Privacy Policy
Last updated: April 17, 2026
DevTools Surf ("we", "us") operates https://devtools.surf. This policy explains what data we collect, why we collect it, and the choices you have. It applies to every visitor and signed-in user of the site.
1. The short version
- Most of our tools run entirely in your browser. Data you paste into a tool is processed on your own device and is not sent to us unless the tool page explicitly says so.
- If you sign in, we store your email, display name and avatar (from Google OAuth) plus a usage log tied to your account.
- We use privacy-respecting analytics and advertising pixels to understand traffic and measure ad conversions. You can opt out at any time — see "Your choices" below.
- We do not sell your personal data.
2. Information we collect
2.1 Information you give us
- Account info — when you sign in with Google, we receive your email address, name, Google user id and profile picture URL.
- Payment info — credit-card details are collected by our payment processor (currently Stripe / Razorpay). We never see or store full card numbers; we only store a customer id and the last four digits of the card for reference on your receipts.
- Content you submit — comments, tool suggestions, shared snippet payloads, profile text. These are stored in our database and may be displayed publicly if the feature is public by design (e.g. tool comments, share-links).
2.2 Information collected automatically
- Usage history — each tool run is logged (tool id, timestamp, credit cost, success/failure). We do not store the actual input or output.
- Log data — IP address, browser user-agent, referrer, device type. Kept for up to 90 days for abuse prevention and debugging.
- Cookies and local storage — session cookies for login, preference cookies for theme and recent tools, and analytics cookies (detailed below). No ad retargeting cookies are set unless you visit an external linked site.
3. How we use your information
- To authenticate you and give you access to your credit balance and history.
- To process payments and provide receipts.
- To display public contributions (comments, shared links, leaderboard entries).
- To prevent abuse, detect fraud, and enforce our Terms.
- To improve the product — usage aggregates help us prioritise new tools and fix bugs.
- To measure the effectiveness of advertising campaigns so we can control costs.
- To send transactional email (receipts, security alerts). We do not send marketing email without opt-in.
4. Third-party services
We rely on the following vendors. Each one is a data processor under our control — we only share what is strictly needed for the service to work.
- Google (Sign-In, Analytics, Ads) — authentication, traffic measurement and ad-conversion tracking. See Google's privacy policy.
- Google Tag Manager, Microsoft Clarity, Hotjar, Meta Pixel, LinkedIn Insight, X Pixel, PostHog, Plausible — loaded only if their environment variable is set and only when the ad/analytics partner is enabled for the campaign you arrived from.
- Stripe / Razorpay — payment processing. They are PCI-DSS compliant and receive card details directly; we never touch them.
- Sentry — server-side and browser error reporting. IPs are scrubbed.
- Crisp — live chat, loaded on demand.
- Cloud hosting — our application runs on a commercial VPS in Europe/US regions. Database backups are encrypted at rest.
5. Cookies
| Cookie / storage | Purpose | Duration |
|---|---|---|
| authjs.session-token | Keeps you signed in | 30 days |
| theme | Remembers chosen UI theme | 1 year |
| recent-tools | Last 10 tools used, for the header dropdown | 1 year |
| _ga, _gid | Google Analytics session + unique visitor | up to 2 years |
| _fbp, _ttp, _uetsid, li_sugr | Ad-platform conversion attribution | 90 days |
| posthog, clarity, hotjar | Product analytics / session replay | up to 1 year |
6. Data retention
- Account data — until you delete your account, then immediately removed from our live database and purged from backups within 30 days.
- Usage history — kept for 24 months, then aggregated and anonymised.
- Payment records — kept for 7 years (tax and accounting requirement).
- Server logs — 90 days.
7. Your choices & rights
- Access / export — download your usage history as CSV from /history. Email us for a full profile export.
- Delete — delete your account from /settings. This wipes all personal data.
- Opt out of analytics — browser-level Do-Not-Track is respected; we also honour the Global Privacy Control signal.
- GDPR / CCPA rights — if you reside in the EEA, UK, California or another jurisdiction with equivalent rights, you may request access, correction, portability, erasure, or object to processing by emailing the address below.
8. Children
The service is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
9. International transfers
Your data may be transferred to and processed in countries outside your own, including the United States. Where required we rely on Standard Contractual Clauses or equivalent safeguards.
10. Changes to this policy
We will post the updated policy here and change the "Last updated" date. Material changes trigger an in-app banner and, for signed-in users, a notification.
11. Contact
Questions, requests, or complaints: privacy@devtools.surf. For GDPR / UK GDPR enquiries you may also contact your local data protection authority.
This policy is provided as a starting point and does not constitute legal advice. You should have it reviewed by a qualified lawyer before relying on it in production.