platforms (Buy Me a Coffee, Ko-fi, Stripe, GitHub Sponsors, or similar) | Processing donations | Each platform’s own infrastructure | Each platform’s privacy policy |
| Domain registrar / DNS ([REGISTRAR NAME]) | Domain and DNS management — does not see user traffic content | Registrar’s systems | [REGISTRAR PRIVACY URL] |
We will update this table when sub-processors change. We do not currently use Google Analytics, Meta Pixel, TikTok Pixel, ad networks, A/B testing tools, session-replay tools, or third-party tag managers.
6. International data transfers
Loft Tools operates from the United States. When you visit our site from outside the U.S., the technical request information described in section 3.2 will, by the nature of the internet, be processed by infrastructure located in or routed through the U.S. and the global Cloudflare edge network.
For visitors in the EEA, UK, and Switzerland, we and our hosting provider rely on the following transfer mechanisms:
- Standard Contractual Clauses (EU Commission Decision 2021/914) for transfers from the EEA to the U.S.;
- the UK International Data Transfer Addendum for transfers from the UK; and
- where applicable, the EU–U.S. Data Privacy Framework for participating recipients.
Cloudflare publishes its transfer impact assessment and supplementary measures publicly; we rely on those.
7. How long we keep things
| Category | Retention |
|---|---|
| Server access logs | Up to 30 days, then deleted or aggregated |
| Email correspondence (support, feature requests, legal) | Up to 24 months after our last reply, unless a legal hold or ongoing matter requires longer |
| DMCA notices and counter-notices | At least 4 years (to satisfy U.S. statute of limitations and 17 U.S.C. §512 requirements) |
| Donation records (where we receive them, e.g., a thank-you email address you provide) | As required by U.S. tax law and the donation platform’s own retention rules |
| Device-local data (preferences, cache, etc.) | Until you clear your browser site data |
We delete or anonymise personal data when it is no longer needed for the purpose for which it was collected, unless a longer retention is required by law.
8. Your rights
Depending on where you live, you have the following rights. We honour all of them globally — you do not need to live in a particular jurisdiction to exercise them.
- Access: ask whether we hold information about you and request a copy.
- Correction (rectification): ask us to fix inaccurate information.
- Deletion (erasure): ask us to delete information we hold about you.
- Restriction: ask us to stop processing in certain circumstances.
- Portability: ask for a structured, machine-readable export.
- Objection: object to processing based on legitimate interests, including any profiling (we don’t profile).
- Withdraw consent: where we rely on your consent, withdraw it at any time.
- Opt out of “sale” or “sharing”: under the CCPA/CPRA. (We do not currently sell or share, but your opt-out will be honoured if anything changes.)
- Opt out of targeted advertising and profiling for significant decisions: under Colorado, Connecticut, Virginia, Texas, Utah, and other U.S. state privacy laws.
- Right to non-discrimination: we will not deny you the Service, charge you a different price, or provide a different quality of service for exercising these rights.
How to exercise: email legal@lofttools.com with the subject line “Privacy Request” and tell us (a) which right you’re exercising and (b) enough information for us to identify what data you mean. Because we hold so little, that’s usually just the email you’re writing from.
Verification: because we do not maintain accounts, our verification is proportionate and minimal. For most requests we’ll simply confirm we hold no responsive data, or process the request based on the email address you contact us from. We will never ask for sensitive identifiers (government IDs, financial credentials).
Response timelines:
- GDPR / UK GDPR: within 30 days, extendable by 60 days for complex requests with notice.
- CCPA / CPRA: acknowledgement within 10 business days; substantive response within 45 calendar days, extendable by 45 days with notice.
- LGPD (Brazil): within 15 days.
- PIPEDA (Canada): within 30 days; if we cannot respond in 30 days we will tell you why and when you can expect a reply.
Authorised agents: California residents may use an authorised agent. We will need written proof of the authorisation.
Right to complain:
- EEA / EU: your local Data Protection Authority — list at edpb.europa.eu/about-edpb/about-edpb/members_en
- UK: the Information Commissioner’s Office — ico.org.uk
- Quebec: the Commission d’accès à l’information du Québec — cai.gouv.qc.ca
- Canada (federal): the Office of the Privacy Commissioner — priv.gc.ca
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- California: the California Privacy Protection Agency — cppa.ca.gov
We’d appreciate a chance to fix things first — but you do not have to contact us before going to a regulator.
9. Children
The Service is intended for users aged 13 and over, and 16 and over in the EEA, UK, and Switzerland unless verifiable parental consent is provided. We do not knowingly collect personal information from children under 13 (or under the applicable age in your jurisdiction).
