Privacy Policy
Privacy Policy
Last updated: June 22, 2026
This Privacy Policy explains what Devglaze LLC ("we", "us", "our") collects when you use ToolsPow, why we collect it, how long we keep it, and the rights you have over it.
1. Data we collect
When you visit (no signup needed)
- Your IP address (used for rate-limiting, ban enforcement, and abuse logging)
- Browser user-agent string
- Uploaded files for the duration of the conversion, plus 1 hour
- Cookies: a session cookie, a CSRF cookie, and your cookie-consent choice
When you sign up
- Name, email, hashed password (we never see your plain password)
- If you sign up via Google: your Google account ID, email, name, profile picture
- Verification OTP + token (15-minute expiry)
When you use tools while signed in
- Per-tool usage counters (slug + day + count) for quota enforcement
- Job records (slug, status, timing, error if failed) for the My Files page
- Retained uploads (everything except videos) stay until you delete them from /user/files
When you pay
- Stripe customer ID and subscription state are stored locally; we never see or store full card details — Stripe processes the payment directly
- Token ledger entries (purchase, grant, spend, refund) for the My Tokens page
When you use the API or MCP
- Hashed API token + per-token last-used timestamp
- Same job + usage records as the web interface
When something breaks
- Server-side error logs (visible to admin in
/admin/errors) - Optionally, Sentry — if a Sentry DSN is configured (see "Third parties" below)
2. Why we collect each item
| Data | Purpose | Legal basis |
|---|---|---|
| Email + password | Account access | Contract |
| IP + UA | Abuse prevention, rate limits | Legitimate interest |
| Uploaded files | Run your conversion | Contract |
| Usage counters | Enforce per-tier quotas | Contract |
| Stripe IDs | Bill subscriptions, ledger token purchases | Contract |
| Cookies (essential) | Sessions, CSRF, consent | Necessary |
| Cookies (analytics, if any) | Improve the product | Consent |
| Error logs | Fix bugs | Legitimate interest |
3. Third-party data processors
We share the minimum data necessary with these processors:
- Stripe — payments (full card data goes to Stripe directly, never us)
- Google — Google Sign-In (only if you choose it), Google Drive picker (only if you use it, and only the files you pick)
- Dropbox — Dropbox Chooser (only when you use it)
- Microsoft — OneDrive picker (only when you use it)
- Cloudflare Turnstile — bot-protection on contact / signup / login forms
- Sentry (optional, if a DSN is configured) — server-side error monitoring
- Our SMTP mail provider — sending account, verification, and reply emails
We do not sell, rent, or share your data with advertisers, data brokers, or AI training datasets.
4. Retention
| Data | Kept for |
|---|---|
| Guest upload | Up to 1 hour (auto-purged) |
| Video uploads (any user) | Deleted immediately after the conversion finishes |
| Other uploads (signed-in) | Until you delete them at /user/files |
| Job records | Until you delete your account |
| Token ledger | Until you delete your account |
| Account profile | Until you delete your account |
| Soft-deleted account | 30 days, then permanent erasure |
| Error logs | 90 days |
| Security logs (IP bans, attempts) | 90 days |
| Audit log (admin actions) | 365 days |
| Stripe records | Per Stripe's policy (typically 7 years for tax / regulatory compliance) |
5. Your rights (GDPR / UK GDPR / CCPA)
You have the right to:
- Access your data → export at
/user/account(zip download) - Rectify errors → edit at
/user/profile - Erase your account →
/user/account"Delete my account" (30-day grace, then permanent) - Restrict or object to processing → contact us
- Data portability → covered by the export feature (JSON formats)
- Withdraw consent → revoke cookie consent, unsubscribe from emails, disconnect Google
- Lodge a complaint with your local data protection authority
We answer rights requests within 30 days.
6. Cookies
We use only essential cookies by default (session, CSRF, consent choice). If we add analytics in the future, an Accept All button on the cookie banner will be required before any non-essential cookie loads.
7. International transfers
Our primary server is located in a single jurisdiction; data may be transferred to our processors (Stripe, Google, Microsoft, etc.) whose infrastructure spans multiple regions. Where transfers happen outside the EEA, our processors use Standard Contractual Clauses or equivalent safeguards.
8. Security
- All traffic is over HTTPS (TLS 1.2+)
- Passwords stored with bcrypt; 2FA available (required for admin)
- API keys stored as hashes
- Stripe handles all card data; we never see PAN
- File uploads scanned via honeypot + ModSecurity at the Apache layer
No system is perfectly secure. If we suffer a breach affecting your data we'll notify you and applicable authorities as required by law.
9. Children
The Service is not directed at children under 13 (or the equivalent age of consent in your jurisdiction). If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes
Material changes to this Policy will be announced here and (for paying customers) by email at least 14 days before they take effect.
11. Contact
- General questions: contact form or info@toolspow.com
- Data protection requests: info@toolspow.com (subject: "DPR: ...")
- Company: Devglaze LLC
This Privacy Policy is written to cover the data flows we actually run. If you operate in a jurisdiction with stricter rules (CCPA, HIPAA, etc.) please review with counsel.