Privacy Policy

Last updated: April 2026

The short version

Tool calculators run entirely in your browser — inputs never leave your device. The Ask page is different: it sends your query to our server so the platform can look up the intent, match tools, and (optionally) fetch short summaries from trusted open sources. We do our best to keep what happens on the server minimal and anonymous. Read below for exactly what goes where.

Tool calculators (client-only)

Every calculator, converter, estimator, and planner runs its math in the JavaScript engine inside your browser. No input is transmitted for these pages. No account is required or possible.

The Ask page and Ask API

The /ask page sends your question to our server via an HTTP POST request (query in the request body, not the URL). This keeps your question out of browser history entries generated by active typing, server access logs, and edge caches. If you share or bookmark an /ask?q=...deep link, the question is visible in that URL — but normal interactive usage does not create one.

  • Query text is capped: 500 characters for the Ask engine, 300 characters for the trusted-source web-context lookup.
  • Your IP address is used only for an in-memory per-IP rate limit. It is never written to any durable log.

If the platform has no confident answer for your query, the trimmed query text may be appended (anonymously, with only a timestamp — no IP, no user agent, no cookie) to a server-side log so the admin can see what the platform could not answer. Before storage:

  • Queries containing detected personal information (email addresses, phone numbers, Social Security numbers, credit card numbers, street addresses) are rejected and never stored. Detection is regex-based and cannot catch every possible format.
  • High-risk queries (medical, legal, weapons) are rejected at ingest.
  • Near-duplicate queries within 10 minutes are deduplicated.
  • The log is capped to 5,000 entries and entries older than 90 days are automatically dropped.

The log is not shared with third parties.

Trusted-source web retrieval

The Ask page fires five keyword-focused parallel lookups against trusted open sources: Wikipedia, Wikidata, DuckDuckGo, MDN, and OpenAlex. Your query text (keyword-extracted, up to 300 characters) is sent server-side to those providers. Each provider has its own privacy policy. We never forward your IP — our server makes the request on your behalf. The retrieval allowlist also permits .edu, .gov, .gov.uk, and .go.jp hosts for direct-URL lookups.

Standards-governance references

For professional standards / governance questions we surface structured official-source references drawn from our canonical authority registry (ABA, PCAOB, FASB, GASB, FASAB, IFRS Foundation / IASB, GRI, ISO, IEC, IEEE SA, BSI, JSA, ICC, OSHA, AGC, ASME, CEN-CENELEC, buildingSMART, W3C, SEC, WHO ICD-11, FDA, CMS, NIST, ENISA, IEA, IRENA, ICAO, IATA, FAO, WIPO, IBA) and a small set of adoption authorities (state supreme courts / state bars / ICC adoption map). Those references are built from the canonical registry and do not require any external search — the server just returns the official URL we already know.

If the site operator sets PSE_STANDARDS_LIVE_PROBE=true, the server will additionally issue an HTTPS HEAD request (2.5-second timeout) to each returned official URL to report reachability. No user query is sent. No body content is fetched. No result is cached.

Aggregated high-risk bucket counts

When the Ask page drops a query at the high-risk gate (medical, substantive legal, high-risk finance, weapons), the taxonomy label only (e.g. legal-substantive, medical) is incremented in a separate aggregates file. The raw query text is never written. This gives the operator a roadmap signal ("confined-space queries are spiking") without retaining any substantive or dangerous prompt.

Session-only analytics

The admin dashboard reads sessionStorage in your browser to count how many times tools are used during a single session. This data:

  • Is stored only in your browser — never transmitted anywhere
  • Contains no personal identifiers
  • Is deleted automatically when you close the tab

Advertising

If the site operator configures the NEXT_PUBLIC_ADSENSE_ID environment variable, Google AdSense scripts will load on tool pages and the Content Security Policy is widened to permit Google's ad domains. In that configuration, Google may set cookies and collect data per Google's advertising privacy. If the env var is not set (the default for local/dev deploys), no advertising scripts are loaded.

What we do not do

  • No account, login, or profile
  • No persistent cookies set by our own code
  • No fingerprinting, no tracking pixels, no social widgets
  • No sale or sharing of query logs

Children

This platform does not knowingly collect data from anyone, including children. No account creation is required or possible.

Changes to this policy

If this policy changes materially, the date at the top will be updated. We aim to keep this page accurate with the shipped behavior rather than aspirational.