If you believe a child has provided personal information to us, email legal@lofttools.com and we will delete it promptly. As a general-audience site, we do not direct content to children, and we do not use age-targeting or behavioural advertising. The 2025 amendments to the Children’s Online Privacy Protection Rule (COPPA) inform our handling of any data we receive that may relate to a child under 13.
10. Security
We use a range of technical and organisational measures, proportionate to the limited personal data we hold, to protect against unauthorised access, disclosure, alteration, or destruction. These include:
- HTTPS for every page;
- HTTP Strict Transport Security (HSTS), Content Security Policy, and other modern security headers;
- Cloudflare’s managed DDoS protection, firewall, and bot mitigation;
- principle of least privilege for any administrative access;
- multi-factor authentication on operator accounts;
- the design choice that your data does not leave your device for the overwhelming majority of tools.
No internet service is perfectly secure. If we discover a personal data breach that affects you, we will notify the appropriate supervisory authority within 72 hours where required, and notify affected individuals without undue delay where there is a high risk to their rights and freedoms.
11. California-specific disclosures (CCPA / CPRA)
Even though we do not currently meet the CCPA’s applicability thresholds, we provide the following for transparency and to honour California residents’ privacy expectations.
- Categories of personal information collected in the past 12 months:
  - Identifiers: IP address (server logs), email address (if you contact us).
  - Internet or other electronic network activity: request URLs, user-agent string, referrer URL.
- Sources: directly from you (email); automatically via your browser (server logs).
- Business purposes: operating the Service, responding to you, security, and abuse prevention.
- Categories disclosed to third parties for a business purpose: to our hosting and email providers as described in section 5.
- Sold or shared: No.
- Sensitive personal information collected: None.
- Retention: as set out in section 7.
To exercise your rights, see section 8. We honour the Global Privacy Control (GPC) browser signal as a request to opt out of sale and sharing — for now this is symbolic, since we don’t sell or share.
12. State law disclosures (other U.S. states)
For residents of states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, and Kentucky): the rights described in section 8 apply, on the timelines and verification standards set out in your state’s law. To exercise them, contact legal@lofttools.com.
13. Things that may change, and how we’ll tell you
We expect to add the following over time:
- Privacy-preserving analytics (no cookies, no fingerprinting). When we do, this section, the Cookie Policy, and section 3.5 will be updated. Material changes get at least 14 days’ notice via a banner on the site.
- Optional account features (e.g., to sync preferences across devices). Accounts will be opt-in; this policy will describe what an account stores and why before they launch.
- Advertising on free-tier surfaces. When ads go live, this policy and the Cookie Policy will be updated, a consent banner will be shown where required, and the categories of advertising partners will be listed.
- Premium AI-powered tools. Each will display its own notice before sending data; the policy will list the providers in section 5.
We will revise the Effective date at the top of this policy whenever we make changes. Material changes will be highlighted at the top of this page for at least 30 days. We do not send out email notifications about policy changes (because we don’t have your email unless you’ve contacted us).
A complete change history is available on request to legal@lofttools.com.
14. Jurisdiction-specific addenda
The following short addenda apply to specific jurisdictions and prevail over anything inconsistent in the body of this policy.
14.1 European Economic Area, United Kingdom, and Switzerland
- Controller: [OPERATOR LEGAL NAME] dba Loft Tools.
- Lawful bases are identified per processing activity in section 3.
- Article 27 representative: not currently appointed (thresholds not met). If appointed, contact details will appear here.
- Right to lodge a complaint: see section 8.
14.2 United Kingdom
- The UK GDPR and the Data Protection Act 2018 apply. The Information Commissioner’s Office (ICO) is the supervisory authority.
14.3 California
- See sections 11 and 8. We do not have a financial incentive program, so we do not need to provide a financial-incentive notice.
14.4 Quebec
- This policy serves as our confidentiality policy under An Act respecting the protection of personal information in the private sector (Law 25).
- The person responsible for the protection of personal information is [OPERATOR LEGAL NAME], reachable at legal@lofttools.com.
- We do not transfer personal information outside Quebec for storage of identifiable personal data of Quebec residents beyond what is described in section 6 (server logs incidental to operating a global website). If we begin to transfer Quebec residents’ personal data to a jurisdiction whose laws provide a level of protection meaningfully lower than Quebec’s, we will conduct and document a privacy impact assessment as required by Law 25.
14.5 Brazil
- The LGPD applies. The Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority.
Email: legal@lofttools.com
Mail: [OPERATOR MAILING ADDRESS]
We aim to acknowledge privacy requests within 5 business days and to substantively respond within the timelines in section 8.
This Privacy Policy is provided as the operator’s good-faith description of its practices. It is not legal advice. If a court or regulator finds any provision unenforceable, the remaining provisions remain in effect.