Legal & Ethics
Privacy Policy
Last Updated: July 7, 2026
Philosophy
kapadia.org is built on the principle of minimalist data processing. I believe that privacy is the default state, not an optional feature. This site does not use tracking pixels, marketing cookies, or behavioral analytics.
Data I Process
I do not collect personal information like names, email addresses, or phone numbers. Many of the tools on this site — the Hash Generator, Payload Encoder, JWT Decoder, EXIF Inspector, Subnet Calculator, and Email Header Analyzer — run entirely in your browser and send nothing at all. For the tools that require the edge network, some technical data is processed by nature of how the web works:
- IP Addresses: Your IP address is used transiently to power the networking and OSINT tools on this site (such as the Speed Test, DNS Analyzer, Link Inspector, Supply Chain Auditor, OSINT Footprint Checker, Browser Fingerprint, and the homepage terminal). It is never written to a long-term database or used to build a profile.
- Rate Limiting: To prevent abuse, requests to the edge tools are rate-limited per IP address. Your IP is held transiently in an edge key-value store (keyed per tool) purely to count requests within a short rolling window. These entries expire automatically after about a minute and are never used for tracking, analytics, or profiling.
- Edge Logs: This site runs on a global edge network. Standard server logs (which may include IP addresses and browser headers) are generated to prevent abuse and ensure security, but these are purged automatically and never sold.
Cookies & Local Storage
kapadia.org uses no cookies whatsoever — not for tracking, not for sessions, not for preferences. It also
does not use localStorage or sessionStorage. Tools that need to keep state while
you work hold it only in memory, and it is discarded the moment you reload or close the tab.
Third-Party Services
To maintain high performance and provide advanced diagnostic features, I rely on a small number of trusted third-party providers. I distinguish between services that your browser connects to directly and those where your request is proxied through my edge network to protect your identity.
Direct Connections (Sees your IP)
- Google Fonts: Provides the site's typography.
- Cloudflare: Powers the global edge network and DDoS protection.
- speed.cloudflare.com: Used by the Speed Test for ping, download, and upload measurements. Your browser connects to this service directly.
- cdnjs: Delivers the SparkMD5 library used by the Hash Generator, loaded with Subresource Integrity (SRI) so the exact pinned file is verified before it runs.
- OpenStreetMap: When you click a geolocation coordinate in the OSINT Footprint Checker or EXIF Inspector, a map link opens in a new tab and your browser connects to OpenStreetMap directly.
Proxied Investigations (Shields your IP)
When using the OSINT, networking, and supply chain tools, your IP address is never shared with the following providers. They only see the address of my edge network:
- ipwho.is: Used for IP geolocation and ASN data (primary provider).
- ipapi.co: Used as a fallback IP geolocation provider if ipwho.is is unavailable.
- rdap.org: Used for domain registration lookups (OSINT Footprint Checker and Link Inspector).
- crt.sh: Used for Certificate Transparency lookups to discover subdomains during a domain audit.
- Platform APIs: Used for username lookups across GitHub, GitLab, Hacker News, Docker Hub, and npm. npm's public CouchDB registry may include an account's email address in its API response if the owner made it public on npm — this tool surfaces it only when present in that public response.
- Link destinations: When using the Link Inspector, the URL under investigation is fetched by my edge network to trace redirect chains and surface security signals. Your browser never connects to the target URL directly.
- Page & script sources: When using the Supply Chain Auditor, the page you submit and its third-party scripts and stylesheets are fetched by my edge network so they can be hashed and integrity-checked. Package integrity is cross-referenced against the npm registry (
registry.npmjs.org) and the cdnjs API (api.cdnjs.com). Your browser never connects to the audited page or its resources directly. - Public DNS: All DNS lookups are performed via Cloudflare (1.1.1.1) over Secure DoH.
Contact
If you have questions about this policy or the technical architecture of the site, you can reach out via the information provided on the About page.