Skip to content

Privacy Policy

Last updated: April 7, 2026

PassForge was built around a simple principle: security tools should not require you to hand over the very secrets you are trying to protect. Your passwords never leave your device. We could not see them even if we wanted to — they are generated, hashed, and analyzed entirely inside your browser using JavaScript and WebAssembly. No server ever receives them.

What We Do Not Collect

We do not collect passwords, passphrases, hashes, private keys, TOTP secrets, JWT tokens, or any other sensitive input you enter into our tools. These values exist only in your browser's memory and are discarded when you close the tab. We have no telemetry that captures form field contents, clipboard data, or generated output.

Breach Checker & k-Anonymity

The Breach Checker tool uses the Have I Been Pwned range API, which relies on k-anonymity. Only the first five characters of a SHA-1 hash prefix are sent to the external API — the full hash of your password is never transmitted. The comparison between the returned hash suffixes and your password's full hash happens locally in your browser. This approach means neither PassForge nor the API provider can determine what password you checked.

SSL & Security Headers Checks

When you use the SSL Certificate Checker or Security Headers Checker, the domain you enter may be sent to a public API to retrieve certificate or header information. We do not log or store which domains you analyze. These requests are made directly from your browser.

Local Storage

Some features — such as tool history, favorites, and TOTP secrets — use your browser's localStorage. This data never leaves your machine. It is not synced to any server, and we have no mechanism to read it. You can clear it at any time through your browser settings.

Analytics & Advertising

We use Google AdSense to display advertisements, which may use cookies to serve ads based on your browsing history. Google's advertising cookies allow Google and its partners to serve ads based on your visit to this site and other sites. You can opt out of personalized advertising by visiting Google's Ads Settings. We may also use basic, privacy-respecting analytics to understand aggregate page views and traffic sources. We do not track individual users across sessions or build behavioral profiles.

Cookies

PassForge itself does not set cookies. However, third-party services embedded on our pages — such as Google AdSense — may place their own cookies. You can control cookie behavior through your browser's privacy settings.

Third-Party Services

The site is hosted on Cloudflare Pages. Cloudflare may collect standard web server logs (IP addresses, timestamps, requested URLs) as part of their infrastructure. We do not control Cloudflare's data practices; please refer to Cloudflare's Privacy Policy for details.

Children's Privacy

PassForge is not directed at children under 13. We do not knowingly collect personal information from children.

Changes to This Policy

If we make material changes to this policy, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically.

Contact

Questions about this policy? Reach us at [email protected].