Privacy Policy
Last updated: April 17, 2026
1. Who we are
PXLTools ("we", "us", "our") operates pxltools.com. We provide free online tools for file processing, code formatting, QR code generation, and related utilities. This privacy policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data controller
For questions about this policy or to exercise your data rights, contact us via our contact form.
3. What data we collect
3.1 Tool usage (no account required)
All file processing (image compression, PDF merging, format conversion, etc.) happens entirely in your browser. Files you process are never uploaded to our servers. We do not see, store, or have access to the content you process.
3.2 Local storage (browser)
We use your browser's localStorage to track daily usage counts per tool category for guest users. This data stays on your device, is never sent to our servers, and resets daily. It is used solely to enforce free-tier daily limits (e.g., 5 image conversions per day for guests). You can clear this data at any time via your browser settings.
3.3 Account data (if you register)
If you create an account, we collect and store:
Your email address (used for login and account recovery).
A securely hashed version of your password (we cannot read your password).
Your newsletter preference (opt-in only).
Your account creation date.
3.4 Saved QR codes (logged-in users)
If you choose to save QR codes to your account, we store the QR code image data, the label you provide, and the encoded content. You can save up to 10 QR codes. Saved QR codes are automatically and permanently deleted after 6 months. If you save more than 10, the oldest are deleted to make room. You can manually delete any saved QR code at any time from your account page.
3.5 Processing history (logged-in users)
For logged-in users, we store metadata about your last 10 processing actions: the tool used, filename, file size, and output size. We do not store the actual files. This history is automatically and permanently deleted after 24 hours. Only the 10 most recent entries are kept; older entries are deleted immediately when new ones are added.
3.6 Contact form
If you submit our contact form, we store your name, email address, subject, message, and your IP address (for abuse prevention). Contact submissions are retained for 12 months and then deleted.
3.7 Analytics
We use Google Analytics 4 (GA4) to understand how our tools are used and to improve our service. GA4 collects anonymized usage data such as pages visited, time on page, device type, and approximate location (country/city level). Google Analytics uses cookies to distinguish users. You can opt out of Google Analytics by using the Google Analytics opt-out browser add-on or by declining analytics cookies via our Clickio consent banner.
3.8 Security logs
We log security-relevant events such as failed login attempts, account lockouts, and CSRF violations. These logs include IP addresses and user agents and are automatically deleted after 30 days. This data is processed under our legitimate interest in maintaining the security of our service (GDPR Article 6(1)(f)).
3.9 Consent management (Clickio CMP)
We use Clickio as our Consent Management Platform (CMP) to obtain and manage your cookie preferences in compliance with GDPR and the ePrivacy Directive. When you first visit our site, a consent banner allows you to accept or decline non-essential cookies. Your consent preferences are stored by Clickio and can be changed at any time by clicking the cookie settings link in our footer. Clickio may process your IP address and consent choices. Clickio Privacy Policy.
4. Cookies
We use the following cookies:
Session cookie (pxl_session): An HttpOnly, secure cookie that maintains your login session. This is a strictly necessary cookie and does not require consent under GDPR. It expires after 7 days or when you log out.
Google Analytics cookies (_ga, _ga_*): Used for analytics purposes. These require your consent, which we obtain via the Clickio consent banner on your first visit. You can withdraw consent at any time by clicking the cookie settings link in our footer.
Clickio CMP cookies: Used to store your cookie consent preferences. These are strictly necessary for the consent mechanism to function and do not require separate consent.
We do not use advertising cookies or tracking pixels.
5. Legal basis for processing
We process your data under the following legal bases:
Consent (Article 6(1)(a)): Analytics cookies, newsletter subscription.
Contract performance (Article 6(1)(b)): Account creation, QR code storage, processing history.
Legitimate interest (Article 6(1)(f)): Security logging, rate limiting, abuse prevention.
6. Data retention
Session data: Deleted after 7 days or on logout.
Saved QR codes: Deleted automatically after 6 months.
Processing history: Deleted automatically after 24 hours.
Security logs: Deleted automatically after 30 days.
Contact submissions: Deleted after 12 months.
Account data: Retained until you delete your account. After account deletion is requested, all data is permanently removed within 30 days.
localStorage usage data: Resets daily. Not transmitted to us.
7. Your rights (GDPR)
Under the GDPR, you have the right to:
Access your personal data — view your saved QR codes and history via your account page.
Rectification — correct inaccurate data by contacting us.
Erasure — delete your account and all associated data via Account Settings, or contact us.
Restriction — request that we limit how we use your data.
Data portability — request a copy of your data in a structured, machine-readable format.
Object — object to processing based on legitimate interest.
Withdraw consent — withdraw consent for analytics cookies at any time via the Clickio consent banner (click the cookie settings link in the footer).
To exercise any of these rights, use our contact form with the subject "Privacy Request."
8. Third-party services
Google Analytics (Google LLC) — analytics and usage statistics. Data may be processed in the United States under Google's Standard Contractual Clauses. Google Privacy Policy.
Clickio — consent management platform (CMP). Manages cookie consent preferences. Clickio Privacy Policy.
Google Fonts — web fonts served from Google's CDN. Google may log your IP address when fonts are loaded. Google Fonts Privacy.
We do not sell, rent, or share your personal data with any other third party.
9. Data security
We implement industry-standard security measures including HTTPS encryption in transit, bcrypt password hashing (cost 12), HttpOnly/Secure/SameSite session cookies, CSRF protection, progressive login lockout, rate limiting, and Content Security Policy headers. All file processing occurs client-side — your files never leave your browser.
10. Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via a notice on the site. The "Last updated" date at the top reflects the most recent revision.