Privacy Policy

HeoLab (“we”, “us”, or “our”) operates heolab.com (the “Service”). This Privacy Policy explains what data we collect, why we collect it, and how we protect it.

The short version: Most HeoLab tools process data entirely in your browser or transiently on our servers with zero retention. We don't sell your data. We don't track you across the web. We use only what we need to make the service work.

1. Tool input data (no retention)

When you use a developer tool (JSON formatter, JWT decoder, Base64 encoder, etc.), your input data is processed transiently. We do not log, store, or retain your tool inputs or outputs. Processing may happen in your browser or on our servers — either way, no content is persisted.

2. Usage analytics (anonymized)

We collect anonymized, aggregated usage data to understand which tools are popular and how the service is used. This includes:

• Which tool was used (e.g., “json-formatter”)
• Approximate timestamp
• A hashed (non-reversible) IP address for rate limiting
• Session ID (randomly generated per visit)

Raw IP addresses are never stored. Only a one-way hash is retained, making it impossible to reverse to your actual IP.

3. Account data (if you sign up)

If you create an account, we collect your email address, display name, and authentication data via Supabase Auth. This is required to provide account features (saved items, history, API access). We store:

• Email address
• Display name (optional)
• Profile picture URL (from OAuth provider, if used)
• Account creation and last-updated timestamps

4. Saved items (opt-in)

If you explicitly save a tool result, we store that input and output linked to your account. You can delete any saved item at any time from your dashboard.

5. AI usage (when you use AI features)

When you use AI-enhanced features, we record token usage (not your content) for cost monitoring and rate limiting. The content you submit to AI enhancement is sent to our AI provider (currently OpenAI) under their privacy terms. We do not store your AI prompts or responses.

6. Technical logs

Our servers automatically record HTTP request logs including request path, response status code, and response time. These logs are retained for up to 7 days for debugging and are then deleted automatically. They do not contain tool input content.

We use minimal browser storage:

We do not use advertising cookies, third-party tracking pixels, or Google Analytics.

We use collected data solely for:

• Operating the Service — providing tool functionality, authentication, and account features
• Rate limiting and abuse prevention — protecting against automated abuse using hashed IP data
• Product improvement — understanding which tools are used to prioritize development
• Cost monitoring — tracking AI token usage to manage operational costs
• Responding to you — if you contact us via email or the contact form

We will never use your data for advertising profiling, resell it to third parties, or use it for any purpose not listed above.

We share data with third-party services only as required to operate:

• Supabase — Database and authentication provider. Stores user accounts and saved items. Data is hosted in the EU region. Supabase Privacy Policy ↗
• OpenAI — AI enhancement provider. Content you submit to AI features is processed by OpenAI. We do not store it. OpenAI Privacy Policy ↗
• Vercel — Hosting provider. Serves the application and temporarily processes HTTP requests. Vercel Privacy Policy ↗

We will disclose data if required by law, court order, or to protect the rights and safety of our users.

Depending on your location, you may have rights under GDPR, CCPA, or other privacy laws. Regardless of law, we honor the following for all users:

• Access — Request a copy of the data we hold about you
• Correction — Update inaccurate profile information
• Deletion — Delete your account and all associated data
• Portability — Export your saved items in JSON format
• Opt-out — Use all core tools without creating an account; anonymous usage is fully supported

To exercise any of these rights, email trongngo08082002@gmail.com with the subject line “Privacy Request”. We respond within 30 days.

We take security seriously:

• All data in transit is encrypted via HTTPS (TLS 1.3)
• Database access requires authentication with Row Level Security (RLS)
• Authentication tokens are stored in HttpOnly cookies
• No raw IP addresses are stored — only one-way SHA-256 hashes
• Security headers are set on all responses (X-Frame-Options, CSP, etc.)

While we implement strong safeguards, no internet service is 100% secure. Please do not submit sensitive production secrets (API keys, database passwords) to any online tool.

HeoLab is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has submitted personal data, contact us and we will delete it promptly.

We may update this policy as the service evolves. Material changes will be communicated by updating the “Last updated” date and, for registered users, by email notification.

Continued use of HeoLab after changes constitutes acceptance of the updated policy.

Privacy questions or data requests: trongngo08082002@gmail.com. You can also use the contact form.