That Free Online Tool You Just Used? It Probably Kept Your Data.

I want you to think about the last time you used a random online tool.

Maybe you needed to format some JSON. Or decode a JWT. Or check if a sketchy link your cousin sent you was actually safe to open. Whatever it was, you probably did what most people do: you Googled it, clicked the first result, pasted your data in, hit a button, and moved on with your day.

Here’s the thing nobody talks about: what happened to that data after you closed the tab?

The dirty secret behind most “free” tools

Most free online tools aren’t charities. They’re businesses. And if you’re not paying for the product, you already know how that sentence ends.

But it goes deeper than just ads. I spent a few weekends last year poking around the network requests of some of the most popular online tool sites. The ones that show up on page one for “JSON formatter” or “base64 decoder.” What I found wasn’t exactly shocking, but it was… uncomfortable.

Out of the 15 sites I checked:

• 11 of them sent the contents of the input field to their server, even for operations that could easily run in the browser.
• 8 of them loaded tracking scripts from five or more third-party domains.
• 4 of them didn’t even have a privacy policy page. At all.
• 1 of them — and I wish I was making this up — was sending the full text input to what appeared to be an analytics endpoint before the user even clicked “submit.”

None of these sites are doing anything illegal, technically. Their terms of service (when they bother to have one) usually include some vague line about “data processing” that covers them. But the average person pasting their company’s API response into a JSON formatter at 2am isn’t reading terms of service. They’re just trying to figure out why their code is broken.

“But it’s just a JSON formatter, who cares?”

You’d be surprised what ends up in those input boxes.

I’ve watched coworkers paste entire API responses containing customer emails into online formatters. I’ve seen people decode JWTs that contained user IDs, permissions, and session data using some random website. I once caught a junior dev pasting a .env file contents into a “Base64 encoder” to encode a database connection string.

The data people paste into online tools is often way more sensitive than they realize in the moment. You’re in debugging mode. You’re frustrated. You just need this one thing to work. You’re not thinking about where that data goes.

And that’s what these sites count on.

How to tell if a tool is actually running in your browser

Here’s a quick trick that takes about 5 seconds:

1. Open the tool in your browser.
2. Open DevTools (right-click → Inspect → Network tab).
3. Clear the network log.
4. Paste some text and click the action button.
5. Look at what network requests fire.

If you see a POST request going to the site’s server with your input data in the payload? Your data just left your machine. It’s on someone else’s server now. What they do with it after that is between them and their privacy policy (which, again, might not exist).

If you see nothing — no requests, no fetches, no XHR calls — then the tool is genuinely running client-side. Your data never left your browser. It was processed in JavaScript right there on your machine, and when you close the tab, it’s gone.

That’s the difference. And it matters.

Why we built Janchly the way we did

When we started building Janchly, we made one rule before writing a single line of code: if a tool can run in the browser, it runs in the browser. Period.

Our JSON Formatter? Client-side. The Base64 Encoder? Client-side. JWT Decoder? Client-side. Regex Tester? Client-side. Even the QR Code Generator renders everything on a local HTML canvas — your text never touches a server.

The only tools that have to contact a server are the ones where it’s physically impossible to do the job otherwise. The URL Safety Checker needs to actually reach out and inspect a URL’s destination. The Redirect Chain Checker needs to follow HTTP redirects. You can’t do that from a browser tab due to CORS restrictions. So those tools use our API — but we don’t log the input, we don’t store it, and we rate-limit the endpoints so nobody can abuse them.

No accounts. No sign-ups. No email collection. No “just give us your name so we can personalize your experience.” You open a tool, you use it, you leave.

That’s it.

The “sign up to continue” trap

While we’re on the subject — can we talk about how many tool sites now force you to create an account to use basic functionality?

You want to format more than 5 JSON documents? Sign up. You want to download your QR code at full resolution? Sign up. You want to use the tool more than 3 times today? Sign up.

I get it from a business perspective. Email lists are valuable. User accounts let you track engagement. Investors love “monthly active users” as a metric.

But from a user perspective? I just want to decode a base64 string. I don’t want a relationship. I don’t want to remember another password. I don’t want marketing emails about your “exciting new premium tier” six months from now.

Every tool on Janchly is free. No usage limits. No accounts. No premium tiers. No “sign up to unlock.” We keep the lights on with straightforward display ads, and that’s the whole business model. Nothing clever. Nothing hidden.

What you should actually care about

Look — I’m not saying every online tool is secretly harvesting your data for some nefarious purpose. Most of them probably just have lazy architectures. It’s easier to send data to a server and process it there than to write efficient client-side JavaScript. A lot of these sites were built quickly, without much thought about privacy implications, and they’ve just… kept running.

But “they probably aren’t doing anything bad with your data” is a pretty low bar. Especially when the alternative — tools that provably never see your data in the first place — exists.

Here’s my checklist when I need an online tool:

1. Does it work with the network tab open and no requests firing? If yes, great. Your data stays local.
2. Does it have a clear privacy policy? Not a 47-page legal document, just something that plainly says what they do with input data.
3. Does it ask for an account for no good reason? A JSON formatter does not need to know my email address.
4. Does it load a reasonable number of third-party scripts? Two or three (analytics, ads) is normal. Fifteen is a red flag.

If a tool fails most of those checks, close the tab and find a better one. There are plenty.

The boring conclusion

This isn’t a dramatic story. Nobody’s data got leaked. No scandal. No breach notification.

That’s kind of the point.

The privacy cost of using bad online tools isn’t dramatic. It’s mundane. It’s a thousand small moments where your data — a snippet of code, a customer email, an API key, a URL you’d rather not explain — quietly ends up on a server you’ll never think about again, processed by code you can’t inspect, retained for a duration nobody specified.

It adds up. And the fix is stupidly simple: use tools that don’t collect your data in the first place.

We built Janchly to be that fix. Fifty-plus tools, all free, most of them running entirely in your browser. No sign-ups, no data collection, no nonsense.

Go try a tool. Open the network tab while you do it. See for yourself.

Janchly is a collection of free, privacy-first browser tools for developers, marketers, and anyone who works with data. Check out all tools at janchly.com/tools.

Most free online tools send your data to their servers. Here’s how to tell which ones are safe — and why client-side tools are the smarter choice.

online-privacy, browser-tools, developer-tools, data-privacy,
client-side-processing, free-tools, no-signup-tools, json-formatter,
web-security, privacy-first, open-web, online-safety

free online tools privacy

are online tools safe

client side vs server side tools

online tool data privacy

browser based tools