Verify it yourself

The 60-second verification

Works the same in any modern browser. Steps below use the standard menu paths.

1. Open any PrivBatch tool. A good one to test with is /tools/csv-json.html because it actually transforms data.
2. Press F12 to open DevTools. On Safari, enable the Develop menu first (Settings → Advanced → Show features for web developers), then Option+Cmd+I.
3. Click the Network tab. In Safari it is called Network too. In Firefox the same name.
4. Click the clear button to wipe the existing log. In Chrome and Edge that is the circle-with-slash icon at the top-left of the Network panel. In Firefox it is the trash icon. In Safari it is the trash icon at the top of the panel.
5. Make sure recording is on. In Chrome and Edge the record button is the red circle next to the clear button. In Firefox the "Pause" toggle should not be active. In Safari the record toggle should be highlighted.
6. Now use the tool with real data. Paste a CSV, click Convert all, download the result. Do whatever you normally would.
7. Look back at the Network tab. You will see: zero new requests. The only entries are from the initial page load (the HTML, the CSS files, the shared JS, and CDN libraries like Papa Parse). After the page finished loading, the count stays at zero. No analytics ping. No telemetry. No upload.

Live network monitor

The panel below wires the same network interception API that powers the Prove It toggle on every tool page. It wraps window.fetch and XMLHttpRequest.prototype.open, counts every call, and updates a live readout. Press the button to run a real JSON formatter operation on a sample payload, in this page, in your browser.

The architecture

This is not a privacy policy. It is what the code can and cannot do.

All PrivBatch tools are static HTML, CSS, and JavaScript served from Cloudflare's edge network. There is no backend. There is no application server. There is no API endpoint for "process this file". The build process is "copy files to a CDN". The runtime is your browser.

Every transformation, conversion, hash, encode, format, and parse runs inside the page using standard Web APIs: FileReader, Blob, TextDecoder, Web Crypto, URL.createObjectURL. The libraries that do the heavy lifting (Papa Parse for CSV, SheetJS for Excel, jsPDF for PDFs, JSZip for ZIPs) are pure-JavaScript and run in-process. They take a string or buffer in, they give a string or buffer out.

The only network requests PrivBatch ever makes are:

• The initial page load: one HTML document, a handful of CSS and JS files.
• CDN library fetches (Papa Parse, SheetJS, etc.) from cdnjs.cloudflare.com and cdn.sheetjs.com. These are cached by your browser after the first load.
• Google Fonts for typography (Geist and IBM Plex Mono).
• One request to api.gumroad.com when a Pro user enters a licence key, to verify the key is valid. This is documented in /privacy.html. Free users never trigger this.

After the page has loaded, processing has nothing to call. There is no server endpoint that accepts your data. If you blocked every outbound request with uBlock Origin or a system firewall, every tool would still work, because the work happens between your keyboard and the V8 engine inside the tab.

Read the source

You do not have to take any of this on faith. Open DevTools, click the Sources tab (or Debugger in Firefox), and read the JavaScript that is actually running. PrivBatch ships its scripts unobfuscated and unbundled. js/gold-standard.js, js/utils.js, and the per-tool inline scripts are the entire program. Search them for fetch( and XMLHttpRequest and audit every call site.

A public source mirror lives at github.com/PrivBatch/PrivBatch if you want to read the code outside a browser tab.

Found a leak?

If you spot a request from a PrivBatch tool that sends user data anywhere, that is a bug, not a feature. Email privbatch@proton.me with the network log attached. We will fix it before sunset that day.

For the full privacy policy, see /privacy.html. For the licence terms, see /licence.html.