Privacy Policy

ToolChamp is designed with privacy as a default. The vast majority of our tools run entirely inside your browser using JavaScript and WebAssembly — your files and data never leave your device. We do not require an account, we do not sell your data, and we do not build advertising profiles on users.

This Privacy Policy explains what limited data we do collect, why we collect it, how we handle it, and the rights you have over your data under applicable law.

ToolChamp (“we”, “us”, “our”) operates the website at toolchamp.app and the tools it provides. For the purposes of the EU General Data Protection Regulation (GDPR), ToolChamp is the data controller for the limited data described in this Policy. You can reach us at [email protected].

This Policy covers data processing in connection with your use of the ToolChamp website and its tools. It does not cover third-party websites or services you may reach through links on our site; those are governed by their own privacy policies, which you should review.

We collect only the minimum data needed to run the Service:

• Files you upload to server-side tools. Some tools — such as AI features, transcription, and large-file video conversion — process your files on our servers or via third-party APIs. Files are transmitted only for the duration of the requested operation, are processed, returned to you, and then deleted.
• Server logs. Like any web server, ours automatically records basic technical data when you visit: IP address, user-agent string, requested URL, timestamp, referrer, and HTTP status code. Logs are used for security, abuse prevention, and diagnosing errors, and are retained for up to 30 days.
• Analytics. Aggregated, anonymized usage statistics via Google Analytics 4 (see “Analytics” below).
• Cookie consent choice. If you interact with our cookie banner, your choice is stored in your browser's localStorage so we do not ask again.
• Contact correspondence. If you email us, we retain your message and contact details to respond and for reasonable record-keeping.

We do not collect your name, email, phone number, government ID, precise location, biometrics, or any other personally identifiable information unless you voluntarily provide it (for example by emailing us).

If you are in the European Economic Area or United Kingdom, we process personal data on these legal bases:

• Consent — for analytics cookies and any non-essential processing. You can withdraw consent at any time via the cookie banner or browser controls.
• Contract / service delivery — to process a file you voluntarily upload for a requested server-side tool.
• Legitimate interests — for server logs used to keep the Service secure, prevent abuse, and diagnose errors. Your rights and freedoms have been balanced against these interests.
• Legal obligation — where we must retain or disclose data to comply with applicable law.

• To operate, maintain, and improve the Service
• To deliver the specific tool function you request
• To monitor traffic levels, detect abuse, and prevent fraud
• To diagnose and fix technical problems
• To respond to messages and support requests
• To comply with law and enforce our Terms of Service

We do not sell, rent, or trade personal data. We share data only in the following narrow circumstances:

• Service providers (processors) — infrastructure and tool providers who process data on our behalf under contract, including our hosting provider, Cloudflare (CDN and DDoS protection), Google (Analytics), and third-party AI/ML APIs used by specific tools. These providers may only use data as needed to perform their service.
• Legal requirements — if required by valid legal process (such as a court order, subpoena, or legally binding request from a government authority), we may disclose data to the extent required by law.
• Safety and rights — to protect the Service, its users, or the public from fraud, abuse, or serious harm.
• Business transfers — if ToolChamp is involved in a merger, acquisition, reorganization, or sale of assets, data may be transferred as part of that transaction. We will notify users via the Service before data is transferred and becomes subject to a different privacy policy.

Our servers and those of our service providers may be located in the United States, the European Union, the United Kingdom, or other jurisdictions. When we transfer personal data from the European Economic Area, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or equivalent protections. You can request a copy of the relevant safeguard by contacting us.

We use a minimal set of cookies and localStorage entries:

• Strictly necessary — your cookie consent choice and rate-limiting tokens. Required for the Service to function; no consent needed under GDPR.
• Analytics (optional) — Google Analytics cookies (e.g. _ga, _ga_*) are set only if you accept analytics via our cookie banner.

We do not use advertising cookies, retargeting pixels, or third-party tracking cookies. You can control or delete cookies using your browser settings at any time; doing so may affect the functionality of the Service.

We use Google Analytics 4 with IP anonymization enabled to understand aggregate usage — which tools are popular, general traffic trends, and performance. Analytics data is aggregate; we do not use it to identify individual users.

• Analytics are loaded only after you accept cookies via our consent banner.
• You can opt out at any time by declining in the cookie banner, clearing your browser storage, or installing the Google Analytics Opt-out Browser Add-on.
• Analytics data retention is set to 14 months.
• Google processes this data under Google's privacy policy.

Some browsers offer a “Do Not Track” (DNT) signal or a Global Privacy Control (GPC) signal to express a preference for not being tracked. Because no universal standard currently governs DNT, we do not respond to it. However, we respect GPC signals from compliant browsers and treat them as an opt-out of analytics where applicable under your local privacy law.

• Files uploaded for processing are deleted automatically after the operation completes — typically within seconds.
• No database of user files is maintained.
• Server logs are kept for up to 30 days, then deleted.
• Analytics data is retained for 14 months per Google Analytics settings.
• Contact correspondence is retained as long as necessary to resolve your request and for a reasonable period thereafter for record-keeping.

We use industry-standard safeguards to protect data: HTTPS encryption in transit, hardened server configurations, rate limiting, regular security updates, and limited access controls. However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you share data with us at your own risk.

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

• Access — request a copy of personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — request deletion of your data (“right to be forgotten”), subject to legal exceptions.
• Restriction — ask us to limit how we process your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.
• Complaint — lodge a complaint with your local data protection authority.

To exercise these rights, email [email protected]. We respond within 30 days. Because we collect very little personal data, we may be unable to identify a specific individual in our records — in that case we will describe the limitations of our data holdings in our response.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:

• Right to know what personal information we collect and why
• Right to delete personal information we collect
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing of personal information — ToolChamp does not sell or share personal information as defined by the CCPA
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, email the address in the Contact section below. We do not require an account to submit a request, and we do not discriminate against users who exercise their rights.

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other U.S. states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of targeted advertising and the sale of personal data. ToolChamp does not engage in targeted advertising or sale of personal data. To exercise your rights, email the Contact address below.

We do not make decisions based solely on automated processing — including profiling — that produce legal effects or similarly significantly affect you. Some tools use AI to generate Output on request, but the Output is informational; any decision you make based on it is yours alone.

The Service is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If we learn that we have collected such data without verified parental consent, we will delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us.

The Service may contain links to third-party websites or embed third-party APIs. We are not responsible for the privacy practices of those third parties. We recommend reviewing their privacy policies before providing any personal data.

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be reflected in an updated effective date at the top of this page and, where appropriate, a notice on the Service. Your continued use of the Service after changes take effect indicates your acceptance of the revised Policy.

For privacy-related questions, data subject requests, or to exercise any of your rights, contact us at:

[email protected]

We respond to privacy requests within 30 days. You also have the right to lodge a complaint with your local data protection authority — for example, the UK Information Commissioner's Office (ICO), your EU member-state supervisory authority, or the California Privacy Protection Agency (CPPA).